<?php include 'database.php'; ?>
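<?php
// Updates one existing row of the `weather` table, selected by the posted
// `id`, with the values posted from the edit form. Every column is
// overwritten whether or not the user changed it.
//
// Security notes:
//  * Column values are bound to a prepared statement, so they are NOT run
//    through mysqli_real_escape_string(): escaping a value that is then bound
//    as a parameter stores literal backslashes in the database (double
//    escaping). Escape for the output context (htmlspecialchars() for HTML)
//    when the values are displayed, not on the way in.
//  * strip_tags() is kept only because the original script refused HTML in
//    stored values; it is not an XSS defence and does not replace output
//    escaping.
//  * NOTE(review): no authentication, authorization or CSRF check is visible
//    in this file, so any client that can POST here can rewrite any row.
//    Confirm that database.php or a front controller enforces it.
//
// `id` must be a positive integer. A missing, non-numeric or array value
// (e.g. id[]=1) is rejected instead of being coerced to 0 by the driver.
$id = isset($_POST['id'])
    ? filter_var($_POST['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]])
    : false;

// `name` is not stored; it is presumably the form's submit field and is kept
// as the "form was submitted" sentinel the original script checked.
if ( $id !== false && isset($_POST['name']) ) {
    // Reads one form field: a missing or non-string field is bound as SQL
    // NULL; HTML tags are removed as in the original script.
    $field = function ($key) {
        if (!isset($_POST[$key]) || !is_string($_POST[$key])) {
            return null;
        }
        return strip_tags($_POST[$key]);
    };
    $month            = $field('month');
    $day              = $field('day');
    $year             = $field('year');
    $location         = $field('location');
    $temperature_high = $field('temperature_high');
    $temperature_low  = $field('temperature_low');
    $conditions       = $field('conditions');
    $rainfall         = $field('rainfall');

    // Kept from the original script, which set the timezone for a timestamp
    // it never used; the (unused) timestamp is gone, the side effect stays in
    // case later code relies on it.
    date_default_timezone_set('America/New_York');

    // The prepared statement - the question marks are placeholders for the
    // values bound below; user data is never interpolated into the SQL text.
    $query = "UPDATE weather SET month = ?,
        day = ?,
        year = ?,
        location = ?,
        temperature_high = ?,
        temperature_low = ?,
        conditions = ?,
        rainfall = ?
        WHERE id = ?";

    $ok = false;
    if ( $stmt = mysqli_prepare($conn, $query) ) {
        // Bind in placeholder order, id last. The 9 type characters must
        // match the 9 placeholders: 's' for the eight string columns and
        // 'i' for the integer id (i - integer, s - string, d - double,
        // b - blob).
        mysqli_stmt_bind_param($stmt, 'ssssssssi',
            $month,
            $day,
            $year,
            $location,
            $temperature_high,
            $temperature_low,
            $conditions,
            $rainfall,
            $id
        );
        $ok = mysqli_stmt_execute($stmt);
        if (!$ok) {
            // Driver errors go to the server log only; never echo them to
            // the client, they reveal schema and query details.
            error_log('update.php: execute failed: ' . mysqli_stmt_error($stmt));
        }
        mysqli_stmt_close($stmt);
    } else {
        error_log('update.php: prepare failed: ' . mysqli_error($conn));
    }
    mysqli_close($conn);
    if (!$ok) {
        echo "Failed to update the listing!";
    }
} else {
    echo "Failed to update the listing!";
}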
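// Strips HTML tags from $var and escapes it for direct interpolation into an
// SQL string literal sent over $conn.
//
// Use this ONLY for values that are concatenated into SQL text. Do NOT apply
// it to values bound to a prepared statement: the driver already quotes bound
// parameters, and escaping first stores literal backslashes in the database.
// strip_tags() is an input-trimming choice, not an output-escaping step; HTML
// output still needs htmlspecialchars() at render time.
//
// $conn - open mysqli connection (its charset drives the escaping)
// $var  - raw value; cast to string first so strip_tags() and
//         mysqli_real_escape_string() are never handed null (deprecated
//         since PHP 8.1); the result for null/ints is unchanged
// returns the tag-stripped, SQL-escaped string
function sanitizeMySQL($conn, $var) {
    $stripped = strip_tags((string) $var);
    return mysqli_real_escape_string($conn, $stripped);
}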
?>