We Keep Coding

PHP: Validate data in Update form before submitting to database

I'm still very new to php and form validation. I am currently trying to create an update form that validates before submitting the data to the database. So far I have successfully managed to update the data in the database when submitting the form.
But now I am trying to validate the data and make sure that the 4 fields are filled in and not left blank, if some of the form fields are left blank then I need the form to reload with what was already filled in on the form previously.
I have started adding in form validation into the script below but this is script I have successfully used for adding new data to a database. I'm having trouble trying to wrap my head around what I need to change to make it work for an UPDATE query. Thanks in advance
The only fields i need to update in the form is the description, img_path, location and payment.
<?php
$mysqli = new mysqli("localhost", "root", "", "etrading");
session_start(); //start session
//Check that a product ID is specified for the page
if (isset($_GET['ItemID'])) {
$productID = $_GET['ItemID'];
}else{
header("Location: index.php");
}
if (isset($_POST['Name'])) {
$Name = $_POST['Name'];
$Description = $_POST['Description'];
$img_path = $_POST['img_path'];
$Quantity = $_POST['Quantity'];
$Category = $_POST['Category'];
$Location = $_POST['Location'];
$Saletype = $_POST['Saletype'];
$Price = $_POST['Price'];
$Duration = $_POST['Duration'];
$Payment = $_POST['Payment'];
$updateQuery = "UPDATE item SET Description = '$Description', img_path = '$img_path', Location = '$Location', Payment = '$Payment' WHERE ItemID= $productID";
$mysqli->query($updateQuery);
echo ("Product successfully updated");
}
$query = "SELECT * FROM item WHERE ItemID = $productID";
$result = $mysqli->query($query);
if($result->num_rows > 0) {
$data = $result->fetch_array(MYSQLI_BOTH);
//prepare input data in an array
$updatedata = array($Description, $img_path, $Location, $Payment);
//prepare error list
$errors = array ();
//Validation tests and store list
if ($Description == "" || $img_path == "" || $Location == "" || $Payment == "" ) {
array_push($errors, "All form fields must be filled out before submitting.");
}
//if errors redirect back to form page and save attempted data.
if (count($errors) > 0) {
$_SESSION['updatedata'] = $updatedata;
$_SESSION['errors'] = $errors;
header("Location: ../edit.php");
}else{
unset($_SESSION['updatedata']);
unset($_SESSION['errors']);
}
if(isset($_SESSION['errors'])) {
$errors = $_SESSION['errors'];
for ($errorCount = 0; $errorCount < count($errors); $errorCount++) {
echo ("<p class='error'>Error: " . $errors[$errorCount] . "</p>");
}
}
?>
<div id="form">
<h2> Edit Product </h2>
<form action="edit.php?ItemID=<?php echo $productID; ?>" method="POST" >
<fieldset>
<h4>Sell Your Item</h4>
<p><label class="title" for="Name">Name:</label>
<input type="text" placeholder="<?php echo $data['Name']; ?>" name="Name" id="Name" title="Please enter item name"
readonly ><br />
<label class="title" for="Description">Description:</label>
<textarea name="Description" rows="5" cols="33" placeholder="<?php echo $data['Description']; ?>" id="Description" title="Please describe your item" ></textarea><br />
<img src="../img/<?php echo $data['img_path']; ?>" />
<br>
Select image to upload:
<input type="file" name="img_path" placeholder="<?php echo $data['img_path']; ?>" id="img_path" accept="image/jpg"><br>
<label class="title" for="Quantity">Quantity:</label>
<input type="text" placeholder="<?php echo $data['Quantity']; ?>" name="Quantity" id="Quantity" title="Number of items" readonly><br />
<label class="title" for="Category">Category:</label>
<input type="text" placeholder="<?php echo $data['Category']; ?>" name="Category" id="Category" Title="Category" readonly >
<label class="title" for="Location">Location:</label>
<input type="text" placeholder="<?php echo $data['Location']; ?>" name="Location" id="Location" title="Enter item location" ><br />
<label class="title" for="Saletype">Sale Type:</label>
<input type="text" placeholder="<?php echo $data['Saletype']; ?>" name="Saletype" id="Saletype" title="Sale Type" readonly >
<label class="title" for="Price">Price: $</label>
<input type="text" placeholder="<?php echo $data['Price']; ?>" name="Price" id="Price" title="Please enter your name" readonly><br />
<label class="title" for="Duration">Duration:</label>
<input type="text" placeholder="<?php echo $data['Duration']; ?>" name="Duration" id="Duration" title="End Date" readonly><br />
<label class="title" for="Payment">Payment Type:</label>
<input type="text" placeholder="<?php echo $data['Payment']; ?>" name="Payment" id="Payment" title="Payment" readonly >
<select name="Payment" id="Payment" >
<option value="PayPal">PayPal</option>
<option value="Bank Deposit">Bank Deposit</option>
<option value="Card">Credit Card</option>
</select><br>
<div class="submit"><input type="submit" value="submit" name="submit" /></div>
<div class="reset"><input type="reset" /></div>
</fieldset>
</form>

