Another In Place Editor - a jQuery edit in place plugin

Question

I'm trying to figure out how to get the changed value to submit to the database but so far ive not had much luck at all. any idea as to what i am doing wrong?

JS FILE:

$("#editme5").editInPlace({
    /*saving_animation_color: "#ECF2F8",
    callback: function(idOfEditor, enteredText, orinalHTMLContent, settingsParams, animationCallbacks) {
        animationCallbacks.didStartSaving();
        setTimeout(animationCallbacks.didEndSaving, 2000);
        return enteredText;
    },*/
    url: "server.php",
    params: "name=BUSINESS_NAME"
});

PHP FILE:

include('database.php');
$_GET['name'];
$_NAME=$_GET['name'];

$update = $_POST['update_value'];
$insert = "UPDATE CLIENTS SET ".$_NAME."='".$update."'";
mysql_query($insert) or die (mysql_error());

Answer 1

try using $_REQUEST which can help you capture both $_GET and $_POST request at the sample time ...

Try fixing SQL Injection holes with mysql_real_escape_string see http://php.net/manual/en/function.mysql-real-escape-string.php for more information

Thanks

Answer 2

Try changing:

include('database.php');
$_GET['name'];
$_NAME=$_GET['name'];

To:

include('database.php');
$_NAME=$_POST['name'];

The documentation says:

Once the in-place editor form is submitted, it sends a POST request to the URL that is specified in the editor’s parameters along with three form fields

By writing $_NAME=$_GET['name']; you were expecting the value come over a GET request, but the plugin sends the value using a POST request. That's what is the culprit here, I suppose.

Also, keep in mind what Marc B said in his comment. The code is very vunerable to SQL injection attacks. To make it less vunerable, use at least mysql_real_escape_string() (more: http://php.net/manual/pl/function.mysql-real-escape-string.php) or use prepared statements (a good tutorial: http://www.ultramegatech.com/2009/07/using-mysql-prepared-statements-in-php/).