PHP prevent duplicate post
I have the code below that updates user information. I need to run the query ONLY for the fields that are filled in, so you don't have to add all the info every time you want to make a little edit to a user. I want to IGNORE the empty form fields.
I can't figure out what method to go with to achieve this:
if(isset($_POST['do_edit'])) {
    $error = ''; // must exist before the checks below compare against it
    $id = mysql_real_escape_string($_POST['user_id']);
    $company_name = mysql_real_escape_string($_POST['company_name']);
    $contact = mysql_real_escape_string($_POST['contact']);
    $username = mysql_real_escape_string($_POST['username']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $address = mysql_real_escape_string($_POST['address']);
    $email = mysql_real_escape_string($_POST['email']);
    // Escaping the password before hashing alters any password that contains
    // a quote or backslash; the hash is computed from the escaped string.
    $password = mysql_real_escape_string($_POST['password']);
    $password2 = mysql_real_escape_string($_POST['confirm']);
    $level = mysql_real_escape_string($_POST['user_level']);
    // Checkboxes are absent from $_POST when unticked, so guard with isset()
    $restrict = isset($_POST['restrict']) ? mysql_real_escape_string($_POST['restrict']) : '';
    $delete = isset($_POST['delete']) ? mysql_real_escape_string($_POST['delete']) : '';
    // Ticked the 'delete user' box? If so, delete and echo message.
    if($delete == 'delete_uid' && $error == '') {
        $sql = "DELETE FROM login_users WHERE user_id='$id'";
        $query = mysql_query($sql) or die("Fatal error: ".mysql_error());
        echo "<h3>Deleted</h3>";
        echo "<div class='success_message'>User <b>$company_name $contact</b> has been removed from the database.</div>";
        echo "<h2>What to do now?</h2><br />";
        echo "<a href=''>« Back to Admin Panel</a> | Go to the <a href='user_edit.php'>edit users</a> page.";
    } else {
        // Validate the submitted information (isEmail() is a helper not shown here)
        if(trim($id) == '1') {
            $error = '<div class="error_message">Attention! You cannot edit the main Administrator, use database.</div>';
        } else if(trim($company_name) == '') {
            $error = '<div class="error_message">Attention! You must enter a company name.</div>';
        } else if(trim($contact) == '') {
            $error = '<div class="error_message">Attention! You must enter a contact name.</div>';
        } else if(!isEmail($email)) {
            $error = '<div class="error_message">Attention! You have entered an invalid e-mail address, try again.</div>';
        } else if(trim($level) == '') {
            $error = '<div class="error_message">Attention! No user level has been selected.</div>';
        }
        // Password been entered? If so, validate and update information.
        if($password != '') {
            if($password != $password2) {
                $error = '<div class="error_message">Attention! Your passwords did not match.</div>';
            }
            if(strlen($password) < 5) {
                $error = '<div class="error_message">Attention! Your password must be at least 5 characters.</div>';
            }
            if($error == '') {
                // MD5 is an unsalted, fast digest and not a suitable password hash
                $sql = "UPDATE login_users SET restricted='$restrict', company_name='$company_name', contact='$contact', email='$email', user_level='$level', password = MD5('$password') WHERE user_id = '$id'";
                $query = mysql_query($sql) or die("Fatal error: ".mysql_error());
                echo "<h2>Updated</h2>";
                echo "<div class='success_message'>User information (and password) updated for User ID <b>$id ($company_name)</b>.</div>";
                echo "<h2>What to do now?</h2><br />";
                echo "<a href=''>« Back to Admin Panel</a> | Go to the <a href='user_edit.php'>edit users</a> page.";
            }
        // Password has not been entered, don't update password fields.
        } else {
            if($error == '') {
                $sql = "UPDATE login_users SET restricted='$restrict', company_name='$company_name', contact='$contact', username='$username', email='$email', user_level='$level' WHERE user_id = '$id'";
                $query = mysql_query($sql) or die("Fatal error: ".mysql_error());
                echo "<h2>Updated</h2>";
                echo "<div class='success_message'>User information updated for <b>$company_name</b>.</div>";
                echo "<h2>What to do now?</h2><br />";
                echo "<a href=''>« Back to Admin Panel</a> | Go to the <a href='user_edit.php'>edit users</a> page.";
            }
        }
    }
}
Check the list of fields, and dynamically build your UPDATE query based on the ones that meet the criteria. Strongly consider writing a function or two to help build the query without the repeated logic, but the following should provide a hint:
$sql = "UPDATE login_users SET ";
$first = 1; // true until the first SET clause has been appended
if ($restrict != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", "; // PHP concatenates with .=, not +=
    }
    $sql .= "restricted='$restrict'";
}
if ($company_name != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", ";
    }
    $sql .= "company_name='$company_name'";
}
if ($contact != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", ";
    }
    $sql .= "contact='$contact'";
}
if ($username != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", ";
    }
    $sql .= "username='$username'";
}
if ($email != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", ";
    }
    $sql .= "email='$email'";
}
if ($level != '') {
    if ($first) {
        $first = 0;
    } else {
        $sql .= ", ";
    }
    $sql .= "user_level='$level'";
}
$sql .= " WHERE user_id = '$id'";
if (! $first) {
    // do query, since we know something was changed
}
Two ways to do it:
- The one I usually use is to just use the database fields (except the password...) to pre-populate the form fields. They don't have to be empty.
- Start with an empty UPDATE query (UPDATE login_users SET ? WHERE user_id=$id) and construct a field='value',... string to replace the ?.
The second one seems more cumbersome than just prefilling the form.
You could try something like this:
$sql = "UPDATE login_users SET ";
foreach ($_POST as $fieldname => $value) {
    // $fieldname goes into the query verbatim as a column name, so every key
    // in $_POST (do_edit, user_id, confirm, ...) must either be a real column
    // of login_users or be renamed/skipped first (see the notes below).
    if ($value) {
        $sql .= "$fieldname='" . mysql_real_escape_string($value) . "', ";
    }
}
$sql = substr($sql, 0, -2); // remove the trailing ", "
$sql .= " WHERE user_id = '$id';";
Beware of two things:
- $fieldname must be the same as the actual field name in your database (if not, you should do something to rename it).
- You should do the md5 for passwords somewhere in between.
EDIT: Two more things!
- Don't forget to do MySQL escaping.
- This could be done prettier using sprintf
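Putting the first and the last answer together, here is an added example (not code from the question or from any of the answers) of the helper function the first answer recommends. It appends a SET clause only for the fields that were filled in, as the question asks, but takes the column names from a fixed whitelist and binds the values as parameters, which is what the foreach over $_POST in the last answer is missing: without it, an extra form field or a quote in a value goes straight into the SQL text. The column names, the in-memory SQLite table and the sample submission are assumptions chosen to match the question; PDO replaces the mysql_* functions of the original, and password_hash() replaces MD5().

```php
<?php
// Added example, not part of the original question or answers. Assumes a
// login_users table with the columns used in the question; the SQLite
// schema and the sample submission below are constructed for the demo.
declare(strict_types=1);

// Form field name => column name. Anything not listed here is ignored, so a
// field the form never had (or one an attacker adds) cannot reach the query.
// Whether user_level belongs here depends on who may submit this form.
const EDITABLE_COLUMNS = [
    'company_name' => 'company_name',
    'contact'      => 'contact',
    'username'     => 'username',
    'phone'        => 'phone',
    'address'      => 'address',
    'email'        => 'email',
    'user_level'   => 'user_level',
    'restrict'     => 'restricted',
];

/**
 * Build [$sql, $params] for an UPDATE that touches only the non-empty
 * fields, or return null when nothing was filled in. Values never appear
 * in the SQL string; only whitelisted column names do.
 */
function buildUserUpdate(array $post, int $userId): ?array
{
    $assignments = [];
    $params      = [];

    foreach (EDITABLE_COLUMNS as $field => $column) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            continue; // empty field: leave the stored value alone
        }
        $assignments[]      = "$column = :$column";
        $params[":$column"] = $value;
    }

    // Password is handled separately: only when supplied, confirmed, and
    // hashed with password_hash() rather than unsalted MD5.
    $password = isset($post['password']) ? (string) $post['password'] : '';
    if ($password !== '') {
        if ($password !== ($post['confirm'] ?? '')) {
            throw new InvalidArgumentException('Passwords did not match.');
        }
        $assignments[]       = 'password = :password';
        $params[':password'] = password_hash($password, PASSWORD_DEFAULT);
    }

    if ($assignments === []) {
        return null;
    }

    $sql = 'UPDATE login_users SET ' . implode(', ', $assignments)
         . ' WHERE user_id = :id';
    $params[':id'] = $userId;
    return [$sql, $params];
}

// --- Demonstration against an in-memory SQLite database (constructed) ---
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE login_users (
    user_id INTEGER PRIMARY KEY, company_name TEXT, contact TEXT,
    username TEXT, phone TEXT, address TEXT, email TEXT,
    user_level INTEGER, restricted INTEGER, password TEXT)');
$pdo->exec("INSERT INTO login_users VALUES
    (2, 'Acme Ltd', 'Jane Doe', 'jane', '', '', 'jane@example.com', 3, 0, 'x')");

// Constructed submission: only the phone field is filled in, the password is
// left empty, and two hostile extras are included to show they have no effect.
$post = [
    'user_id'  => '2',
    'phone'    => "555-0100', user_level = 1 --", // injection attempt in a value
    'password' => '',
    'confirm'  => '',
    'is_admin' => '1',                             // field not on the whitelist
];

[$sql, $params] = buildUserUpdate($post, (int) $post['user_id']);
$pdo->prepare($sql)->execute($params);

$row = $pdo->query('SELECT phone, user_level FROM login_users WHERE user_id = 2')
           ->fetch(PDO::FETCH_ASSOC);
echo $sql, "\n";               // UPDATE login_users SET phone = :phone WHERE user_id = :id
echo $row['phone'], "\n";      // the whole string, quote and all, stored literally
echo $row['user_level'], "\n"; // still 3: neither the value nor is_admin changed it
```

The one place a value is still interpolated into SQL is the column name, and that comes from the constant array, never from the request; if you generate the whitelist from SHOW COLUMNS or similar, keep it as a list of known names rather than trusting the $_POST keys.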