0

This time, I am trying to retrieve data:

input_berita_static.php

<?php

    include('../includes/koneksi.php');

    $id = isset($_POST['id']) ? $_POST['id'] : '';  
    $confirmation = isset($_POST['confirmation']) ? $_POST['confirmation'] : '';  
    $kategori = isset($_POST['kategori']) ? $_POST['kategori'] : ''; 
    $news = isset($_POST['news']) ? $_POST['news'] : '';
    $judul = isset($_POST['judul']) ? $_POST['judul'] : ''; 
    $page = isset($_POST['page']) ? $_POST['page'] : '';


    //Load berita
    if (!empty($_POST['id'])){
        $result = mysql_query("SELECT * FROM static_page WHERE id =".$_POST['id']) or die(mysql_error());
        $data = mysql_fetch_array($result);
        $id = $data['id'];
        $page = $data['page'];
        $judul = $data['judul'];
        $news = $data['isi_berita'];

        echo "variable";
        echo $id;
        echo $page;
        echo $judul;
        echo $news;
    }
    else {
    echo "unable to select data";
    echo "id is empty";
    }

    //Simpan berita 
    if (isset($_POST['ok'])){

        if (empty($_POST['id']))
            {
            $sqlstr = "INSERT INTO static_page(page, judul, isi_berita) VALUES('".$page."','".$judul."','".$news."')";
            }
        else
        {
            $sqlstr = "UPDATE static_page SET page='".$page."', judul='".$judul."', isi_berita='".$news."' WHERE id=".$_POST['id'];

        }
        $result = mysql_query($sqlstr) or die(mysql_error());

        //Jika mode edit, maka tidak akan dikirimkan konfirmasi kepada subscriber
        //if (empty($_REQUEST['id']))   kirimEmail($idKategori, $judul, $news);
        $confirmation = ($result) ? "Data telah tersimpan." : "Gagal menyimpan data.";  
    }
    ?>
    <div align="center">
        <div style="width:800px;text-align:left;">
        <script type="text/javascript" src="../../Masterlink/cgoods/ckeditor/ckeditor.js"></script>
        <link href="../../Masterlink/cgoods/ckeditor/content.css" rel="stylesheet" type="text/css"/>
        <?php echo $confirmation;?>
        <form method="post" action="<?php echo $_SERVER['PHP_SELF']?>">
            <input type="hidden" name="id" value="<?php echo $id; ?>"/>
            <table>
                <tr>
                    <td>Page</td>             
                    <td><select name="page">
                    <option value="Pengenalan Perusahaan">Pengenalan Perusahaan</option>
                    <option value="Sejarah Perusahaan">Sejarah Perusahaan</option>
                    <option value="Cabang">Cabang</option>
                    </select></td>

                    <?php // <input size="50px" type="text" name="page" value="<?php echo $page; ?"/> ?>
                </tr>
                <tr>
                    <td>Judul</td>                
                    <td><input size="50px" type="text" name="judul" value="<?php echo $judul; ?>"/></td>
                </tr>
                <tr>
                    <td valign="top">Isi berita</td>              
                    <td>
                        <textarea cols="60" rows="10" id="news" name="news"><?php echo $news;?></textarea>
                        <script type="text/javascript">
                            var editor = CKEDITOR.replace('news');
                        </script>                    </td>
                </tr>
                <tr>             
                    <td><input type="submit" name="ok" value="Simpan"/></td>
              </tr>
            </table>
        </form>
        </div>
    </div>

url: http://localhost/RustoleumCustomCMS/administrator/input_berita_static.php?id=5 (the id is stated there and not empty)

That id is being passed from admin.php

admin.php

<form method="POST" action="<?php $_SERVER['PHP_SELF'] ?>">

                                    <br/>
                        <a class="topLink" href="input_berita_static.php">Berita Static Baru >></a><br><br>

        <?php
                //LOAD NEWS

                $result = mysql_query("SELECT * FROM static_page") or die(mysql_error());
                ?>
                <table id="admintable" border="1" cellpadding="2" cellspacing="0">
                    <tr>
                        <th>Static Page</th><th>Judul</th><th>Action</th>
                    </tr>
                    <?php
                    $i=0;
                    while ($data = mysql_fetch_array($result)){
                    $result2=($i%2)?'#DFA09D':'white';

                            echo "<tr bgcolor='$result2'>";                  
                            echo '<td>'.$data['page'].'</td>';
                            echo '<td>'.$data['judul'].'</td>';
                            echo '<td><a href="admin.php?mode=delete&id='.$data['id'].'">Hapus</a> |<a href="input_berita_static.php?id='.$data['id'].'">Edit</a></td>';
                        echo '</tr>';

                    $i++;   
                    }
                    ?>
                </table>

        </form>

The result in input_berita_static.php:

unable to select dataid is empty

I expect the saved data being retrieve in the form.

3
Contributors
5
Replies
19
Views
4 Years
Discussion Span
Last Post by broj1
0

On line 15 more appropriate check would be:

if (isset($_POST['id']) && is_int($_POST['id'])){

so you are checking whether $_POST['id'] exists at al and is integer.

0

the request seems like GET as it is appended in URL

@iim: Ups, you are right. I don't know what I was looking at.

0

As IIM said change $_POST to $_GET at least for reading the ID (depending on the source of the data).

There is other thing I would like to point out. You are assigning your ID to the $id variable but:
1. you are not using that variable later on and
2. you are not cleaning and escaping the input. You open your database to attackers.

$id = isset($_POST['id']) ? $_POST['id'] : '';  

It is really recommended to validate, clean (or reject) and escape input, no matter wheter GET or POST.

$id = isset($_POST['id']) ? mysql_real_escape_string($_POST['id']) : '';
$confirmation = isset($_POST['confirmation']) ? mysql_real_escape_string($_POST['confirmation']) : '';
$kategori = isset($_POST['kategori']) ? mysql_real_escape_string($_POST['kategori']) : '';
...

// Use only cleaned and escaped variables from now on

Edited by broj1

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.