Managing a MySQL DB

[Anirban1987]

I have a php page which outputs the data in the MySQL DB table. Also it has a HTML radio button form in the cells of a particular field. That form should modify another field in the same row/id. But now when I submit the form it inserts the entry in a new row. Now my question is how can that HTML form identifies the sql row's id and force the processor file (i.e. the file which is updating the DB by processing the form) to modify the particular cell in the row in which the form resides. I am posting the page's and processor file code here. Plus a screenshot of how the table looks like.

HTML Code:

<?php
session_start(); // If 
if (!isset($_SESSION['web_user'])) {
    // User is not logged in, so send user away.
    header("Location:../index.php");
    die();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Content Management Panel</title>
<style type="text/css">
<!--
p {
 text-align: center;
}
body {
 text-align: center;
}
-->
</style>
</head>
<body>
<h2><u>TechDarpan Content Management Panel</u></h2>
<p>
  <?php
function SQLResultTable($Query)
{
  $link = mysql_connect(localhost, ******, ******) or die('Could not connect: ' . mysql_error());   //build MySQL Link
  mysql_select_db(anirban_tdcms) or die('Could not select database');        //select database
  $Table = "";  //initialize table variable
  $Table.= "<table border='1' bordercolor=#000000 style=\"color: #000000;\">"; //Open HTML Table
  $Result = mysql_query($Query); //Execute the query
  if(mysql_error())
  {
     $Table.= "<tr><td>MySQL ERROR: " . mysql_error() . "</td></tr>";
  }
  else
  {
   //Header Row with Field Names
   $NumFields = mysql_num_fields($Result);
   $Table.= "<tr style=\"\">";
   for ($i=0; $i < $NumFields; $i++)
   {
     $Table.= "<th>" . mysql_field_name($Result, $i) . "</th>"; 
   }
   $Table.= "</tr>";
   //Loop thru results
   $RowCt = 0; //Row Counter
   while($Row = mysql_fetch_assoc($Result))
   {
    //Loop thru each field
     foreach($Row as $field => $value)
     {
      if($field!='Action Taken')
      {
       $Table.= "<td>$value</td>";
      }
      elseif($field=='Action Taken')
      {
      $Table.='<td>
      <form method=post enctype=multipart/form-data action=Action/processor.php onSubmit="return validatePage1();">
 <li class="mainForm" id="fieldBox_1" style="list-style-type:none"><span>
   <label class=formFieldOption for="Action_option_1"><br>
     <input class=mainForm type=radio name=Action id=Action_option_3 value="Accepted" />
        Accepted<br>
      </label>
      <input class=mainForm type=radio name=Action id=Action_option_2 value="Rejected" />
      <label class=formFieldOption for="Action_option_2">Rejected</label>
 </span><span>
 <label class=formFieldOption for="Action_option_3">
      <br>
      <input class=mainForm type=radio name=Action id=Action_option_1 value="Accepted with Modification" />
      Accepted with Modification </label>
 </span></li>
 <li class="mainForm" style="list-style-type:none"></li>
 <li class="mainForm" style="list-style-type:none">
   <!-- end of this page -->
 
   <!-- next page buttons -->
   <input id="saveForm" class="mainForm" type="submit" value="Submit" />
   </li>
 </form>
    </td>';
      }
     }
     $Table.= "</tr>";
   }
    $Table.= "<tr style=\"background-color: #FFFFFF; color: #000000;\"><td colspan='$NumFields'>Query Returned " . mysql_num_rows($Result) . " records</td></tr>";    }    
    $Table.= "</table>";        
    return $Table;
    }
    //Call the function like this:
    echo SQLResultTable("SELECT * FROM reply");
?>
</p>
<p>&nbsp;</p>
<?php
include("../form.php");
?>
</body>
</html>

PHP Code:

<?php
$where_form_is="http://".$_SERVER['SERVER_NAME'].strrev(strstr(strrev($_SERVER['PHP_SELF']),"/"));
include("config.inc.php");
$link = mysql_connect($db_host,$db_user,$db_pass);
if(!$link) die ('Could not connect to database: '.mysql_error());
mysql_select_db($db_name,$link);
$query = "INSERT into `".$db_table."` (Action) VALUES ('" . $_POST['Action'] . "')";
mysql_query($query);
mysql_close($link);
?>

[misson]

[...]But now when I submit the form it inserts the entry in a new row.

Use UPDATE, not INSERT, to change an existing row.

Now my question is how can that HTML form identifies the sql row's id and force the processor file (i.e. the file which is updating the DB by processing the form) to modify the particular cell in the row in which the form resides.

See the above link for details, but the short answer is you use a 'WHERE id="$id"' clause in the UPDATE query.

HTML Code:

      <form method=post enctype=multipart/form-data action=Action/processor.php onSubmit="return validatePage1();">

Enclose all element attributes in double quotes. Technically it's not required, but it's always a good idea. For one thing, it will make transition to XHTML easier.

PHP Code:

[...]
$query = "INSERT into `".$db_table."` (Action) VALUES ('" . $_POST['Action'] . "')"; 


DO NOT PASS USER INPUT DIRECTLY TO A QUERY! You've just given a visitor complete control over your database. I'd say to use PDO, but X10Hosting doesn't offer it. If there is a specific set of actions, you can use an array to verify the action is valid. Example:

PHP Code:

$actions=array('accept' => 'accept', 'reject' => 'reject', 'modify' => 'modify', 'Accepted' => 'accept', 'Rejected' => 'reject', 'Accepted with Modification' => 'modify')
if (isset($actions[$_REQUEST['Action']])) {
    $action = $actions[$_REQUEST['Action']];
    $query = [...]
} else {
    // visitor is doing something naughty or there's a typo in the code
} 


Read the PHP manual page on SQL Injection for more info, particularly how to filter other field types.