用户丢失文本区域的焦点时，如何在mysql中更新表？

Question

I want users of my site to be able to update their profile information by clicking into a textarea. When they type in some text and click out of the text area (on blur), I want this to update a table in my database called 'bio'.

I have been working on this for several days, I'm ashamed to admit but I am really new to php and sql so I am learning as I go along. I have tried to make sense of a script but it's probably completely wrong. Can someone please advise me of what I need to do?

Here's my code:

 <textarea id="bio" style="width: 456px; 
    margin-top:3px;
    text-align:left;
    margin-left:-2px;
    height: 120px;
    resize: none; 
    border: hidden;" textarea name="bio" data-id="bio">
    <?php echo $profile['bio'] ?>
  </textarea>

  <script type="text/javascript">

    $('textarea').on('blur',function () {
        var bioVal = $(this).val(), 
            id = $(this).data('id');        

        $.ajax({
             type: "POST",
             url: "includes/changebio.php",
             data: {bio:bioVal , id:id},
             success: function(msg) {
                 $('#bio-' + id).val(msg);
             }
       })
    });

  </script>

Here's the url php file that should do the work:

function update_profilebio() {
            global $connection;
            global $profile_id;
            $query = "UPDATE ptb_profiles
                      SET bio=''
                        WHERE ptb_profiles.user_id = \"$profile_id\"
                        AND ptb_profiles.user_id = ptb_users.id";
            $update_profilebio_set = mysql_query($query, $connection);
            confirm_query($update_profilebio_set);
            return $update_profilebio_set;

            }

Answer 1

I checked HTML+JavaScript code and AJAX POST request is sending data correctly to the PHP script (You may check this in Chrome Developer Tools or with Firebug add-on).

This changebio.php script has only definition of this update_profilebio() function ? Definition alone won't execute this function, you need to call it.

<?php
    update_profilebio(); // tells php to call the function, defined below

    function update_profilebio() {
        global $connection;
        global $profile_id;
        $query = "UPDATE ptb_profiles
                  SET bio=''
                    WHERE ptb_profiles.user_id = \"$profile_id\"
                    AND ptb_profiles.user_id = ptb_users.id";
        $update_profilebio_set = mysql_query($query, $connection);
        confirm_query($update_profilebio_set);
        return $update_profilebio_set;
    } 
?>

Also, SQL query has two conditions and I don't understand this part "...AND ptb_profiles.user_id = ptb_users.id ". You update only one column in one table, the only thing you need is user id which you provide in first where condition.

Answer 2

Your HTML + jQuery code looks ok, just cheng php output <?php echo $profile['bio'] ?> by adding htmlspecialchars , that will help you avoid some trouble

<?php echo htmlspecialchars($profile['bio']); ?>

The thing that fails in your code is SQL query; you are setting bio to empty text. Also you have condition on matching user_id with other table id, but you have not joined this table in your query. Just requiring user_id to be equal to given integer is enough. Also remember to escape user input properly, to prevent them from injecting malicious code into your database.

SQL should look like this:

$bio = mysql_real_escape_string($_POST['bio']);

$query = "
UPDATE 
   ptb_profiles 
SET 
   bio='{$bio}'
WHERE
   ptb_profiles.user_id = " . intval($profile_id);

Answer 3

You got your quoting wrong, try something like this

 $query = "UPDATE ptb_profiles SET bio='".$_REQUEST['bio']."'
           WHERE ptb_profiles.user_id = ".$profile_id;

SQL usually uses single quotes, PHP uses both.