Editing Authors
All that's left is editauthor.php, which must provide an
interface for us to edit an existing author's details. This page will actually
be very similar to newauthor.php, except the form fields
will initially contain the values stored in the database, and an UPDATE query will be used
instead of an INSERT query when the form is submitted.

One minor complication comes into play here. To initialize the form
fields with the values stored in the database, the page will obviously use
the $id variable passed from authors.php to
retrieve the values and store them in PHP variables (say, $name and $email).
The code for our form should then look like this:
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<p>Edit the author:<br />
Name: <input type="text" name="name" value="<?=$name?>"
size="20" maxlength="255" /><br />
EMail: <input type="text" name="email" value="<?=$email?>"
size="20" maxlength="255" /><br />
<input type="hidden" name="id" value="<?=$id?>" />
<input type="submit" name="submit" value="SUBMIT" /></p>
</form>
As an aside, notice the hidden form field, which we use to pass along
the author's ID with the updated values when the form is submitted.

But consider what would happen if the author's name were "The Jokester" (with the
quotes). The input tag produced by the PHP script would look like this:
<input type="text" name="name" value="The Jokester"
size="20" maxlength="255" />
Obviously, this is invalid HTML. We need to replace the quotes in the
name with their HTML character entity equivalents. Specifically, any double quotes
in the name should be converted to the character code &quot; as
follows:
<input type="text" name="name" value="&quot;The Jokester&quot;"
size="20" maxlength="255" />
PHP provides a function called htmlspecialchars that
automatically converts special HTML characters such as <, > and
quotes (among others) like those above into their respective character codes.
Consider the following basic example:
$text = htmlspecialchars('<HTML> can be dangerous!');
echo($text); // output: &lt;HTML&gt; can be dangerous!
To avoid problems with quotes and angled brackets in your text strings,
you should use this function whenever you output a non-HTML text string, especially
when you output variables retrieved from a database, which can have unpredictable
values.
// Convert special characters for safe use
// as HTML attributes.
$name = htmlspecialchars($name);
$email = htmlspecialchars($email);
With this issue in mind, we can now create editauthor.php,
the complete code for which is provided in the code archive.
Magic Quotes
While we're on
the subject of troublesome special characters, there is another situation
where particular characters in a string can cause problems. Consider the following
SQL query:
mysql> INSERT INTO Authors SET
    -> Name='Molly O'Reilly',
    -> EMail='mollyo@hotmail.com';
Obviously, the apostrophe in the author's last name will cause problems
here, as MySQL can no longer figure out where the author's name ends. The
solution in this case would be to use another function provided by PHP: addslashes. This function,
like htmlspecialchars, converts unsafe characters in
a string so that they're safe. The difference is that addslashes is
used to escape special characters by putting backslashes
before them, as follows:
mysql> INSERT INTO Authors SET
    -> Name='Molly O\'Reilly',
    -> EMail='mollyo@hotmail.com';
A backslash tells MySQL to treat the next character (the apostrophe,
in this case) as a character in the string, ignoring any special meaning it
might normally have. Thus, the above code will correctly insert the name Molly
O'Reilly into the Authors table.

So why haven't we worried about this problem before now? PHP has a nifty
little feature called Magic Quotes, which is enabled
by default with the following setting in your php.ini file:
magic_quotes_gpc = On
This setting basically tells PHP to use the addslashes function
automatically upon any variables that are passed with the request for the
page. The "gpc" stands for "get, post, cookies", which
are the three methods by which information may be passed with a request for
a Web page. As all the values we've inserted into our database up until now
have been passed as part of a form submission, the Magic Quotes feature of
PHP has automatically added slashes to them every time. Values retrieved from
a MySQL database, however, do not benefit from the Magic Quotes feature, and
so we must add slashes before we can use them in any situation where quotes,
apostrophes, and other special characters may be a problem.

In some cases, you may not actually want to add
backslashes to submitted values. For example, if you are just going to print
out a value that was submitted with a form, then those backslashes could turn
out to be quite an eyesore. To undo the work of either the addslashes function
or the Magic Quotes feature, you can use yet another function called stripslashes.

Complete information about these functions may be found in the PHP online
manual at http://www.php.net/manual.
All of the scripts in this book are written with the default setting, magic_quotes_gpc = On, in mind.
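As an added example (not the book's own editauthor.php from the code archive), the following script applies both functions discussed above to one author record: htmlspecialchars for the form's attribute values, and addslashes for the UPDATE query, with stripslashes undoing Magic Quotes on submitted values so nothing is escaped twice. The $author row is constructed sample data, and the attr(), sqlstr() and submitted() helper names are chosen here, not taken from the book.

```php
<?php
// Added example, not the book's editauthor.php: the same author values
// escaped for two contexts, an HTML attribute and a MySQL string literal.

// Constructed row, as it might be fetched from the Authors table.
$author = array('ID' => 7, 'Name' => '"The Jokester" O\'Reilly', 'EMail' => 'jokes@example.com');

// HTML attribute context. ENT_QUOTES converts both " and ' (before PHP 8.1
// the default flags left single quotes alone), so the value cannot break
// out of the value="..." attribute it is printed into.
function attr($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// SQL string context. addslashes prefixes ' " \ and NUL with a backslash,
// which is exactly what Magic Quotes does to GET/POST/cookie input.
function sqlstr($value) {
    return "'" . addslashes($value) . "'";
}

// Submitted values already carry slashes when magic_quotes_gpc = On. Strip
// them first so each value is escaped exactly once, whichever setting the
// server uses (get_magic_quotes_gpc() no longer exists in PHP 8).
function submitted($key) {
    $value = isset($_POST[$key]) ? $_POST[$key] : '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

if (isset($_POST['submit'])) {
    $sql = "UPDATE Authors SET Name=" . sqlstr(submitted('name'))
         . ", EMail=" . sqlstr(submitted('email'))
         . " WHERE ID=" . (int) submitted('id');
    // $sql is ready for mysql_query(); the (int) cast keeps the ID numeric.
}
?>
<form action="<?= attr($_SERVER['PHP_SELF']) ?>" method="post">
<p>Edit the author:<br />
Name: <input type="text" name="name" value="<?= attr($author['Name']) ?>"
size="20" maxlength="255" /><br />
EMail: <input type="text" name="email" value="<?= attr($author['EMail']) ?>"
size="20" maxlength="255" /><br />
<input type="hidden" name="id" value="<?= (int) $author['ID'] ?>" />
<input type="submit" name="submit" value="SUBMIT" /></p>
</form>
```

Magic Quotes was removed in PHP 5.4, so on any current release the stripslashes branch is never taken and addslashes does all of the escaping in code.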