0

I am working on JQuery Edit Table with PHP. I am posting the table name via a form in order to display the table and do in live modifcation. My issue is to re passing the tablename variable to the second php file (live_edit.php) to perform modifications.

Form.html ($_POST["tablename"]) => =>jedit.php => (live_edit.php, custom_edit_table.js)

My form.html

<form action="jedit.php" method="POST">
<input type="text" name="tablename" id="tablename"/>
<input type="submit" id="upload" name="upload" value="Submit"/>
</form>

jedit.php:

<html>
<head>
<title>Jquery Edit table</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js"></script>
<script type="text/javascript" src="jquery-tabledit-1.2.3/jquery.tabledit.js"></script>
<script type="text/javascript" src="custom_table_edit.js"></script>
</head>
<body>
<table id="data_table" class="table table-striped">
<thead>
<tr>
<th>Id</th>
<th>Coding</th>

</tr>
</thead>
<tbody>
<?php
require_once 'config.php';
$tablename=mysqli_real_escape_string($conn,$_POST['$tablename']);
$sql_query = 'SELECT id,Coding FROM '.$tablename.' LIMIT 10';
$resultset = mysqli_query($conn, $sql_query) or die("database error:". mysqli_error($conn));
while( $developer = mysqli_fetch_assoc($resultset) ) {
?>
<tr id="<?php echo $developer ['id']; ?>">
<td><?php echo $developer ['id']; ?></td>
<td><?php echo $developer ['Coding']; ?></td>

</tr>
<?php } ?>
</tbody>
</table>
</body>
</html>

live_edit.php:

<?php
include_once("config.php");
$tablename=mysqli_real_escape_string($conn,$_POST['tablename']);
$input = filter_input_array(INPUT_POST);
if ($input['action'] == 'edit') {
$update_field='';
if(isset($input['Coding'])) {
$update_field.= "Coding='".$input['Coding']."'";
} 
if($update_field && $input['id']) {
$sql_query = "UPDATE ".$tablename." SET $update_field WHERE id='" . $input['id'] . "'";
mysqli_query($conn, $sql_query) or die("database error:". mysqli_error($conn));
}
}
?>

custom_edit_table.js:

$(document).ready(function(){
$('#data_table').Tabledit({
deleteButton: false,
editButton: false,
columns: {
identifier: [0, 'id'],
editable: [[1, 'Coding']]
},
hideIdentifier: true,
url: 'live_edit.php'
});
});
user979974
  • 883
  • 3
  • 13
  • 32
  • this is a SQL Injection disaster waiting to happen... – ADyson Aug 06 '18 at 15:44
  • I will correct code for SQL injection. I am in a test environment – user979974 Aug 07 '18 at 07:14
  • Ok but one day presumably it will be in a live environment. Better to write it safely in the first place anyway, so you don't have to re-test it - if you make it "work", test and verify it, but then change it to reduce the risk of injection attacks, then you've changed fundamental things in the code and you need to re-test it all. Seems like a waste of time. Better to do it properly the first time, if you're aware of the issues. – ADyson Aug 07 '18 at 08:20
  • ya, mysqli_real_escape_string($conn,$_POST['...'] will correct SQL injections – user979974 Aug 07 '18 at 10:13
  • that's not proper parameterisation though. It doesn't prevent all kinds of attacks, although it's better than nothing. – ADyson Aug 07 '18 at 10:15

0 Answers0