Build Your Own Database-Driven Website Using PHP & MySQL

Kevin Yank


Editing Authors

All that's left is editauthor.php, which must provide an interface for us to edit an existing author's details. This page will actually be very similar to newauthor.php, except the form fields will initially contain the values stored in the database, and an UPDATE query will be used instead of an INSERT query when the form is submitted.

One minor complication comes into play here. To initialize the form fields with the values stored in the database, the page will obviously use the $id variable passed from authors.php to retrieve the values and store them in PHP variables (say, $name and $email). The code for our form should then look like this:

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
<p>Edit the author:<br />
Name: <input type="text" name="name" value="<?=$name?>"
size="20" maxlength="255" /><br />
EMail: <input type="text" name="email" value="<?=$email?>"
size="20" maxlength="255" /><br />
<input type="hidden" name="id" value="<?=$id?>" />
<input type="submit" name="submit" value="SUBMIT" /></p>
</form>

As an aside, notice the hidden form field, which we use to pass along the author's ID with the updated values when the form is submitted.

But consider what would happen if the author's name were "The Jokester" (with the quotes). The input tag produced by the PHP script would look like this:

<input type="text" name="name" value="The Jokester"
size="20" maxlength="255" />

Obviously, this is invalid HTML: the value attribute ends at the second quote, and everything after it is parsed as stray markup, so a value containing a quote can inject attributes or tags into the page. We need to replace the quotes in the name with their HTML character entity equivalents. Specifically, any double quotes in the name should be converted to the character entity &quot; as follows:

<input type="text" name="name" value="&quot;The Jokester&quot;"
size="20" maxlength="255" />

PHP provides a function called htmlspecialchars that automatically converts special HTML characters such as &, <, > and double quotes into their respective character entities (pass the ENT_QUOTES flag to convert single quotes as well). Consider the following basic example:

$text = htmlspecialchars('<HTML> can be dangerous!');
echo($text); // output: &lt;HTML&gt; can be dangerous!

To avoid problems with quotes and angle brackets in your text strings, you should pass every plain-text string through this function before outputting it as part of an HTML page, especially when you output variables retrieved from a database or submitted by a user, which can have unpredictable values.

// Convert special characters for safe use
// as HTML attributes.
$name = htmlspecialchars($name);
$email = htmlspecialchars($email);
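The following is an added example, not code from the book, that renders the Name field of the editauthor.php form both without and with htmlspecialchars, for three constructed author values (the quoted name from the text, a name with an apostrophe, and a value crafted to break out of the attribute). The helper names h and nameInput are this example's own.

```php
<?php
// Added example (not from the book). The author rows are constructed
// test data standing in for values read from the Authors table.
$authors = [
    ['id' => 1, 'name' => '"The Jokester"',                   'email' => 'joke@example.com'],
    ['id' => 2, 'name' => "Molly O'Reilly",                   'email' => 'mollyo@example.com'],
    // Crafted to break out of the value attribute when left unescaped.
    ['id' => 3, 'name' => '" onfocus="alert(1)" autofocus="', 'email' => 'x@example.com'],
];

// Escape a plain-text value for use inside an HTML attribute or text node.
// ENT_QUOTES also converts single quotes, so the result is safe inside a
// single-quoted attribute as well; the charset must match the page's own.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build the <input> for the Name field, either raw (the naive version
// discussed in the text) or escaped (what editauthor.php should emit).
function nameInput(string $name, bool $escape): string
{
    $value = $escape ? h($name) : $name;
    return '<input type="text" name="name" value="' . $value
         . '" size="20" maxlength="255" />';
}

foreach ($authors as $author) {
    echo "Raw:     ", nameInput($author['name'], false), "\n";
    echo "Escaped: ", nameInput($author['name'], true), "\n\n";
}
```

Run it from the command line with php and compare the two lines for the third author: the raw version closes the value attribute early and the rest of the "name" becomes real attributes on the input element, while the escaped version keeps the whole string inside the attribute as entities.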

With this issue in mind, we can now create editauthor.php, the complete code for which is provided in the code archive.

Magic Quotes

While we're on the subject of troublesome special characters, there is another situation where particular characters in a string can cause problems. Consider the following SQL query:

mysql> INSERT INTO Authors SET
    -> Name='Molly O'Reilly',
    -> EMail='mollyo@hotmail.com';

Obviously, the apostrophe in the author's last name will cause problems here, as MySQL can no longer figure out where the author's name ends. The solution in this case would be to use another function provided by PHP: addslashes. This function, like htmlspecialchars, converts unsafe characters in a string so that they're safe. The difference is that addslashes escapes special characters (single quotes, double quotes, backslashes and NUL bytes) by putting backslashes before them, as follows:

mysql> INSERT INTO Authors SET
    -> Name='Molly O\'Reilly',
    -> EMail='mollyo@hotmail.com';

A backslash tells MySQL to treat the next character (the apostrophe, in this case) as a character in the string, ignoring any special meaning it might normally have. Thus, the above code will correctly insert the name Molly O'Reilly into the Authors table.

So why haven't we worried about this problem before now? PHP has a nifty little feature called Magic Quotes, which is enabled by default with the following setting in your php.ini file:

magic_quotes_gpc = On

This setting tells PHP to apply the addslashes function automatically to any variables that are passed with the request for the page. The "gpc" stands for "get, post, cookies", which are the three methods by which information may be passed with a request for a Web page. As all the values we've inserted into our database up until now have been passed as part of a form submission, the Magic Quotes feature of PHP has automatically added slashes to them every time. Values retrieved from a MySQL database, however, do not benefit from the Magic Quotes feature, and so we must add slashes before we can use them in any situation where quotes, apostrophes, and other special characters may be a problem.

In some cases, you may not actually want to add backslashes to submitted values. For example, if you are just going to print out a value that was submitted with a form, then those backslashes could turn out to be quite an eyesore. To undo the work of either the addslashes function or the Magic Quotes feature, you can use yet another function called stripslashes.

Complete information about these functions may be found in the PHP online manual at http://www.php.net/manual. All of the scripts in this book are written with the default setting, magic_quotes_gpc = On, in mind. Note that Magic Quotes was deprecated in PHP 5.3 and removed in PHP 5.4, so on any current PHP version submitted values arrive exactly as typed; and because addslashes knows nothing about the connection's character set, the preferred way to escape a value for MySQL today is mysqli_real_escape_string or, better still, a prepared statement with bound parameters.
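The following is an added example, not code from the book, that builds the INSERT query from the Magic Quotes discussion with addslashes, handles a submitted value the same way whether or not magic_quotes_gpc added slashes to it, and shows what goes wrong when a value is slashed twice. The helper names magicQuotesOn, rawSubmitted, sqlLiteral and insertAuthorSql are this example's own, and the input strings are constructed.

```php
<?php
// Added example (not from the book). All values below are constructed.

// Magic Quotes existed up to PHP 5.3 and was removed in 5.4; the
// get_magic_quotes_gpc() function itself was removed in PHP 8.0.
// Where the function is missing, submitted values arrive unescaped.
function magicQuotesOn(): bool
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Return the raw (unslashed) form of a submitted value, whatever the
// magic_quotes_gpc setting is, so that it gets escaped exactly once.
function rawSubmitted(string $value): string
{
    return magicQuotesOn() ? stripslashes($value) : $value;
}

// Quote a raw string as a MySQL string literal. addslashes() backslashes
// ' " \ and NUL; it does not know the connection's character set, so on a
// real connection mysqli_real_escape_string() or a prepared statement
// should be used instead.
function sqlLiteral(string $raw): string
{
    return "'" . addslashes($raw) . "'";
}

function insertAuthorSql(string $name, string $email): string
{
    return 'INSERT INTO Authors SET Name=' . sqlLiteral($name)
         . ', EMail=' . sqlLiteral($email) . ';';
}

// 1. A name submitted through a form. With Magic Quotes on it arrives
//    already slashed; without it, as typed. Simulate both paths.
$submitted = magicQuotesOn() ? "Molly O\\'Reilly" : "Molly O'Reilly";
$name = rawSubmitted($submitted);   // "Molly O'Reilly" on either path
echo insertAuthorSql($name, 'mollyo@hotmail.com'), "\n";

// 2. A value read back from the database is never slashed, so it must be
//    escaped before it is reused in another query.
$fromDb = "Molly O'Reilly";
echo insertAuthorSql($fromDb, 'copy@example.com'), "\n";

// 3. Slashing a magic-quoted value a second time escapes the backslash
//    too, so MySQL stores a literal backslash in the name.
$doubleEscaped = addslashes("Molly O\\'Reilly");
echo $doubleEscaped, "\n";

// 4. For display, slashes added by addslashes() or Magic Quotes are
//    removed again with stripslashes().
echo stripslashes("Molly O\\'Reilly"), "\n";
```

Cases 1 and 2 both produce the query shown in the text, with the apostrophe escaped as \' exactly once. Case 3 is the bug that Magic Quotes made common: the value submitted from the form already contains a backslash, addslashes doubles it, and the row ends up containing a backslash that stripslashes will not fully remove on the way back out.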