    <td colspan = "5">
      <center>
        <form action = "addRecord.php">
          <input type = "hidden"
                 name = "tableName"
                 value = "$tableName">
          <input type = "submit"
                 value = "add a record"></form>
      </center>
    </td>
HERE;
  //append the closing tag rather than overwriting the table built so far
  $output .= "</table>\n";
  return $output;
} // end tToEdit
Look carefully at the forms for editing and deleting records. These forms contain hidden fields with the table name, key field name, and record number. This information will be used by subsequent functions to build a query specific to the record associated with that particular table row. Because these values travel in the form, they come back from the browser like any other input, and the receiving script must validate them rather than trust them.
Creating a Generic Form to Edit a Record
The table created in tToEdit() calls a program called editRecord.php. This program accepts a one-record query and prints out an HTML table based on the results of that query. The output of rToEdit() is shown in Figure 12.12.
The rToEdit() function produces a very simple HTML table. Every field has a corresponding textbox. The advantage of this approach is that it works with any table.
However, the use of this form is quite risky:
• The user should not be allowed to change the primary key, because that would edit some other record, which could have disastrous results.
• The operationID field is a foreign key reference. The only valid entries for this field are integers corresponding to records in the operation table. There is no way for the user to know which operation a particular integer refers to. Worse, she could enter any number (or any text) into the field. The results would be unpredictable, but almost certainly bad.
I fix these defects in the smartRToEdit() function coming up next, but begin by studying this simpler function, because smartRToEdit() is built on rToEdit().
FIGURE 12.12 The rToEdit function is simple but produces dangerous output.

function rToEdit ($query){
  //given a one-record query, creates a form to edit that record
  //works on any table, but allows direct editing of keys
  //use smartRToEdit instead if you can
  global $dbConn;
  $output = "";
  $result = mysql_query($query, $dbConn);
  $row = mysql_fetch_assoc($result);
  //get table name from field object
  $fieldObj = mysql_fetch_field($result, 0);
  //escape anything taken from the database before it goes into an attribute;
  //otherwise a stored value is emitted into the page as live markup
  $tableName = htmlspecialchars($fieldObj->table, ENT_QUOTES);
  $output = <<<HERE
<form action = "updateRecord.php"
      method = "post">
<input type = "hidden"
       name = "tableName"
       value = "$tableName">
<table border = 1>
HERE;
  foreach ($row as $col=>$val){
    $colEsc = htmlspecialchars($col, ENT_QUOTES);
    $valEsc = htmlspecialchars((string)$val, ENT_QUOTES);
    //append one row per field; every field gets a textbox, including the key
    $output .= <<<HERE
<tr>
  <th>$colEsc</th>
  <td>
    <input type = "text"
           name = "$colEsc"
           value = "$valEsc">
  </td>
</tr>
HERE;
  } // end foreach
  $output .= <<<HERE
<tr>
  <td colspan = 2>
    <center>
      <input type = "submit"
             value = "update this record">
    </center>
  </td>
</tr>
</table>
</form>
HERE;
  return $output;
} // end rToEdit
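The second bullet above asks for a control that lets the user pick an operation by name while the form posts the integer key. The book's fieldToList() does this but its source is not shown here, so the following is an added example of my own, not the book's code: a dropdown builder that reads the referenced table, preselects the current value, and escapes every value and label it emits. It runs offline against an in-memory SQLite database constructed in the block as a stand-in for the book's MySQL operation table; the names operation, operationID and name follow the naming convention the text states, and PDO is used in place of the mysql_* functions.

```php
<?php
// Added example, not the book's fieldToList(). Builds a <select> for a
// foreign-key column from the referenced table so the user sees names
// and the form posts integer keys. Offline: in-memory SQLite via PDO.

function fkSelect(PDO $db, string $refTable, string $fieldName, $currentVal): string {
    // Identifiers cannot be bound as parameters. Accept only plain names
    // (the book's convention) and backtick-quote them before interpolation.
    $ident = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!preg_match($ident, $refTable) || !preg_match($ident, $fieldName)) {
        throw new InvalidArgumentException('bad identifier');
    }
    $keyCol = $refTable . 'ID';   // convention: key of `operation` is `operationID`
    $rows = $db->query("SELECT `$keyCol` AS id, `name` AS label FROM `$refTable` ORDER BY `name`")
               ->fetchAll(PDO::FETCH_ASSOC);

    $html = '<select name="' . htmlspecialchars($fieldName, ENT_QUOTES, 'UTF-8') . '">' . "\n";
    foreach ($rows as $r) {
        $sel = ((string)$r['id'] === (string)$currentVal) ? ' selected' : '';
        // Escape both the value and the visible label: a name stored in the
        // database is untrusted output and would otherwise inject markup.
        $html .= '  <option value="' . htmlspecialchars((string)$r['id'], ENT_QUOTES, 'UTF-8') . '"'
               . $sel . '>' . htmlspecialchars((string)$r['label'], ENT_QUOTES, 'UTF-8') . "</option>\n";
    }
    return $html . "</select>\n";
}

// Constructed sample data standing in for the book's `operation` table.
// The third row shows why the label must be escaped.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE operation (operationID INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO operation (operationID, name) VALUES "
        . "(1, 'add'), (2, 'subtract'), (3, '<script>alert(1)</script>')");

// The book's foreign-key test: a column ending in ID names its table in $match[1].
if (preg_match("/(.*)ID$/", 'operationID', $match)) {
    echo fkSelect($db, $match[1], 'operationID', 2);
}
```

The dropdown removes the guesswork the bullet list complains about, but it constrains only the browser: a client can post any value for operationID, so the receiving script still has to confirm that the posted key exists in the operation table.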
Building a Smarter Edit Form
The smartRToEdit() function builds on the basic design of rToEdit() but compensates for a couple of major flaws in the rToEdit() design. Take a look at the smarter code:
function smartRToEdit ($query){
  //given a one-record query, creates a form to edit that record
  //Doesn't let user edit first (primary key) field
  //generates dropdown list for foreign keys
  //MUCH safer than ordinary rToEdit function
  // --restrictions on table design--
  //foreign keys MUST be named tableID where 'table' is table name
  // (because mySQL doesn't recognize foreign key indicators)
  // I also expect a 'name' field in any table used as a foreign key
  // (for same reason)
  global $dbConn;
  $output = "";
  $result = mysql_query($query, $dbConn);
  $row = mysql_fetch_assoc($result);
  //get table name from field object
  $fieldObj = mysql_fetch_field($result, 0);
  //escape database values before placing them in the markup
  $tableName = htmlspecialchars($fieldObj->table, ENT_QUOTES);
  $output = <<<HERE
<form action = "updateRecord.php"
      method = "post">
<input type = "hidden"
       name = "tableName"
       value = "$tableName">
<table border = 1>
HERE;
  $fieldNum = 0;
  foreach ($row as $col=>$val){
    $colEsc = htmlspecialchars($col, ENT_QUOTES);
    $valEsc = htmlspecialchars((string)$val, ENT_QUOTES);
    if ($fieldNum == 0){
      //it's primary key: don't make textbox,
      //but store value in hidden field instead
      //user shouldn't be able to edit primary keys
      //(a hidden field is still editable by the client, so the
      // receiving script must validate it like any other input)
      $output .= <<<HERE
<tr>
  <th>$colEsc</th>
  <td>$valEsc
    <input type = "hidden"
           name = "$colEsc"
           value = "$valEsc">
  </td>
</tr>
HERE;
    } else if (preg_match("/(.*)ID$/", $col, $match)) {
      //it's a foreign key reference
      // get table name (match[1])
      //create a listbox based on table name and its name field
      $valList = fieldToList($match[1], $col, $fieldNum, "name");
      $output .= <<<HERE
<tr>
  <th>$colEsc</th>
  <td>$valList</td>
</tr>
HERE;
    } else {
      //ordinary field: plain textbox
      $output .= <<<HERE
<tr>
  <th>$colEsc</th>
  <td>
    <input type = "text"
           name = "$colEsc"
           value = "$valEsc">
  </td>
</tr>
HERE;
    } // end if
    $fieldNum++;
  } // end foreach
  $output .= <<<HERE
<tr>
  <td colspan = 2>
    <center>
      <input type = "submit"
             value = "update this record">
    </center>
  </td>
</tr>
</table>
</form>
HERE;
  return $output;
} // end smartRToEdit
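Every hidden field, dropdown and textbox that rToEdit() and smartRToEdit() emit is under the client's control once it is posted back, so the protection smartRToEdit() adds is only as good as the checks in updateRecord.php, which the text does not show. The following is an added example of my own, not the book's updateRecord.php, of the server-side enforcement the receiving script needs: the posted tableName is a lookup key into an allow-list rather than an identifier spliced into SQL, the primary key is used only to select the row and is never written, foreign-key values are re-checked against the referenced table, and the UPDATE uses bound parameters. The schema (tables problem and operation) is constructed here and is an assumption, not the book's; it runs offline on in-memory SQLite via PDO and needs PHP 7.1 or later.

```php
<?php
// Added example, not the book's updateRecord.php: server-side checks for a
// post produced by smartRToEdit(). Offline: in-memory SQLite via PDO.

// Allow-list of what the generic editor may touch. The client-supplied
// tableName is only ever used as a lookup key into this array, and the
// column names interpolated into SQL below all come from here, never from
// the client. Table/column names are constructed for this example.
const EDITABLE = [
    'problem' => [
        'key'  => 'problemID',
        'cols' => ['operationID', 'text'],                           // user may change these
        'fks'  => ['operationID' => ['operation', 'operationID']],  // col => [table, keycol]
    ],
];

function applyUpdate(PDO $db, array $post): int {
    $table = $post['tableName'] ?? '';
    if (!isset(EDITABLE[$table])) {
        throw new RuntimeException("table not editable: $table");
    }
    $spec   = EDITABLE[$table];
    $keyCol = $spec['key'];

    // The hidden primary-key field selects the row; it is never SET.
    if (!isset($post[$keyCol]) || !ctype_digit((string)$post[$keyCol])) {
        throw new RuntimeException("missing or non-numeric key");
    }
    $keyVal = (int)$post[$keyCol];

    $sets = [];
    $params = [];
    foreach ($spec['cols'] as $col) {
        if (!array_key_exists($col, $post)) {
            continue;                       // field not posted: leave it unchanged
        }
        $val = $post[$col];
        if (isset($spec['fks'][$col])) {
            // A dropdown restricts only the browser; confirm the referenced
            // row exists before accepting the value.
            list($refTable, $refKey) = $spec['fks'][$col];
            if (!ctype_digit((string)$val)) {
                throw new RuntimeException("foreign key must be an integer: $col");
            }
            $chk = $db->prepare("SELECT 1 FROM `$refTable` WHERE `$refKey` = ?");
            $chk->execute([(int)$val]);
            if ($chk->fetchColumn() === false) {
                throw new RuntimeException("no such $refTable row: $val");
            }
            $val = (int)$val;
        }
        $sets[]   = "`$col` = ?";
        $params[] = $val;
    }
    if (!$sets) {
        return 0;
    }
    $params[] = $keyVal;
    $stmt = $db->prepare("UPDATE `$table` SET " . implode(', ', $sets) . " WHERE `$keyCol` = ?");
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed sample schema and data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE operation (operationID INTEGER PRIMARY KEY, name TEXT)");
$db->exec("CREATE TABLE problem (problemID INTEGER PRIMARY KEY, operationID INTEGER, text TEXT)");
$db->exec("INSERT INTO operation VALUES (1, 'add'), (2, 'subtract')");
$db->exec("INSERT INTO problem VALUES (7, 1, 'two plus two')");

// 1. What smartRToEdit()'s form legitimately posts.
echo applyUpdate($db, ['tableName' => 'problem', 'problemID' => '7',
                       'operationID' => '2', 'text' => 'five minus three']), " row updated\n";

// 2. Forged posts that hidden fields and dropdowns cannot prevent.
foreach ([
    ['tableName' => 'sqlite_master', 'name' => 'x'],                                   // unknown table
    ['tableName' => 'problem', 'problemID' => '7', 'operationID' => '99'],             // dangling foreign key
    ['tableName' => 'problem', 'problemID' => '7; DROP TABLE problem', 'text' => 'x'], // non-numeric key
] as $forged) {
    try {
        applyUpdate($db, $forged);
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
```

The allow-list is the part that makes the generic editor safe to expose: with it, a forged tableName can at most name a table you already decided is editable, and a forged column name is simply ignored because only listed columns are ever read from the post. Against MySQL the same code works with a PDO MySQL connection string in place of the SQLite one.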