You could use the required attribute on the HTML form. This will ensure the form can not be submitted unless there are input values.
<input type="text" required />
In your PHP file, you can use the isset() function to check all the values.
if (isset($description) && isset($img_path) && isset($description) && isset($payment))
{
// other code
}
You should also make sure to escape the values.
if (isset($description) && isset($img_path) && isset($description) && isset($payment))
{
$description = mysqli_real_escape_string($conn, $description);
$img_path = mysqli_real_escape_string($conn, $img_path);
$location = mysqli_real_escape_string($conn, $location);
$payment = mysqli_real_escape_string($conn, $payment);
$updateQuery = "UPDATE item SET Description = '$Description', img_path = '$img_path', Location = '$Location', Payment = '$Payment' WHERE ItemID= $productID";
$mysqli->query($updateQuery);
}
The mysqli_real_escape_string escapes special characters in a string for use in an SQL statement, taking into account the current charset of the connection
You should always do validation on both frontend and backend.

Try this.. this would work.. It worked for me..
<input type="text" name="name" value="<?php echo $name; ?>" required="required" placeholder="Enter name">

Copying a value from POST into a variable

In a page I have a form that submits with Post method. In another page I'm just trying to retreive and echo those values. If I just:
var_dump($_POST)
I see every value I entered in the form.
If I do something like:
echo $_POST['name'];
echo $_POST['surname'];
echo $_POST['telephone'];
I see the correct values.
But if, at the beginning of the page, use:
$name = $_POST['name'];
$surname = $_POST['surname'];
$telephone = $_POST['telephone'];
echo $name . ' ' . $surname . ' ' . $telephone;
I notice that for example name and telephone are always empty.
HTML form:
<form id="dom_com_sci" class="form" name="dom_com_sci" action="./ricevuta-fiscale-2convention.php" method="post" enctype="application/x-www-form-urlencoded" target="_self" style="height: 2200px; width: 619px;">
<p>
<label for="name">name:</label>
<input id="name" class="focus capitalize" name="name" type="text" size="26" value="" maxlength="70" placeholder="es. Mario" autocomplete="off" />
</p>
<p>
<label for="surname">surname:</label>
<input id="surname" class="focus capitalize" name="surname" type="text" size="26" value="" maxlength="70" placeholder="es. Rossi" autocomplete="off" />
</p>
<p>
<label for="telephone">telephone:</label>
<input id="telephone" class="focus capitalize" name="telephone" type="text" size="26" value="" maxlength="70" placeholder="es. Rossi" autocomplete="off" />
</p>
<input type="submit" name="Send" value="Send" tabindex="34" />
</form>
The php script on the result page:
<?php
require_once('./function/generic_function.php');
if(isset($_POST['submit']) && $_POST['submit'] == "Send") {
$surname= $_POST['surname'];
$name = $_POST['name'];
$telephone = $_POST['telephone'];
}
?>
generic_function.php:
<?php
function replace($stringa) {
$stringa_r = str_replace('\\','',$stringa);
return $stringa_r;
}
function accesso($percorso,$opzione = "N") {
($opzione == "Y") ? $blank = "target=_blank" : $blank = "";
if(isset($_SESSION['access_level']) && $_SESSION['access_level'] > 1 && isset($_SESSION['logged']) && $_SESSION['logged'] == 1 && isset($_SESSION['user_id'])) {
print('href="'.$percorso.'"'.$blank);
} else {
print('href="'.$dir.'access.php"');
}
}
?>

