Dave's Edit User

[Royal Guardian]

Hey MWG, I am here with a big request which is for someone to re-code the script for me. Much secure and efficient.

I tried re-coding it myself however, I am failing with many errors. And it looks like a complete mess.

Error at the moment -

QUERY ERROR: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
Query was SELECT * FROM `users` WHERE `userid` =

 

 

<?php
require_once('sglobals.php');

echo "<h3><u>Edit User</u></h3>";

   $_POST['userid'] = 
           array_key_exists('userid', $_POST) && ctype_digit($_POST['userid']) 
                   ? $_POST['userid'] : '';
   $_POST['ID'] = 
           array_key_exists('ID', $_POST) && ctype_digit($_POST['ID']) 
                   ? $_POST['ID'] : '';
   $_GET['ID'] = 
           array_key_exists('ID', $_GET) && ctype_digit($_GET['ID']) 
                   ? $_GET['ID'] : '';

  if(!isset($_POST['ID'])) {
   foreach($_POST as $k => $v) {
       $db->query("UPDATE `users` SET " . $k . " = '" . $v . "' WHERE `userid` = " . $_POST['userid']);
   }
   stafflog_add("Edited {$_POST['userid']}");
   confirmation("Edited {$_POST['userid']}");
}
if(!$_GET['ID'] AND !$_POST['userid']) {
   echo "Please select the user you wish to edit below.<br/>Some of the edit fields have been disabled and hidden to protect certain details about the user.
   <table width = '70%' class = 'table' cellpadding = '5' cellspacing = '1'>
       <tr>
           <th width = '50%'>Userid</th>
           <th width = '50%'>Username</th>
       </tr>
       <tr>
           <td style = 'text-align: center;'>
               <form action = '" . basename($_SERVER['SCRIPT_FILENAME']) . "' method = 'GET'>
               <input type = 'text' name = 'ID'>
               <input type = 'submit' value = 'Edit'>
               </form>
           </td>
           <td style = 'text-align: center;'>
               <form action = '" . basename($_SERVER['SCRIPT_FILENAME']) . "' method = 'GET'>
               " . user_dropdown($c, 'ID') . "
               <input type = 'submit' value = 'edit'>
               </form>
           </td>
       </tr>
   </table>";
}
function showTable($variable) {
   if ($variable === true) {
       return 'true';
   } else if ($variable === false) {
       return 'false';
   } else if ($variable === null) {
       return 'null';
   } else if (is_array($variable)) {
       $html = "<table width = '80%' class = 'table' cellpadding = '5' cellspacing = '1' style = 'text-align: left;'>
       <tr><th colspan = '2'>Currently editing user " . $variable['username'] . " [" . $_GET['ID'] . "] <div style = 'float: right;'><a href ='staff_edituser.php'>>Go Back</a></div></th></tr>
       <tr><th width = '20%' style = 'text-align: left;'>Field</th><th style = 'text-align: left;'>Value</th></tr>";
       foreach ($variable as $key => $value) {
           $value = showTable($value);
           $hide = array('userpass','pass_salt','profile_signature','user_notepad','forums_signature','user_level','login_name');
           if(!in_array($key, $hide)) {
               $html .= "<tr><td style='text-align: left;'>" . ucfirst($key) . "</td>
               <td style='text-align: left;'>
                   <input type='text' name='".$key."' value='".$value."' size='70'>
               </td></tr>";
           }
       }
       return $html;
   } else {
       return strval($variable);
   }
}

$ro = $db->query("SELECT * FROM `users` WHERE `userid` = " . $_GET['ID']);
if(!$db->num_rows($ro)) {
error("No users found");
}
$r = $db->fetch_row($ro);

echo "<form action='staff_edituser.php' method='post'>";
echo showTable($r);
echo "<tr><td colspan = '2'><input type='submit' value='Save new settings'></td></tr></form>
</table>";
$h->endpage();
?>

[KyleMassacre]

Your error is because you are not $_POSTing a key named ID. If you notice, when you select your user it is using $_GET. You are in fact posting the userid though.