How can I show only 1 id?

I need to show only 1 id at a time, and I need a button to go to the previous and next id. How can I do that?
And when I click “Aanpassen” I want to edit only the id, but when I click “Aanpassen” now it shows me every id. How can I fix this?
This is my code:

Overzichtbetalingen.php

<?php include ('betalingen.php'); ?>
<!DOCTYPE html>
<html>
<head>
    <title>Overzichtbetalingen</title>
    <link rel="stylesheet" type="text/css" href="overzichtbetalingen.css">
</head>
<body>
<a href="index.html">Startpagina</a>
<table>
    <thead>
        <tr>
            <th>Naam</th>
            <th>Pand</th>
            <th>Datum betaling</th>
            <th colspan="2">Hoe word er betaald</th>
            <th>Betalingsperiode</th>
            <th>Bedrag per periode</th>
        </tr>
    </thead>
    <tbody>
    <?php while ($row = mysqli_fetch_array($results)) { ?>
        <tr>
            <td><?php echo $row['Naam']?></td>
            <td><?php echo $row['Pand']?></td>
            <td><?php echo $row['Datum']?></td>
            <td><?php echo $row['Betaling']?></td>
            <td><?php echo $row['Bank']?></td>
            <td><?php echo $row['Betalingsperiode']?></td>
            <td><?php echo $row['Bedragperperiode']?></td>
        </tr>
    <?php } ?>
    </tbody>
</table>
<button class="knop" onclick="window.location = 'https://mijntuintjes.000webhostapp.com/Betalingtoevoegen.php'">Betaling toevoegen</button>
</body>
</html>

Betalingen.php

<?php
session_start();
// connect to database
$db = mysqli_connect("xxx","xxx","xxx","xxx");
//retrieve results
$results = mysqli_query($db, "SELECT *  FROM Info");
?>

Betalingsperiode.php

<?php
//connect to database
$db = mysqli_connect("xxx","xxx","xxx","xxx");
//show results
$results = mysqli_query($db, "SELECT *  FROM Info");

?>
<!doctype html>
<html>
<head>
    <title>Betalingsperiode</title>
    <link rel="stylesheet" type="text/css" href="Betalingsperiode.css">
</head>
<body>
<table>
    <thead>
    <tr>
        <th>Naam</th>
        <th>E-mail</th>
        <th>Betalingsperiode</th>
        <th>Aanpassen</th>
    </tr>
    <?php while ($row = mysqli_fetch_array($results)){ ?>
    <tr>
        <td><?php echo $row['Naam']?></td>
        <td><?php echo $row['Email']?></td>
        <td><?php echo $row['Betalingsperiode']?></td>
        <td>
        <a href="Aanpassenbetalingsperiode.php?aanpassen=<?php echo $row['id'] ?>">Aanpassen</a>
        </td>
    </tr>
    </thead>
</table>
<table>
    <thead>
    <tr>
        <th>Maand</th>
        <th>Bedragpermaand</th>
        <th>Betaald/Niet betaald</th>
    </tr>
    </thead>
    <tbody>

    <tr>
        <th><?php echo $row['Januari']?></th>
        <td><?php echo $row['Bedragperjan']?></td>
        <td><?php echo $row['Betaaldjan']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Februari']?></th>
        <td><?php echo $row['Bedragperfeb']?></td>
        <td><?php echo $row['Betaaldfeb']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Maart']?></th>
        <td><?php echo $row['Bedragpermaa']?></td>
        <td><?php echo $row['Betaaldmaa']?></td>
    </tr>
    <tr>
        <th><?php echo $row['April']?></th>
        <td><?php echo $row['Bedragperapr']?></td>
        <td><?php echo $row['Betaaldapr']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Mei']?></th>
        <td><?php echo $row['Bedragpermei']?></td>
        <td><?php echo $row['Betaaldmei']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Juni']?></th>
        <td><?php echo $row['Bedragperjun']?></td>
        <td><?php echo $row['Betaaldjun']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Juli']?></th>
        <td><?php echo $row['Bedragperjul']?></td>
        <td><?php echo $row['Betaaldjul']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Augustus']?></th>
        <td><?php echo $row['Bedragperaug']?></td>
        <td><?php echo $row['Betaaldaug']?></td>
    </tr>
    <tr>
        <th><?php echo $row['September']?></th>
        <td><?php echo $row['Bedragpersep']?></td>
        <td><?php echo $row['Betaaldsep']?></td>
    </tr>
    <tr>
        <th><?php echo $row['Oktober']?></th>
        <td><?php echo $row['Bedragperokt']?></td>
        <td><?php echo $row['Betaaldokt']?></td>
    </tr>
    <tr>
        <th><?php echo $row['November']?></th>
        <td><?php echo $row['Bedragpernov']?></td>
        <td><?php echo $row['Betaaldnov']?></td>
    </tr>
    <tr>
        <th><?php echo $row['December']?></th>
        <td><?php echo $row['Bedragperdec']?></td>
        <td><?php echo $row['Betaalddec']?></td>
    </tr>
    </tbody>
    <?php } ?>
</table>
</body>
</html>

Updaten.php

<?php
// connect with MySQL
$con = mysqli_connect("xxx","xxx","xxx","xxx");
// select database
mysqli_select_db($con, 'id12302950_gebruikers');
// update query (one line per month for readability; a double-quoted PHP string may span lines)
$sql = "UPDATE Info SET
    Januari = '$_POST[Januari]', Bedragperjan = '$_POST[Bedragperjan]', Betaaldjan = '$_POST[Betaaldjan]',
    Februari = '$_POST[Februari]', Bedragperfeb = '$_POST[Bedragperfeb]', Betaaldfeb = '$_POST[Betaaldfeb]',
    Maart = '$_POST[Maart]', Bedragpermaa = '$_POST[Bedragpermaa]', Betaaldmaa = '$_POST[Betaaldmaa]',
    April = '$_POST[April]', Bedragperapr = '$_POST[Bedragperapr]', Betaaldapr = '$_POST[Betaaldapr]',
    Mei = '$_POST[Mei]', Bedragpermei = '$_POST[Bedragpermei]', Betaaldmei = '$_POST[Betaaldmei]',
    Juni = '$_POST[Juni]', Bedragperjun = '$_POST[Bedragperjun]', Betaaldjun = '$_POST[Betaaldjun]',
    Juli = '$_POST[Juli]', Bedragperjul = '$_POST[Bedragperjul]', Betaaldjul = '$_POST[Betaaldjul]',
    Augustus = '$_POST[Augustus]', Bedragperaug = '$_POST[Bedragperaug]', Betaaldaug = '$_POST[Betaaldaug]',
    September = '$_POST[September]', Bedragpersep = '$_POST[Bedragpersep]', Betaaldsep = '$_POST[Betaaldsep]',
    Oktober = '$_POST[Oktober]', Bedragperokt = '$_POST[Bedragperokt]', Betaaldokt = '$_POST[Betaaldokt]',
    November = '$_POST[November]', Bedragpernov = '$_POST[Bedragpernov]', Betaaldnov = '$_POST[Betaaldnov]',
    December = '$_POST[December]', Bedragperdec = '$_POST[Bedragperdec]', Betaalddec = '$_POST[Betaalddec]'
    WHERE id = '$_POST[id]'";
// execute the query
if (!mysqli_query($con, $sql)) {
    echo "Error description: " . mysqli_error($con);
}
header('location: Betalingsperiode.php');
?>

Instead of editing(1) all rows you want to edit only one. To do so you need to know which record you want to edit. The most ideal way to determine which record must be edited is with the use of a $_GET variable.
e.g. http://mysite.nl/payments/edit.php?id=123 Here 123 is the id of the payment to edit.
The second important thing is to write a database query that tries to get the data from the database for only that one particular record.

// initialize $id so that it will exist in any case
$id = 0;

// try to read the $_GET['id'] variable if it exists
if(isset($_GET['id']) && $_GET['id'] > 0) {
    $id = (int) $_GET['id']; // be sure to accept only integer values
}

// try to query the row that has the id we want to find
$result = mysqli_query($db, "SELECT * FROM payments WHERE id=" . $id);
if($result === false) {
    exit(mysqli_error($db));
}

// just try to fetch one single row
$row = mysqli_fetch_assoc($result);

if($row === false) {
    exit('Payment with id ' . $id . ' not found.');
}

// show the data for the test
echo '<pre>' . print_r($row, true) . '</pre>';

(1) Instead of edit you can also read show or delete.

Thank you very much, very useful!

Unfortunately, just about everything is wrong with that code example. Don’t just blindly copy/paste it.

I will give an example.

$_GET['id'] = 0.1+0.7;

$id = 0;

// try to read the $_GET['id'] variable if it exists
if(isset($_GET['id']) && $_GET['id'] > 0) {
    echo $id = (int) $_GET['id']; // be sure to accept only integer values
    echo '<br>Fail';
}
$_GET['id'] = 0x1A;
$id = 0;

// try to read the $_GET['id'] variable if it exists
if(isset($_GET['id']) && $_GET['id'] > 0) {
    $id = (int) $_GET['id']; // be sure to accept only integer values
    echo 'Fail';
}

Hi @benanamen, sounds interesting…

<?php
$_GET['id'] = 0x1A;
$id = 0;

// try to read the $_GET['id'] variable if it exists
if(isset($_GET['id']) && $_GET['id'] > 0) {
    $id = (int) $_GET['id']; // be sure to accept only integer values
    echo 'Fail';
}

echo $id;

echoes 26, which looks like a valid value. Most important to me is to protect yourself against MySQL injection. Can you convince me? I like to learn too…

And the first example results in a zero (0), which was the default value already…

Of course you could validate the value before casting it to an integer, which you surely must do when you think this is better for you. But at this moment, saying that almost everything is wrong with the code sounds a bit aggressive, sorry to say, “Mister master coder”. It would be nice if you helped people with advice instead of smashing them on their heart.

Yes, but what you missed is that zero got past your validation of greater than zero.

&& $_GET['id'] > 0

“Normally” when dealing with a record ID, a valid ID would contain only the numbers 0-9 and always start with a 1 or greater, so that’s exactly what your validation should allow, and ONLY that. All the examples you see out there, is_numeric, is_int, int, etc, etc, do not do that.

The two simplest ways to get a true validation are either a regex or PHP’s validate filter with appropriate flags. The regex is the simplest and cleanest option.

Critique of code is exactly that and has no bearing on you personally whatsoever and is by no means a personal attack. We all started at the beginning and all of us are still learning no matter how long we have been at this.

Sorry you take it that way. The truth about the CODE is just that. If you want someone to go line by line through your code and tell you every single thing wrong with it, just ask. I am sure someone like @phdr would be happy to take the time to do that. I am not so inclined to do that myself these days. I offer what I offer of my time.

Since I am here… going to the next block of code…

  1. Do not select *, specify the columns by name

  2. NEVER EVER put variables in a query. Use Prepared Statements

  3. The if construct is already a truthy check by default, therefore checking for false is redundant. Checking for the exact type of false is pointless. if returns either true or false. There is no such thing as exactly of the type false. It should simply be if(!$result)

  4. Outputting internal system errors to the user is very bad and a security risk. The info is useless to the user and only good to a hacker.

  5. The specific id not found message is a security risk. Anyone can enumerate the id’s and know exactly what record id’s are in the database.

There is more that would apply in an actual implementation such as permissions to edit/update/view/delete data but since this is an example that would not apply at this point.
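Putting the answer above and these five points together for the original question (one record at a time, with previous and next buttons), as an added example that is not code from anyone in the thread: it assumes `$db` is an open mysqli connection and takes the table `Info` and the columns `id`, `Naam` and `Betalingsperiode` from the question.

```php
<?php
// Added example, not code from the thread. Assumes $db is an open mysqli connection; table and column names come from the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false

// Only digits with a leading 1-9 count as an id (the regex rule from the thread); anything else means "no id given".
function validateId(string $raw): ?int
{
    return preg_match('/^[1-9][0-9]*$/', $raw) === 1 ? (int) $raw : null;
}

// One record by id: named columns and a prepared statement (get_result() needs the mysqlnd driver).
function fetchPayment(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, Naam, Betalingsperiode FROM Info WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// Nearest id below or above the current one, or null at either end of the table; this drives the prev/next buttons.
function neighbourId(mysqli $db, int $id, string $direction): ?int
{
    $sql = $direction === 'next'
        ? 'SELECT id FROM Info WHERE id > ? ORDER BY id ASC LIMIT 1'
        : 'SELECT id FROM Info WHERE id < ? ORDER BY id DESC LIMIT 1';
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}

try {
    $raw = $_GET['id'] ?? '';                        // ?id[]=1 arrives as an array, not a string, so it yields no id
    $id  = is_string($raw) ? validateId($raw) : null;
    $row = $id === null ? null : fetchPayment($db, $id);
    if ($row === null) {
        http_response_code(404);
        exit('Betaling niet gevonden.');             // one generic message for both a malformed and a missing id
    }
    $prev = neighbourId($db, $id, 'prev');
    $next = neighbourId($db, $id, 'next');
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage());                     // details go to the server log, never to the browser
    http_response_code(500);
    exit('Er is iets misgegaan.');
}
echo '<p>', htmlspecialchars((string) $row['Naam']), ' - ', htmlspecialchars((string) $row['Betalingsperiode']), '</p>';
if ($prev !== null) echo '<a href="?id=', $prev, '">Vorige</a> ';
if ($next !== null) echo '<a href="?id=', $next, '">Volgende</a>';
```

The same `validateId` and prepared-statement pattern applies to the `$_POST['id']` in Updaten.php, where the record to update should also be bound as a parameter rather than interpolated into the query.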

Thanks for the reply @benanamen. There are some points you write which are in the category of flavors. For example the if(!..) is clear for you and me but not for every starter or hobby PHP programmer. Keep in mind that the questions asked on a forum like this are often placed by enthusiastic new people willing to write some code. About the security risks: you are totally right. But again it is beyond the scope of the level we are at. I normally work with a system where you have a dev mode and a production mode. As developer you sure want to see the errors; production mode switches those errors off. Maybe I should remark that in the comments.

Cheers

I should clarify on this. The response relates to the possible return values of mysqli_query.

There are a handful of Php functions where you MUST do a strict comparison when using the if construct on their return values.

if ($var === false)

List may not be complete. Take note of the red warning box for these functions.

array_search
https://www.php.net/manual/en/function.array-search.php

curl_exec
https://www.php.net/manual/en/function.curl-exec.php

current
https://www.php.net/manual/en/function.current.php

fgetc
https://www.php.net/manual/en/function.fgetc.php

file_get_contents
https://www.php.net/manual/en/function.file-get-contents.php

imagecolorallocate AND imagecolorallocatealpha
https://www.php.net/manual/en/function.imagecolorallocate.php
https://www.php.net/manual/en/function.imagecolorallocatealpha.php

next
https://www.php.net/manual/en/function.next.php

PDO::exec
https://www.php.net/manual/en/pdo.exec.php

preg_match
https://www.php.net/manual/en/function.preg-match.php

prev
https://www.php.net/manual/en/function.prev.php

readdir
https://www.php.net/manual/en/function.readdir.php

reset
https://www.php.net/manual/en/function.reset.php

simplexml_load_file
https://www.php.net/manual/en/function.simplexml-load-file.php

SplFileObject::fgetc
https://www.php.net/manual/en/splfileobject.fgetc.php

strpos
https://www.php.net/manual/en/function.strpos.php

The next step is ensuring the person doing the editing, is authorized and has access to do the editing as well.

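An added example, not from the thread, that makes the falsy-zero trap behind the list above concrete with constructed inputs and contrasts it with the mysqli_query case discussed earlier:

```php
<?php
// Added example, not from the thread: why the listed functions need "=== false".
// All inputs are constructed; nothing here touches a database.

// strpos() returns 0 when the needle sits at the start: a valid position that is also falsy.
function containsLoose(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) ? true : false;   // wrong: position 0 is read as "not found"
}
function containsStrict(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;        // right: only false means "not found"
}

// array_search() has the same trap: a hit at index 0 is a falsy return value.
function indexOfLoose(array $list, string $value): ?int
{
    $i = array_search($value, $list, true);
    return $i ? $i : null;                              // wrong: index 0 collapses to null
}
function indexOfStrict(array $list, string $value): ?int
{
    $i = array_search($value, $list, true);
    return $i === false ? null : $i;
}

// preg_match() returns 0 for "no match" and false for an error such as a broken pattern;
// only a strict comparison can tell those two apart.
function matchStatus(string $pattern, string $subject): string
{
    $r = @preg_match($pattern, $subject);
    if ($r === false) {
        return 'error';
    }
    return $r === 1 ? 'match' : 'no match';
}

// Contrast with mysqli_query(): on a SELECT it returns false or a mysqli_result object, and an
// object is always truthy, so "if (!$result)" and "if ($result === false)" agree for that function.
var_dump(containsLoose('id=26', 'id'), containsStrict('id=26', 'id'));
var_dump(indexOfLoose(['a', 'b'], 'a'), indexOfStrict(['a', 'b'], 'a'));
var_dump(matchStatus('/^[1-9][0-9]*$/', '26'), matchStatus('/[/', '26'));
```

Run it and compare each loose/strict pair: the loose versions lose the legitimate 0 result, and only matchStatus can distinguish an invalid pattern from a non-match.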

@benanamen: php.net about mysqli_query:

Return Values

Returns FALSE on failure. For successful SELECT, SHOW, DESCRIBE or EXPLAIN queries mysqli_query() will return a mysqli_result object. For other successful queries mysqli_query() will return TRUE.

So for SELECT queries the function might return FALSE on failure and a mysqli_result object on success. Isn’t that a reason to check this with a strict comparison? I know there is not a red alert box on this page, but it might be because of the different behavior depending on the kind of query you execute…

In theory, if my SELECT query succeeds and I get a mysqli_result object returned with the value zero (which of course is very unlikely), then my non-strict comparison could fail.

NO. See if you can come up with why. (HINT: Compare with any of the functions I listed and what the red box tells you)

Think about what you wrote and then tell me what’s wrong with it.