you are missing on quote (') in these line
$surname= $_POST['surname];
$name = $_POST['name];
$telephone = $_POST['telephone];
it should be this
$surname= $_POST['surname'];
$name = $_POST['name'];
$telephone = $_POST['telephone'];
<?php
//error_reporting($level=NULL);
?>
<form id="dom_com_sci" class="form" name="dom_com_sci" action="" method="post" enctype="application/x-www-form-urlencoded" target="_self" >
<p>
<label for="name">name:</label>
<input id="name" class="focus capitalize" name="name" type="text" size="26" value="" maxlength="70" placeholder="es. Mario" autocomplete="off" />
</p>
<p>
<label for="surname">surname:</label>
<input id="surname" class="focus capitalize" name="surname" type="text" size="26" value="" maxlength="70" placeholder="es. Rossi" autocomplete="off" />
</p>
<p>
<label for="telephone">telephone:</label>
<input id="telephone" class="focus capitalize" name="telephone" type="text" size="26" value="" maxlength="70" placeholder="es. Rossi" autocomplete="off" />
</p>
<input type="submit" name="submit" value="submit" tabindex="34" />
</form>
<?php
//require_once('./function/generic_function.php');
if(isset($_POST['submit']) && $_POST['submit'] == "submit") {
$surname= $_POST['surname'];
$name = $_POST['name'];
$telephone = $_POST['telephone'];
echo $name . ' ' . $surname . ' ' . $telephone;
}
?>
Comment:: To style your form. You can put it inside the div and than can give that div style.
Thanks let me know it work or not.

Updating Query Matter

I've defined a user settings page in my website, and there are several forms that appears on that page, I'v written a query for these fields to be updated upon clicking on "submit" button, but some how I end up having this error below;
User Could Not Be Updated Because:You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near
'SHA1(5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)', ' WHERE id =' at
line 1
this is profile settings page codes for the form:
<?php
$uid = $_SESSION['user_id'];
$query = mysqli_query($dbc, "SELECT * FROM users WHERE id = $uid ")or die(mysql_error());
$arr = mysqli_fetch_assoc($query);
?>
<form action="?page=profileset&id=<?php echo $arr['id']; ?>" method="post" role="form">
<label for="first">First Name</label>
<input class="form-control" type="text" name="first" id="first" value="<?php echo $arr['first']; ?>" placeholder="First Name" autocomplete="off">
</div>
<div class="from-group">
<label for="last">Last Name</label>
<input class="form-control" type="text" name="last" id="last" value="<?php echo $arr['last']; ?>" placeholder="Last Name" autocomplete="off">
</div>
<br>
<div class="from-group">
<label for="email">Email Address</label>
<input class="form-control" type="text" name="email" id="email" value="<?php echo $arr['email']; ?>" placeholder="Email Address" autocomplete="off">
</div>
<div class="from-group">
<label for="password">Password</label>
<input class="form-control" type="password" name="password" id="password" value="<?php echo $arr['password']; ?>" placeholder="Password" autocomplete="off">
</div>
<button id="profile-btn-change" type="submit" class="btn">Submit Changes</button>
<input type="hidden" name="submitted" value="1">
</form>
and this is the query which updates this form;
if(isset($_POST['submitted']) == 1){
$first = mysqli_real_escape_string($dbc, $_POST['first']);
$last = mysqli_real_escape_string($dbc, $_POST['last']);
$password = SHA1($_POST['password']);
$action = 'Updated';
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
$r = mysqli_query($dbc, $q);
if($r){
$message = '<p class="alert alert-success">User Was '.$action.'!</p>';
} else {
$message = '<p class="alert alert-danger">User Could Not Be '.$action.' Because:'.mysqli_error($dbc);
}
}
any consideration is appreciated

You are repeating the password = part in the UPDATE query.
do
$password = sha1($_POST[password]);
instead of
$password = " password = 'SHA1($_POST[password])', ";
update
make sure you try the update query like
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
and try to sanitize the variables while you use them.

