
PHP 5/MySQL Programming - P88 doc


DOCUMENT INFORMATION

Basic information

Format
Pages: 5
Size: 98.29 KB

Contents

    <td colspan = "5">
      <center>
        <form action = "addRecord.php">
          <input type = "hidden" name = "tableName" value = "$tableName">
          <input type = "submit" value = "add a record">
        </form>
      </center>
    </td>

HERE;
    $output .= "</table>\n";
    return $output;
} // end tToEdit

Look carefully at the forms for editing and deleting records. These forms contain hidden fields with the table name, key field name, and record number. This information will be used by subsequent functions to build a query specific to the record associated with that particular table row.

Creating a Generic Form to Edit a Record

The table created in tToEdit() calls a program called editRecord.php. This program accepts a one-record query. It prints out an HTML table based on the results of that query. The output of rToEdit() is shown in Figure 12.12.

[Figure 12.12: The rToEdit function is simple but produces dangerous output.]

The rToEdit function produces a very simple HTML table. Every field has a corresponding textbox. The advantage of this approach is that it works with any table. However, the use of this form is quite risky.

• The user should not be allowed to change the primary key, because that would edit some other record, which could have disastrous results.

• The operationID field is a foreign key reference. The only valid entries to this field are integers corresponding to records in the operation table. There's no way for the user to know what operation a particular integer is related to. Worse, she could enter any number (or any text) into the field. The results would be unpredictable, but almost certainly bad.

I fix these defects in the smartRToEdit() function coming up next, but begin by studying this simpler function, because smartRToEdit() is built on rToEdit().

function rToEdit ($query){
    //given a one-record query, creates a form to edit that record
    //works on any table, but allows direct editing of keys
    //use smartRToEdit instead if you can
    global $dbConn;
    $output = "";
    $result = mysql_query($query, $dbConn);
    $row = mysql_fetch_assoc($result);

    //get table name from field object
    $fieldObj = mysql_fetch_field($result, 0);
    $tableName = $fieldObj->table;

    $output .= <<<HERE
<form action = "updateRecord.php" method = "post">
<input type = "hidden" name = "tableName" value = "$tableName">
<table border = 1>

HERE;

    foreach ($row as $col=>$val){
        $output .= <<<HERE
<tr>
  <th>$col</th>
  <td>
    <input type = "text" name = "$col" value = "$val">
  </td>
</tr>

HERE;
    } // end foreach

    $output .= <<<HERE
<tr>
  <td colspan = 2>
    <center>
      <input type = "submit" value = "update this record">
    </center>
  </td>
</tr>
</table>
</form>

HERE;
    return $output;
} // end rToEdit

Building a Smarter Edit Form

The smartRToEdit() function builds on the basic design of rToEdit() but compensates for a couple of major flaws in the rToEdit() design.

Take a look at the smarter code:

function smartRToEdit ($query){
    //given a one-record query, creates a form to edit that record
    //Doesn't let user edit first (primary key) field
    //generates dropdown list for foreign keys
    //MUCH safer than ordinary rToEdit function

    // --restrictions on table design--
    //foreign keys MUST be named tableID where 'table' is table name
    // (because mySQL doesn't recognize foreign key indicators)
    // I also expect a 'name' field in any table used as a foreign key
    // (for same reason)
    global $dbConn;
    $output = "";
    $result = mysql_query($query, $dbConn);
    $row = mysql_fetch_assoc($result);

    //get table name from field object
    $fieldObj = mysql_fetch_field($result, 0);
    $tableName = $fieldObj->table;

    $output .= <<<HERE
<form action = "updateRecord.php" method = "post">
<input type = "hidden" name = "tableName" value = "$tableName">
<table border = 1>

HERE;

    $fieldNum = 0;
    foreach ($row as $col=>$val){
        if ($fieldNum == 0){
            //it's primary key. don't make textbox,
            //but store value in hidden field instead
            //user shouldn't be able to edit primary keys
            $output .= <<<HERE
<tr>
  <th>$col</th>
  <td>$val
    <input type = "hidden" name = "$col" value = "$val">
  </td>
</tr>

HERE;
        } else if (preg_match("/(.*)ID$/", $col, $match)) {
            //it's a foreign key reference
            // get table name (match[1])
            //create a listbox based on table name and its name field
            $valList = fieldToList($match[1], $col, $fieldNum, "name");
            $output .= <<<HERE
<tr>
  <th>$col</th>
  <td>$valList</td>
</tr>

HERE;
        } else {
            $output .= <<<HERE
<tr>
  <th>$col</th>
  <td>
    <input type = "text" name = "$col" value = "$val">
  </td>
</tr>

HERE;
        } // end if
        $fieldNum++;
    } // end foreach

    $output .= <<<HERE
<tr>
  <td colspan = 2>
    <center>
      <input type = "submit" value = "update this record">
    </center>
  </td>
</tr>
</table>
</form>

HERE;
    return $output;
} // end smartRToEdit
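As an added example, not the book's code, here is a database-free version of the smartRToEdit() idea written for current PHP. It takes the row as an array, so it runs without the legacy mysql_* extension (removed in PHP 7); it passes every column name and value through htmlspecialchars() before it lands in the form, which the book's version does not do; and it renders foreign-key columns from an options array instead of the book's fieldToList() helper, which this excerpt does not show. The names h(), renderForeignKeySelect(), buildEditForm(), the "problem" table and the sample row are assumptions made for this example. The hidden primary key and tableName fields are still sent by the browser and can be changed there, so updateRecord.php has to check them against what it expects before building any SQL; hiding a field keeps it out of the form, not out of the request.

```php
<?php
// Added example, not the book's code. A version of smartRToEdit() that:
//  - takes the row as an array (no mysql_* calls, so it runs on PHP 7/8)
//  - escapes every column name and value with htmlspecialchars()
//  - shows the first column (primary key) read-only, as the book does
//  - renders columns named <table>ID as dropdowns (the book's naming rule)

// Escape one value for use as HTML text or inside a quoted attribute.
function h($s) {
    return htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
}

// Render a <select> for a foreign-key column. $options maps id => label;
// the book fills this from the referenced table's 'name' field through
// fieldToList(), which this excerpt does not show, so it is passed in here.
function renderForeignKeySelect($col, array $options, $selected) {
    $out = '<select name="' . h($col) . '">' . "\n";
    foreach ($options as $id => $label) {
        $sel = ((string)$id === (string)$selected) ? ' selected' : '';
        $out .= '  <option value="' . h($id) . '"' . $sel . '>' . h($label) . "</option>\n";
    }
    return $out . "</select>\n";
}

// Build the edit form for one record (hypothetical helper name).
function buildEditForm($tableName, array $row, array $foreignKeyOptions = array()) {
    $out  = '<form action="updateRecord.php" method="post">' . "\n";
    // tableName travels in a hidden field exactly as in the book; the browser
    // can still change it, so updateRecord.php must compare it with the list
    // of tables it is allowed to touch before building any SQL.
    $out .= '<input type="hidden" name="tableName" value="' . h($tableName) . '">' . "\n";
    $out .= '<table border="1">' . "\n";
    $fieldNum = 0;
    foreach ($row as $col => $val) {
        $out .= '<tr><th>' . h($col) . '</th><td>';
        if ($fieldNum == 0) {
            // primary key: display it and send it back, but no textbox
            $out .= h($val) . '<input type="hidden" name="' . h($col) . '" value="' . h($val) . '">';
        } elseif (preg_match('/(.*)ID$/', $col, $m) && isset($foreignKeyOptions[$m[1]])) {
            // foreign key: limit the user to ids that exist in the referenced table
            $out .= renderForeignKeySelect($col, $foreignKeyOptions[$m[1]], $val);
        } else {
            $out .= '<input type="text" name="' . h($col) . '" value="' . h($val) . '">';
        }
        $out .= "</td></tr>\n";
        $fieldNum++;
    }
    $out .= '<tr><td colspan="2"><input type="submit" value="update this record"></td></tr>' . "\n";
    $out .= "</table>\n</form>\n";
    return $out;
}

// Constructed sample row, shaped like what mysql_fetch_assoc() returns.
// The 'answer' value holds markup on purpose: rToEdit() would paste it
// straight into the form; here it is rendered as harmless text.
$row = array(
    'problemID'   => 7,
    'problem'     => '3 + 4',
    'operationID' => 1,
    'answer'      => '"><b>injected</b>',
);
$foreignKeys = array('operation' => array(1 => 'add', 2 => 'subtract'));
echo buildEditForm('problem', $row, $foreignKeys);
```

Run it from the command line with php and inspect the output: the operationID row becomes a dropdown with "add" selected, the problemID row has no textbox, and the quote in the answer value appears as &quot; rather than closing the attribute. If a column ends in ID but no options were supplied for that table, the function falls back to a plain textbox rather than failing, which keeps it usable with any table, the property the book values in rToEdit().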

Posted: 07/07/2014, 03:20