[newbie] Keeping it all in one page?

#1
01-29-2008
Gilles Ganault


Hello

Out of curiosity, is this an acceptable way to build a small,
all-in-one script to create/update/list/delete records in a table?

This is a bit of pseudo-code (eg. don't know if "switch" exists in
PHP, nor if it trickles down in the absence of "break"), but you get
the idea:

============
<?php

$base = "mydb";
// the action comes from the hidden "status" field of the submitted form
$status = isset($_POST['status']) ? $_POST['status'] : '';

switch ($status) {
case 'update':
    // fetch existing record, then fall through (no break) to the form below
    $query = "SELECT ... WHERE ...";

case 'create':
    // Show form to create a record, or to modify the one fetched above
    echo "<form method=\"post\">";
    echo "<input type=\"hidden\" name=\"status\" value=\"save\">";
    echo "Name <input type=\"text\" name=\"txtField\"><p>";
    echo "<input type=\"submit\" name=\"create\" value=\"Create\"></p>";
    echo "</form>";
    break;

case 'create_update':
    // Save newly-created record
    $query = "INSERT...";
    break;

case 'create_save':
    // Save modified, existing record
    $query = "UPDATE...";
    break;

default:
    // List records, and include a "Modify/delete" button
    $query = "SELECT...";
}
============

Thank you.

#2
01-29-2008
The Natural Philosopher
Re: [newbie] Keeping it all in one page?

Gilles Ganault wrote:
> Hello
>
> Out of curiosity, is this an acceptable way to build a small,
> all-in-one script to create/update/list/delete records in a table?
>


Whatever turns you on.

I've got lots of code like this, generally done custom for the form,
using if/then/else-if type constructs, and a hidden variable called
'update' which takes the values NULL, 'yes', and 'new'.

The display is the same whether I am creating new or updating, though. The
only difference is that the variables that go in the input boxes are blank if
it's 'new'.

The difference is how the PHP processes the DATABASE, not the screen.

If it's called as a result of a form submit, I test for a new record, or
updating an old one. That goes into one of three possible states: update
existing, create new, or do nothing.

Then in all cases bar record ID=0/NULL the database is READ to fill in
the form.


> This is a bit of pseudo-code (eg. don't know if "switch" exists in
> PHP, nor if it trickles down in the absence of "break"), but you get
> the idea:
>
> ============
> <?php
>
> $base = "mydb";
>
> switch $status {
> case 'update'
> //fetch existing record, and go on to next case
> $query = "SELECT ... WHERE ..."
>
> case 'create' || 'update'
> //Show form to create/modify an existing record
> echo "<form method=post>";
> echo "<input type=hidden name=status value=\"save\">";
> echo "Name <input type=\"text\" name=\"txtField\"><p>";
> echo "<input type=\"submit\" name=\"create\"
> value=\"Create\"></p>";
> echo "</form>";
>
> case 'create_update'
> //Save newly-created record
> $query = "INSERT..."
>
> case 'create_save'
> //Save modified, existing record
> $query = "UPDATE..."
>
> case default
> //List records, and include a "Modify/delete" button
> $query = "SELECT..."
> }
> ============
>
> Thank you.


#3
01-30-2008
Gilles Ganault
Re: [newbie] Keeping it all in one page?

On Tue, 29 Jan 2008 19:23:20 +0000, The Natural Philosopher <a@b.c>
wrote:
>Whatever turns you on.


Does Megan Fox code in PHP? ;-)

I now have four sections in index.php organized in a switch() block.
I'd like to add the following features:

1. Retrieve the names of the columns from MySQL, and display them at
the top of the table using TH tags
2. Clicking on a column header sorts the whole table, ASC and DESC
3. On each line, add a checkbox so that the user can delete some or
all records in one go.

http://img101.imageshack.us/img101/9529/phpcrudfh6.jpg

Does someone have some code handy that I could use as a basis?

Thank you.

#4
01-30-2008
Jerry Stuckle
Re: [newbie] Keeping it all in one page?

Gilles Ganault wrote:
> On Tue, 29 Jan 2008 19:23:20 +0000, The Natural Philosopher <a@b.c>
> wrote:
>> Whatever turns you on.

>
> Does Megan Fox code in PHP? ;-)
>
> I now have four sections in index.php organized in a switch() bloc.
> I'd like to add the following features:
>
> 1. Retrieve the names of the columns from MySQL, and display them at
> the top of the table using TH tags
> 2. Clicking on a colum header sorts the whole table, ASC and DESC
> 3. On each line, add a checkbox so that the user can delete some or
> all records in one go.
>
> http://img101.imageshack.us/img101/9529/phpcrudfh6.jpg
>
> Does someone have so code handy that I could use as basis?
>
> Thank you.
>


I'd do the sorting in javascript. And adding a checkbox isn't hard at
all. But don't just use the primary key id in the checkbox unless you
have some other way to protect your page from hackers. It's too easy
for a hacker to delete your entire database. Rather, I use an encrypted
value for the checkbox field. Still not foolproof, but a lot safer.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================


#5
01-30-2008
Gilles Ganault
Re: [newbie] Keeping it all in one page?

On Tue, 29 Jan 2008 20:53:29 -0500, Jerry Stuckle
<jstucklex@attglobal.net> wrote:
>I'd do the sorting in javascript.


OK. I'll google for this.

> And adding a checkbox isn't hard at all. But don't just
> use the primary key id in the checkbox unless you have
> some other way to protect your page from hackers.


Thanks for the tip. This is just a dummy project to get a feel for the
machinery, and I'll move all variables on the server by using a
session.

#6
01-30-2008
Gilles Ganault
Re: [newbie] Keeping it all in one page?

On Tue, 29 Jan 2008 20:53:29 -0500, Jerry Stuckle
<jstucklex@attglobal.net> wrote:
>And adding a checkbox isn't hard at all. But don't just use
> the primary key id in the checkbox unless you have some other way
> to protect your page from hackers.


The definitive wrong way to do things:
============
<?php

$table  = "mytable";   // table name assumed for the example
$status = isset($_POST['status']) ? $_POST['status'] : '';
$item   = isset($_POST['item']) && is_array($_POST['item']) ? $_POST['item'] : array();

switch ($status) {
case "delete":
    foreach ($item as $bit) {
        // the checkbox value goes straight into the SQL, unvalidated
        $query = "DELETE FROM " . $table . " WHERE id=" . $bit;
        $result = mysql_query($query) or die("Query failed: " . mysql_error());
    }
    break;

default:
    echo "<form method=\"post\">";
    echo "<input type=\"checkbox\" name=\"item[]\" value=\"1\">";
    echo "<input type=\"checkbox\" name=\"item[]\" value=\"2\">";
    echo "<input type=\"hidden\" name=\"status\" value=\"delete\">";
    echo "<input type=\"submit\" value=\"Delete\">";
    echo "</form>";
}
?>
============

BTW, is there some book like "The 50 pitfalls of writing web apps in
PHP" that would take real-life newbie errors like the above, explain
why they're wrong, and the safe way to rewrite them?

Thanks.

#7
01-30-2008
Jerry Stuckle
Re: [newbie] Keeping it all in one page?

Gilles Ganault wrote:
> On Tue, 29 Jan 2008 20:53:29 -0500, Jerry Stuckle
> <jstucklex@attglobal.net> wrote:
>> And adding a checkbox isn't hard at all. But don't just use
>> the primary key id in the checkbox unless you have some other way
>> to protect your page from hackers.

>
> The definitive wrong way to do things:
> ============
> <?php
>
> switch ($status) {
> case "delete":
> foreach ($item as $bit) {
> $query = "DELETE FROM " . $table . " WHERE id=" . $bit;
> $result = mysql_query($query) or die("Query failed: " .
> mysql_error());
> }
> break;
>
> default:
> echo "<form method=post>";
> echo "<input type=checkbox name=item[] value=1>"
> echo "<input type=checkbox name=item[] value=2>"
> echo "<input type=hidden name=status value=delete>";
> echo "<input type=submit value=Delete>";
> echo "</form>";
>
> }
> ?>
> ============
>
> BTW, is there some book like "The 50 pitfalls of writing web apps in
> PHP" that would take real-life newbie errors like the above, explain
> why they're wrong, and the safe way to rewrite them?
>
> Thanks.
>


Well, let's see. First of all, you should never use "or die()" in
production code. It's fine for testing, but you need a graceful
recovery in production. You do not want your page to stop in the middle
of loading with "Query failed" or a message from MySQL in the window!

You're just deleting rows, without validating the user has permission to
delete the row. This would be fine for an admin interface, where access
is restricted and the admin person can delete any row. However, it is
not good for a public interface.

And always validate any data from your user. For instance, what would
happen if I submitted a form to your page with:

<input type=checkbox name=item[] value="1 OR 2=2">

Your query would end up as:

DELETE FROM mytable WHERE id=1 OR 2=2

And guess what would be deleted? :-)

Not sure what else they're talking about.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
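A hardened version of the delete handler, written here as an added example (it is not code from the thread) to show the two points raised in posts #4 and #7 above. Each checkbox carries the row id plus an HMAC tag bound to the current session, so an id that was hand-edited or copied from someone else's page is rejected before any SQL runs; the tag is an authentication code rather than the "encrypted value" Jerry mentions, since integrity is what matters here. The DELETE is a PDO prepared statement with the id bound as an integer, so a value like `1 OR 2=2` can never become part of the query, and errors are logged rather than ending the page with `die()`. The table `mytable`, its `id` and `name` columns, the `APP_SECRET` constant, and the PDO/MySQL connection details are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a table `mytable`
// with an integer primary key `id` and a text column `name`, PDO with the
// MySQL driver, and a per-deployment secret in APP_SECRET (PHP 7+).
session_start();
define('APP_SECRET', 'replace-with-a-long-random-value');

// One random value per session; it binds the row tags to this session.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(16));
}

// Tag an id so that a value not rendered for this session fails verification.
function tag_id($id) {
    $id  = (int) $id;
    $mac = hash_hmac('sha256', $_SESSION['csrf'] . ':' . $id, APP_SECRET);
    return $id . ':' . $mac;
}

// Returns the integer id, or null if the value is malformed or the tag is wrong.
function untag_id($value) {
    if (!is_string($value) || !preg_match('/^(\d{1,10}):([0-9a-f]{64})$/', $value, $m)) {
        return null;
    }
    $expected = hash_hmac('sha256', $_SESSION['csrf'] . ':' . $m[1], APP_SECRET);
    return hash_equals($expected, $m[2]) ? (int) $m[1] : null;
}

// Deletes only rows whose tag verifies; returns how many rows were removed.
function delete_rows(PDO $db, array $tagged) {
    $deleted = 0;
    // Prepared statement: the id is a bound integer, never concatenated.
    $stmt = $db->prepare('DELETE FROM mytable WHERE id = :id');
    foreach ($tagged as $value) {
        $id = untag_id($value);
        if ($id === null) {
            error_log('rejected tampered delete value');
            continue;
        }
        $stmt->bindValue(':id', $id, PDO::PARAM_INT);
        $stmt->execute();
        $deleted += $stmt->rowCount();
    }
    return $deleted;
}

try {
    $db = new PDO('mysql:host=localhost;dbname=mydb', 'user', 'pass',
                  array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
} catch (PDOException $e) {
    error_log('DB connect failed: ' . $e->getMessage());
    echo 'Service temporarily unavailable.';
    exit;
}

$status = isset($_POST['status']) ? $_POST['status'] : '';

if ($status === 'delete') {
    $items = isset($_POST['item']) && is_array($_POST['item']) ? $_POST['item'] : array();
    try {
        $n = delete_rows($db, $items);
        echo htmlspecialchars("Deleted $n row(s).", ENT_QUOTES, 'UTF-8');
    } catch (PDOException $e) {
        // graceful failure: log the detail, show the user a plain message
        error_log('delete failed: ' . $e->getMessage());
        echo 'The delete could not be completed.';
    }
}

// List rows, each with a tagged checkbox value.
echo '<form method="post">';
foreach ($db->query('SELECT id, name FROM mytable ORDER BY id') as $row) {
    printf('<label><input type="checkbox" name="item[]" value="%s"> %s</label><br>',
           htmlspecialchars(tag_id($row['id']), ENT_QUOTES, 'UTF-8'),
           htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'));
}
echo '<input type="hidden" name="status" value="delete">';
echo '<input type="submit" value="Delete">';
echo '</form>';
```

The tag only proves that this session was shown the row; whether the user was allowed to see it is decided by the SELECT that renders the list, so on a public page that query, not the delete handler, is where the per-user permission check belongs.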