sql update statement from a html form doesn't execute

<?php
//include 'includes/connectie.php';
if (isset($_GET['id'])){
$product_id=$_GET['id'];
} else {
$product_id=$_POST['id'];
}
$user = 'userID';
$pass = 'mypassword';
$dbh = new PDO( 'mysql:host=localhost;dbname=webshop', $user, $pass );
$sql = "SELECT * FROM `producten` WHERE product_id='$product_id'";
$sql_result = $dbh->query($sql);
foreach($sql_result as $row)
{
$prijs=$row['prijs'];
$product_naam=$row['product_naam'];
$product_categorie=$row['product_categorie'];
$product_specificaties=$row['product_specificaties'];
$foto=$row['foto'];
$product_id=$row['product_id'];
$product_soort=$row['product_soort'];
echo "Product id nummer:", $product_id;
}
//$_SESSION['prijs'] = $prijs;
if ($_SERVER["REQUEST_METHOD"] == "POST"){
//if (!empty($product_naam) && !empty($product_specifcaties) && !empty($product_categorie) && !empty($prijs)
//&& !empty($product_soort))
If (isset($_POST['submit']))
{
$sql = "UPDATE producten
SET prijs='$prijs', product_naam='$product_naam', product_specificaties='$product_specificaties',
product_categorie='$product_categorie', product_soort='$product_soort',
WHERE product_id='$product_id'";
$query = $dbh->prepare( $sql );
$result = $query->execute();
if ($result){
echo "Product aangepast!!!!! in id:";
echo $product_id;
} else {
echo "Product NIET aangepast!!!!";
}
}
}
?>
<form name="admin" action="producten_echt_aanpassen.php" method="POST" enctype="multipart/form-data">
<p>
<label for 'product_id'>Product ID: </label><br>
<input type="text" name="id" value="<?php print $product_id; ?>"/>
</p>
<p>
<label for 'product_naam'>Naam: </label><br>
<input type="text" name="product_naam" value="<?php print $product_naam; ?>"/>
</p>
<p> <label for 'product_specificaties'>Specificaties: </label><br>
<textarea rows= "4" cols="50" name="product_specificaties"><?php print $product_specificaties; ?>
</textarea>
</p>
<p>
<label for 'prijs'>Prijs: </label><br>
<input type="text" name="prijs" value="<?php print $prijs; ?>"/>
</p>
<p>
<label for 'product_categorie'>Iphone: </label><br>
<input type="text" name="product_categorie" value="<?php print $product_categorie; ?>"/>
</p>
<p>
<label for 'product_soort'>Soort: </label><br>
<input type="text" name="product_soort" value="<?php print $product_soort; ?>"/>
</p>
<br/>
<label for 'uploadfile'>Kies foto <img src="<?php print $foto; ?>"></label><br>
<input type="file" name="file" ><br><br>
<input type="submit" name="submit" value="Submit">
</form>
I have a form in which I load properties of products like the product name, price, photo etc. The properties are then possible to change and then updated in the database. But the sql update statement does not execute. Can anybody help me out?

there is a , before the where on the update that should not be there. Try to activate error reporting like this: How to get useful error messages in PHP? so that you know wwhy things are failing

