Forums

The forums ran from 2008-2020 and are now closed and viewable here as an archive.

Back End: Create a condition between SAVE and SAVE&PUBLISH

  • #44144
    ajnoguerra
    Participant

    Hi guys. I seem to have had a tangled mind these past few days with my project. I’m trying to build a custom CMS and I am up to the point of creating posts for website pages.

    I have two (2) buttons -> ‘**SAVE**’ and ‘**SAVE & PUBLISH**’.
    The SAVE button will submit my form fields to the database but _not_ put the number 1 in the publish field, so it won’t be processed as published, while SAVE & PUBLISH will do the same but _will put_ the number 1 in the publish field so it will be processed as published.

    How do I build a condition with this without probably messing up my code?
    I know this comes with a little tweaking.
    Please see my current code.

```php
// CHECK IF THE FORM WAS SUBMITTED
if (isset($_POST)) {                          // (submit-button index missing in the archive)

    $title       = $_POST;                    // (array index missing in the archive)
    $editor_data = $_POST['editor1'];
    $format      = $_POST['format'];
    $page        = $_POST;                    // (array index missing in the archive)

    // IF FORM WAS SUBMITTED, CHECK IF THERE ARE ERRORS
    $errors = array();
    if (empty($title) === true) {
        $errors[] = "You forgot to add a Title";
    }
    if (empty($editor_data) === true) {
        $errors[] = "You forgot to add a Content";
    }
    if (empty($format) === true) {
        $errors[] = "Please choose a title format";
    }
    if (empty($page) === true) {
        $errors[] = "Please choose a Page";
    }

    // IF THE ERROR ARRAY IS EMPTY THEN PROCESS THE FORM
    if (empty($errors) === true) {

        switch ($format) {
            case "1":
                // heading markup around the title did not survive the archive
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "2":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "3":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "4":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "5":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "6":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            default:
                $post_title = $title;
        } // end of switch

        // current time zone
        date_default_timezone_set('Asia/Manila');
        $date      = date('Y-m-d');
        $date_time = date('Y-m-d H:i:s');

        // INSERT VALUES FROM FORM TO THE DATABASE TABLE
        mysql_query("INSERT INTO posts (`post_title`, `post_content`, `post_page`, `date_posted`) VALUES ('$post_title', '$editor_data', '$page', '$date_time')");

    // IF ERROR ARRAY IS NOT EMPTY, OUTPUT ERRORS!
    } else if (empty($errors) === false) {
        // output errors
        echo output_errors($errors);
    } // end of else if errors

} // end of isset submit
```

    #131911
    __
    Participant

    The most straightforward approach would be to use the value of the submit button (I’m assuming “Save” and “Save & Publish” are the submit buttons) to decide whether or not to toggle the `publish` field.



```php
// . . .
$publish = ($_POST === "Save & Publish") ? 1 : 0;   // (submit-button index missing in the archive)
```

    …then insert `$publish` into your `publish` field.

    #131912
    ajnoguerra
    Participant

    I was hoping that you’d answer my question, I know you’re great with this :) Here’s what I got @traq.

```php
// CHECK IF THE FORM WAS SUBMITTED
if (isset($_POST)) {                          // (submit-button index missing in the archive)
    $title       = $_POST;                    // (array index missing in the archive)
    $editor_data = $_POST['editor1'];
    $format      = $_POST['format'];
    $page        = $_POST;                    // (array index missing in the archive)

    // IF FORM WAS SUBMITTED, CHECK IF THERE ARE ERRORS
    $errors = array();
    if (empty($title) === true) {
        $errors[] = "You forgot to add a Title";
    }
    if (empty($editor_data) === true) {
        $errors[] = "You forgot to add a Content";
    }
    if (empty($format) === true) {
        $errors[] = "Please choose a title format";
    }
    if (empty($page) === true) {
        $errors[] = "Please choose a Page";
    }

    // IF THE ERROR ARRAY IS EMPTY THEN PROCESS THE FORM
    if (empty($errors) === true) {

        switch ($format) {
            case "1":
                // heading markup around the title did not survive the archive
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "2":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "3":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "4":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "5":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "6":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            default:
                $post_title = $title;
        } // end of switch

        // current time zone
        date_default_timezone_set('Asia/Manila');
        $date      = date('Y-m-d');
        $date_time = date('Y-m-d H:i:s');

        // insert values from form to server
        mysql_query("INSERT INTO posts (`post_title`, `post_content`, `post_page`, `date_posted`) VALUES ('$post_title', '$editor_data', '$page', '$date_time')");

    // IF ARRAY ERROR IS NOT EMPTY, OUTPUT ERRORS!
    } else if (empty($errors) === false) {
        // output errors
        echo output_errors($errors);
    } // end of else if errors

} else if (isset($_POST)) {                   // (publish-button index missing in the archive)
    $title       = $_POST;                    // (array index missing in the archive)
    $editor_data = $_POST['editor1'];
    $format      = $_POST['format'];
    $page        = $_POST;                    // (array index missing in the archive)

    // IF FORM WAS SUBMITTED, CHECK IF THERE ARE ERRORS
    $errors = array();
    if (empty($title) === true) {
        $errors[] = "You forgot to add a Title";
    }
    if (empty($editor_data) === true) {
        $errors[] = "You forgot to add a Content";
    }
    if (empty($format) === true) {
        $errors[] = "Please choose a title format";
    }
    if (empty($page) === true) {
        $errors[] = "Please choose a Page";
    }

    // IF THE ERROR ARRAY IS EMPTY THEN PROCESS THE FORM
    if (empty($errors) === true) {

        switch ($format) {
            case "1":
                // heading markup around the title did not survive the archive
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "2":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "3":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "4":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "5":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            case "6":
                $post_title = "\n\n" . $title . "\n\n";
                break;
            default:
                $post_title = $title;
        } // end of switch

        // current time zone
        date_default_timezone_set('Asia/Manila');
        $date      = date('Y-m-d');
        $date_time = date('Y-m-d H:i:s');

        // insert values from form to server
        mysql_query("INSERT INTO posts (`post_title`, `post_content`, `post_page`, `date_posted`, `publish`) VALUES ('$post_title', '$editor_data', '$page', '$date_time', '1')");

    // IF ARRAY ERROR IS NOT EMPTY, OUTPUT ERRORS!
    } else if (empty($errors) === false) {
        // output errors
        echo output_errors($errors);
    } // end of else if errors
} // end of isset publish
```

    But it’s too long…

    #131914
    __
    Participant

    I’d recommend changing your form to give “Save” and “Save & Publish” the same `name` (with different `value`s, of course), so you don’t have to have separate checks for them.

    See the code I originally posted for an example and let me know if you need any further explanation.

    There are other important things I’d like to point out in that code, but it’s bedtime where I live – look for another post tomorrow : )

    #132024
    __
    Participant

    okay…

    *****

```php
$title = $_POST;
// . . .
"INSERT INTO posts … VALUES('$post_title' …
```

    First and foremost, **never put user-supplied data directly into SQL**. Your current code is wide-open to SQL injection attacks (worst case) and any number of SQL errors (best case).

    **Always** (always, always):

    1) *Validate*. Make sure the info you got is the info you expected. If you asked for a name, don’t accept submissions with HTML. If you asked for an email address, don’t accept submissions with tabs or line breaks. If you asked for a number, don’t accept any non-digit characters.

    Perhaps the most important thing is, when you have form fields with a known set of values (e.g., a set of checkboxes or a drop-down menu), then the submitted value must be one of those *exact* values. Don’t “fix” anything. If you had a checkbox for “yes” or “no” and the word “green” came back, that means someone is messing around with your form. **Throw the whole thing away**. Ignore it completely: don’t even give an error message. If you are keeping track of your users, that user needs to be permanently banned.

    2) *Sanitize*. When putting data into SQL statements, you need to make sure MySQL treats your data *as data*. This is where functions like `real_escape_string` come in; to make sure names like `O'Brien` or `Smith' OR 1=1--` don’t cause any problems.

    Something else you need to consider: this appears to be a form for posting comments/articles, correct? You need to validate what sort of HTML you allow. Allowing *any* HTML (i.e., not checking) means that users basically have free rein on your website – they can add HTML, CSS or JavaScript at will. There are serious [XSS risks](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)) here.

    *****

    Next, [ext/mysql (all `mysql_*()` functions) is **deprecated**](http://php.net/manual/en/intro.mysql.php) and should not be used in new code. For performance and security reasons, you should take the time to update any existing code to use [ext/mysql**i** or PDO](http://php.net/manual/en/mysqlinfo.api.choosing.php) as well.

    *****

    date_default_timezone_set(‘Asia/Manila’);

    I know you want dates/times in your local time, but make sure that your DB is using the same time zone. If you use one timezone and MySQL uses another, you’ll have corrupt data. It is *almost always* best to use UTC time *everywhere* and convert to local times when necessary.

    *****

```php
//insert values from form to server
mysql_query("INSERT INTO posts (`post_title`, `post_content`, `post_page`, `date_posted`) VALUES ('$post_title', '$editor_data', '$page', '$date_time')");
```

    You should check if this actually worked or not.
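
What the two replies above describe, one handler keyed on the submit button's value (the #131911 suggestion) plus exact-match validation, a prepared statement, UTC timestamps and a checked insert (this post), as an added example written for this page; it is not code from the thread or from ajnoguerra's CMS. It assumes a form whose two buttons share `name="action"` with the values `save` and `publish`, a `posts` table with the thread's columns plus an assumed `title_format` column, an assumed fixed list of page slugs, an open mysqli connection in `$db`, and the thread's own `output_errors()` helper.

```php
<?php
// Added example, not code from the thread. Assumed form markup:
//   <button type="submit" name="action" value="save">Save</button>
//   <button type="submit" name="action" value="publish">Save &amp; Publish</button>
// Assumed schema: posts(post_title, post_content, post_page, title_format, date_posted, publish)
// Assumed: $db is an open mysqli connection; output_errors() is the thread's helper.

// Exact-match allowlists for every field with a known set of values.
const ALLOWED_ACTIONS = array('save' => 0, 'publish' => 1); // button value => publish flag
const ALLOWED_FORMATS = array('1', '2', '3', '4', '5', '6');
const ALLOWED_PAGES   = array('home', 'about', 'contact');  // assumed page slugs

/**
 * Validate the submitted form.
 * Returns ['status' => 'ok', 'data' => [...]] on success,
 *         ['status' => 'error', 'errors' => [...]] for honest user mistakes, and
 *         ['status' => 'tampered'] when a fixed-choice field carries a value the
 *         form never offered (someone edited the request by hand).
 */
function validate_post(array $post): array
{
    $action = $post['action'] ?? null;
    $format = $post['format'] ?? null;
    $page   = $post['page']   ?? null;

    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)
        || !is_string($format) || !in_array($format, ALLOWED_FORMATS, true)
        || !is_string($page)   || !in_array($page, ALLOWED_PAGES, true)) {
        return array('status' => 'tampered');
    }

    // Free-text fields: arrays or missing values become empty strings.
    $title   = is_string($post['title'] ?? null)   ? trim($post['title'])   : '';
    $content = is_string($post['editor1'] ?? null) ? trim($post['editor1']) : '';

    $errors = array();
    if ($title === '') {
        $errors[] = 'You forgot to add a Title';
    } elseif (preg_match('/[<>]/', $title) || mb_strlen($title) > 200) {
        $errors[] = 'The title must be plain text of at most 200 characters';
    }
    if ($content === '') {
        $errors[] = 'You forgot to add Content';
    }
    if ($errors) {
        return array('status' => 'error', 'errors' => $errors);
    }

    return array('status' => 'ok', 'data' => array(
        'title'   => $title,
        'content' => $content,
        'page'    => $page,
        'format'  => (int) $format,
        'publish' => ALLOWED_ACTIONS[$action],
    ));
}

/**
 * Insert with a prepared statement: the values never become part of the SQL
 * text, so a title like O'Brien or Smith' OR 1=1-- is stored literally.
 * Returns the new row id.
 */
function insert_post(mysqli $db, array $d): int
{
    $sql = 'INSERT INTO posts (post_title, post_content, post_page, title_format, date_posted, publish)'
         . ' VALUES (?, ?, ?, ?, ?, ?)';
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // UTC in the database; convert to Asia/Manila only when rendering.
    $when = (new DateTimeImmutable('now', new DateTimeZone('UTC')))->format('Y-m-d H:i:s');
    $stmt->bind_param('sssisi', $d['title'], $d['content'], $d['page'], $d['format'], $when, $d['publish']);
    if (!$stmt->execute()) {                   // the "did it actually work" check
        throw new RuntimeException('insert failed: ' . $stmt->error);
    }
    return (int) $db->insert_id;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_post($_POST);
    if ($result['status'] === 'ok') {
        $id = insert_post($db, $result['data']);
        echo $result['data']['publish'] ? "Published post $id" : "Saved draft $id";
    } elseif ($result['status'] === 'error') {
        echo output_errors($result['errors']);
    }
    // 'tampered': deliberately no output at all, as the post above advises.
}
```

Because the button value is the only thing that differs between the two branches of the thread's code, the whole duplicated block collapses into one path with a `publish` flag of 0 or 1. The title is stored as plain text and the chosen format number goes in its own column, so the heading markup is applied in the template at render time instead of being concatenated into the stored title; that also keeps user text out of the markup entirely.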
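
The allowlist check the post above calls for on the editor content, as an added example and not code from the thread: everything not explicitly permitted is stripped, including event-handler attributes and `javascript:` links. The tag, attribute and URL-scheme lists are assumptions chosen for illustration; PHP's bundled DOMDocument does the parsing so that the filter works on the element tree rather than on text with regular expressions, which is also why an entity-encoded `&#106;avascript:` is caught (the DOM hands the filter the decoded attribute value).

```php
<?php
// Added example, not code from the thread. The allowlists below are assumed for
// illustration; match them to what your editor actually produces.
const KEEP_TAGS  = array('p', 'br', 'strong', 'em', 'b', 'i', 'ul', 'ol', 'li', 'blockquote', 'h2', 'h3', 'a');
const KEEP_ATTRS = array('a' => array('href'));                       // per-tag attribute allowlist
const DROP_WHOLE = array('script', 'style', 'iframe', 'object', 'embed', 'noscript', 'form');

/** Only http(s), mailto or relative URLs survive in href; "javascript:" and friends do not. */
function safe_href(string $url): bool
{
    $url = trim($url);
    if (preg_match('/[\x00-\x20]/', $url)) {   // "java\tscript:" style evasions
        return false;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if ($scheme === false) {
        return false;                          // unparseable
    }
    if ($scheme === null) {
        return true;                           // relative URL
    }
    return in_array(strtolower($scheme), array('http', 'https', 'mailto'), true);
}

function clean_attributes(DOMElement $el): void
{
    $allowed = KEEP_ATTRS[$el->tagName] ?? array();
    $names = array();
    foreach ($el->attributes as $attr) {       // snapshot first: removing while iterating is unsafe
        $names[] = $attr->name;
    }
    foreach ($names as $name) {
        $lname = strtolower($name);
        if (!in_array($lname, $allowed, true)
            || ($lname === 'href' && !safe_href($el->getAttribute($name)))) {
            $el->removeAttribute($name);
        }
    }
}

function clean_node(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMText) {
            continue;                          // text is re-escaped by saveHTML
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);        // comments, processing instructions
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WHOLE, true)) {
            $node->removeChild($child);        // element and everything inside it
        } elseif (!in_array($tag, KEEP_TAGS, true)) {
            clean_node($child);                // unknown wrapper: keep its cleaned children
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
        } else {
            clean_attributes($child);
            clean_node($child);
        }
    }
}

function sanitize_html(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);  // tolerate the tag soup editors produce
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>' . $html . '</body></html>');
    libxml_use_internal_errors($prev);

    $body = $doc->getElementsByTagName('body')->item(0);
    clean_node($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input: the kind of thing a tampered editor field could send.
$dirty = '<p onclick="steal()">Hi <b>there</b><script>alert(1)</script>'
       . ' <a href="javascript:alert(1)">bad</a> <a href="https://example.com/">ok</a></p>';
echo sanitize_html($dirty), "\n";
```

Run this on the content before it goes to `insert_post()` (or whatever the insert is called), not at display time, so the database only ever holds markup you have already agreed to serve. Unknown wrappers such as `<div>` or `<span>` are unwrapped rather than deleted so that no visible text is lost; the `DROP_WHOLE` list covers the elements whose contents must not survive either.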

    #132137
    ajnoguerra
    Participant

    Wow. Thanks @traq for the effort of giving all this knowledge. I think I need to do a lot of deep reading about PHP and MySQL. As I see it, I’m still at the very basic stage. I will be reconstructing my code again and shall apply what you have mentioned. I shall post it again ;)

    Again, thanks so much.

    #132152
    __
    Participant

    @ajnoguerra

    no problem. If you’re not too far along, I really would encourage you to switch to the mysql**i** extension. It is designed with an object-oriented interface, but it also has functions for procedural coding that are *very* similar to the original mysql_* functions. I have an example somewhere; I’ll look for it (or look through the [examples on php.net](http://php.net/manual/en/mysqli.quickstart.php)).

    > Save and save & publish seems almost like the same, what about just draft for when it’s not ready & publish for when it is.
    –@FragaGeddon

    Whatever he decides to call it, it’s the same functionality.

  • The forum ‘Back End’ is closed to new topics and replies.