
10.3 Updating Data

Next, we need the ability to update a post. We'll read an existing post from the database and use it to populate an edit form. Then we'll validate the form input before updating the post in the database. In this lesson, I'll also introduce you to the concept of SQL injection attacks, and you'll learn how to avoid them to make your applications more secure.

In the previous lesson, we looked at a few concepts: we passed data to another file and validated that data so that we knew we were working with something that would make sense, at least as far as working with our posts is concerned. And then we used that data to read the database and display the data. Now in this lesson, we're going to take it a step further and edit or update the data that we have within the database.

So I went ahead and created a file for that; now we are going to finish this file. Right now it's just a form. The file is edit.php, the form is going to post to the same file, and we have two fields: one for the title and the other for the post, and then we have a submit button. Now each one of these form controls, both of the fields and the submit button, has a name. And it's important that the submit button has a name, as you will see here in a few moments, but let's add a link to this file. We can do so in a variety of different places, but let's do it inside of post.php, so that when we visit this page there will be a link prompting us to edit this post, and we can do that right here with our title. So let's add an a element; we are going to edit.php, and we're going to kinda do the same thing. We're going to use the query string to pass the id to the edit file; that way we know what file, or what post, we are going to be editing. So we're just going to output id, and our text for this link is going to be simply Edit Post.

So if we go and look at this in the browser, we can refresh this page, and there is an Edit Post link. If we click on this, we are taken to the form. Now the form itself is not pretty at all; we could use Bootstrap to make it a little cleaner, but we're just going to keep this simple. Now when it comes to our edit page, we essentially want to do the same thing that we did inside of our post.php file: because we have the ID in the query string, we need to validate it.
We need to retrieve the post so that we can then populate our form with the post information. So really, we can reuse all of this code. I'm going to cut this out and create a new file, and since this is all stuff for GET requests, I'm going to call this get-helpers.php, and then I'm just going to paste it in. Then we can include this inside of our post.php file, so get-helpers. And inside of our edit page, we will want to do the same thing as well, because we need all of that. So just copy and paste, and we should be good to go, but just to make sure that everything is still working... Yes, this is working, and we haven't really done anything with edit.php yet, so everything there is working.

But now, with a GET request, we have our post information, so we can go ahead and start populating our form. So for our title field, we're going to add the value attribute, and we are going to use our post object and the title property. We will do the same thing for our content, so let's just copy and paste this, change title to content, and there we go.

Now when it comes to sending a POST request, we also need to know what post we are updating. Now, yes, we could rely upon the URL for that, and some people would do that, but me personally, I don't like to do that because that is part of a GET request. Anything with a query string is typically a GET request; whenever you send a POST request, the POST request should have everything there that we need. So what we're going to do is add another field to our form, but this is going to be a hidden field, and it's going to contain our ID. The type is going to be hidden and the value is going to be our ID, so let's just paste in what we already have and change that to ID. We also need a name here, so this is going to be post-id, and then we will have everything that we need whenever we make a POST request.
Now, when it comes to our edit.php file, we are essentially doing two things: we are handling a GET request, and a GET request is going to display our form; a POST request is going to take the information from the form and then update the database. So we need to know how to determine what type of request is being handled, and we can do that with the name of our submit button. If the form is being posted, then the edit-submit field will be in our POST collection. So we can do something like this: we'll add an if statement, and we're going to use the isset function, which returns true or false based upon whether a variable is set. In this case, we're going to check our POST collection; if it has our submit button, then it is a POST request. If it doesn't, then it is a GET request, and for a GET request, we can just include our get helpers.

So that was nice and easy. However, when it comes to our POST request, we need to do quite a few things. We need to take the information that is provided by the user and validate it, because remember from the previous lesson, we should never, ever trust the data coming from the user. So let's do this: we're gonna say post ID, and we are essentially going to do what we did in the previous lesson with the filter_var function. So let's just copy that, paste it in here, and use our POST collection. We want the post ID, and we want to do the same type of checks: if it is invalid, or if it is less than one, then we have an invalid ID. So let's just go ahead and copy that code as well. Now when it comes to the title and the content, filter_var is still going to be okay, but instead we're going to use a function called strip_tags, which is going to strip out all of the HTML. Now that could pose a problem for our content, because we might want HTML in our content, but doing that correctly, well, it's not as easy as you might think it would be.
So in order to do things like that, you need to rely upon code that other people have written, and we aren't going to; we are just going to take the easy way out. So we are going to call strip_tags, and we will get our post information from our POST collection. This is for the title, and then we will do the same thing for our content, so both of these are going to be just ordinary text.

Now, this also poses a problem, because if we just blindly use these values in our SQL statements, well, we could have some issues there. So let's do something like this. We could say UPDATE, and whenever you update a table, you say UPDATE and then the table, and then you specify what you're updating: you're going to SET a column to a value. So in our case, we're going to set our title to our post title, although that's not good enough; we do have to surround our post title with quotes because that is a string. We are also setting content equal to our post content, and then we have a condition WHERE the ID is equal to ID. Now since ID is numeric, we don't have to use our quotes there.

Now the problem here is that a malicious person could go to our form, and they could type actual SQL into the form that would be submitted. And if we are directly using that value inside of our SQL statements, well, they could have crafted their data in such a way that it could cause some harm. That's called a SQL injection attack. So instead, what we will end up doing is using parameters, or placeholders. We're going to use a question mark here, so we're going to say title equals question mark, content equals question mark. And then we're going to create what's called a prepared statement, which will allow us to bind values to where these question marks are. So we need to create our database now. Let's say our db equals, and then I believe that was called createDb or getDb, I don't remember. I think it's getDb; we'll find out soon enough.
And we will use our db object to create our statement, so we will say statement equals db, and the method that we want to call is called prepare. We will pass in our SQL statement, and then we want to bind our values to those question marks. We do that with our statement, which has a method called bind_param. The first thing that we pass to this method is the type of data that we are binding. So we have a title, which is a string, so we just use s for string, but we include all of the variables or the values that we are binding. We have a string for title and a string for content, so it ends up being ss, and then we pass in our values, so we have post title and then post content.

Now you might be thinking, why are we not doing that for ID? Well, by the time we get to line 15, we know that ID is a numeric value. We have used filter_var, which returns either an integer or a Boolean value, but we've already checked to see if that was false. We've also checked to see if it is less than 1, and if it is, then we are never, ever going to get to line 15. But with that said, it's always a good idea to just use these parameters; it's safer. You don't have to worry about, well, did I validate this all the way? You just don't have to worry about that. So in our case, we are going to use a question mark for ID as well, and whenever we bind our parameters, which is what these question marks are, we are going to have a string, a string, and then an integer, and our integer is of course going to be our post ID.

Now after we have prepared our SQL statement and we have bound the parameters to their values, then we execute our statement; we just call the execute method. Once that's done, we need to redirect back to some place. We don't want to just reload the form; instead, we want to either redirect back to the post page for displaying the individual post, or redirect back to index.
Now, unfortunately, there is not an easy way to just say redirect to here. What we end up doing is setting the Location header. So we're going to call the header function; we will say Location and then the location, which is going to be, well, whatever it is. So let's say the location is going to be post.php with an id=$postId. Now one very important thing about header: you cannot really use header if something has already been sent to the browser. This includes a doctype, this includes any HTML, so you can only use header before anything is sent to the browser, which in this case it is. So we don't have to worry about that.

Okay, so the moment of truth: let's refresh this page, which is a GET request, and we see that our form has been populated. This is the first post, and then this is the content. Let's change this so that it says this is the content for the first post; cross your fingers. We'll click on Edit Post, and we are redirected back to post.php with an ID of two. We see that this is the content for the first post, so everything works like it did before. Let's go ahead and go to the second post, and we will edit that post, and we will say that this is the edited content of the second post. There we can see that that was updated, and so we are now able to edit our posts.

In the next lesson, we're going to finish up our course. One of the things that we haven't done is include any of the author information. So far we've just displayed our post information, and we want to bring in the author information so that our viewers can see who authored what post. So we will do that, and we will also add the ability to delete a post.
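As an added example (not the course's own edit.php), here is the POST branch the lesson walks through: validate post-id with filter_var, strip tags from the text fields, run the UPDATE through a prepared statement with bind_param("ssi"), and redirect with a Location header before any output. Assumed, because the transcript never shows them: getDb() returns a connected mysqli object, the table is named posts, and the two text inputs are named title and content.

```php
<?php
// Added example, not the course's own edit.php: the POST branch described
// in the lesson. Assumed: getDb() returns a connected mysqli object, the
// table is named `posts`, and the text inputs are named `title` and `content`.

// filter_var returns an int or false; ids start at 1, so reject the rest.
function validPostId(array $post): ?int
{
    $id = filter_var($post['post-id'] ?? null, FILTER_VALIDATE_INT);
    return ($id === false || $id < 1) ? null : $id;
}

// The prepared statement is the fix for SQL injection: the user's text is
// bound to the ? placeholders and is never spliced into the SQL string, unlike
// "UPDATE posts SET title = '$title' ..." where the input becomes part of the query.
function updatePost(mysqli $db, int $postId, string $title, string $content): bool
{
    $stmt = $db->prepare('UPDATE posts SET title = ?, content = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    // "ssi": a string, a string, then an integer, in placeholder order.
    $stmt->bind_param('ssi', $title, $content, $postId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// The submit button's name tells a POST request apart from a GET request.
if (isset($_POST['edit-submit'])) {
    $postId = validPostId($_POST);
    if ($postId === null) {
        http_response_code(400);
        exit('Invalid post id');
    }
    // strip_tags keeps both fields as plain text, as in the lesson.
    $title   = strip_tags($_POST['title'] ?? '');
    $content = strip_tags($_POST['content'] ?? '');

    if (!updatePost(getDb(), $postId, $title, $content)) {
        http_response_code(500);
        exit('Update failed');
    }
    // Nothing has been sent to the browser yet, so Location can still be set.
    header('Location: post.php?id=' . $postId);
    exit;
}
```

The exit after header() matters: without it the rest of the script (including the form's HTML) would still run after the redirect header is queued.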