Post data not being sent by a code igniter form

I've got a slight problem with my CI2.0.2 application.
From what I can tell, it is not getting any post data from a form and so is failing to run an update function, though most pages work fine.
The form is as follows:
<?php echo form_open('job/update/', array('id' => 'update', 'name' => 'update')); ?>
<div class="images">
<?php echo img('application/images/updateJob.png');?>
</div>
<h1>Update Job</h1>
<br><br><br><br>
<div class="fieldset">
<?php
if (isset($error))
{
echo '<div id ="error">';
echo '<h2>Error:</h2>';
echo '<p>'.$error.'</p>';
echo '</div>';
}
?>
<input type="hidden" name="c" id='c' value="<?php if(!empty($view[0])) { echo $view[0]; } else { echo "0"; } ?>">
<div class="left">
<h4>Job Details:</h4>
<div>
<label for="job_number">Job No:</label>
<input type="text" name="job_number" id="job_number" value="<?php echo $job['jobno']; ?>" disabled="disabled">
</div>
<div>
<label for="date">Date:</label>
<input type="text" name="date" id="date" value="<?php echo $job['datetime']->format('d-M-Y'); ?>">
</div>
<div>
<label for="council">Council:</label>
<input type="text" name="council" id="council" value="<?php echo htmlspecialchars($job['council']); ?>"> *
</div>
<div>
<label for="dano">DA No:</label>
<input type="text" name="dano" id="dano" value="<?php echo htmlspecialchars($job['dano']); ?>">
</div>
<div>
<label for="client">Client:</label>
<input type="text" name="client" id="client" value="<?php echo $job['clientid']; ?>" disabled="disabled">
</div>
</div>
<div class="right" style="margin-left: 390px;">
<h4>Location:</h4>
<label for="street_no">Street No:</label>
<input type="text" name="street_no" id="street_no" value="<?php echo $address['streetno']; ?>"> *
<br>
<label for="street_name">Street Name:</label>
<input type="text" name="street_name" id="street_name" value="<?php echo $address['streetname']; ?>"> *
<br>
<label for="street_type">Street Type:</label>
<select name="street_type" id="street_type">
<?php
foreach ($street_types as $type)
{
echo '<option';
if ($type == $address['streettype']) echo ' selected="selected"';
echo '>'.$type.'</option>';
}
?>
</select> *
<br>
<label for="suburb">Suburb:</label>
<input type="text" name="suburb" id="suburb" value="<?php echo $address['suburb']; ?>"> *
<br>
<label for="postcode">Postcode:</label>
<input type="text" name="postcode" id="postcode" value="<?php echo $address['postcode']; ?>"> *
<br>
<label for="state">State:</label>
<input type="text" name="state" id="state" value="<?php echo $address['state']; ?>"> *
<br>
<label for="country">Country:</label>
<input type="text" name="country" id="country" value="<?php echo $address['country']; ?>">
<br>
<label for="dp">DP:</label>
<input type="text" name="dp" id="dp" value="<?php echo $address['dp']; ?>">
<br>
<label for="lot_no">Lot No:</label>
<input type="text" name="lot_no" id="lot_no" value="<?php echo $address['lotno']; ?>">
<br>
<label for="po_box">PO Box:</label>
<input type="text" name="po_box" id="po_box" value="<?php echo $address['pobox']; ?>">
</div>
<div>
<input type="submit" id="submit" name="submit" value="Submit" class="button">
<p>* = Required fields</p>
</div>
</div>
<?php echo form_close();?>
And the update section of the controller is as follows:
/**
* Update an existing job.
* #param int $job_number The number of the job to update.
*/
public function update($job_number=0)
{
$this->load->model('Job_model');
$job = array();
$address = array();
// Get post data.
$job['joblocation'] = '';
$job['jobno'] = $this->input->post('job_number');
$job['datetime'] = new DateTime($this->input->post('date'));
$job['dano'] = $this->input->post('dano');
$job['council'] = $this->input->post('council');
echo $job['jobno'];
echo $job['dano'];
echo $job['council'];
$address['streetno'] = $this->input->post('street_no');
$address['streetname'] = $this->input->post('street_name');
$address['suburb'] = $this->input->post('suburb');
$address['country'] = $this->input->post('country');
$address['postcode'] = $this->input->post('postcode');
$address['state'] = $this->input->post('state');
$address['dp'] = $this->input->post('dp');
$address['lotno'] = $this->input->post('lot_no');
$address['pobox'] = $this->input->post('po_box');
$address['streettype'] = $this->input->post('street_type');
echo "here2";
if (isset($_POST['submit']))
{
$this->Job_model->update($job);
echo "here";
redirect('job/');
}
// Otherwise, get the data from the database.
else
{
$job = $this->Job_model->search($job_number);
$job = $job[0];
$job['datetime'] = new DateTime($job['datetime']);
$address = $this->Job_model->get_address($job['joblocation']);
$address = $address[0];
}
// Get the street types.
$street_types = array();
$this->load->model('staff_model');
$streets = $this->staff_model->get_street_types();
foreach ($streets as $street)
{
$street_types[$street['streettype']] = $street['streettype'];
}
// Load the client list.
$clients = array();
$this->load->model('client_model');
$people = $this->client_model->get_client_person_list();
$companies = $this->client_model->get_client_company_list();
// Allocate view data.
$viewdata = array();
$viewdata['job'] = $job;
$viewdata['street_types'] = $street_types;
$viewdata['address'] = $address;
$viewdata['people'] = $people;
$viewdata['companies'] = $companies;
$this->layout->view('job/update', $viewdata);
}
Any ideas why this might be happening?
Thanks in advance,
James

Try changing the quotes you're using on this line:
<input type="hidden" name="c" id='c' value="<?php if(!empty($view[0])) { echo $view[0]; } else { echo '0'; } ?>" />
The way you had it with the double quotes around the 0 you were breaking that php because the first one would be closing the opening value quote.