I have a form which passes data from the index.php to the update.php. The code successfully passed the date of birth variable but it didn't pass the $leadid variable. What is wrong with my code?
part of code in index.php
<form method="post" action="update.php">
<table width="400" border="0" cellspacing="1" cellpadding="2">
<tr>
<td width="100">Lead ID</td>
<td>
<?php
mysql_connect('localhost', 'root', '');
mysql_select_db('test');
$sql = "SELECT leadid FROM table WHERE lead_no ='$lead_no'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
$leadid = $row[0];
echo $leadid;
?>
</td>
</tr>
<tr>
<td width="100">Date of Birth</td>
<td><input name="birth" type="date" id="birth"></td>
</tr>
</table>
</form>
In my update.php i have POST
$id = $_POST['leadid'];
$birth = $_POST['birth'];
In your code there is no input field for the leadid variable. Try adding a hidden field like this:
<input type="hidden" value="<?php echo $leadid;?>" name="leadid" />
Then, that POST variable should be transferred.
Post does only pass the variables that are wrapped by a html form element like <input> <textarea> or others inside the <form> tag.
Since you did not create such a tag for your $leadid variable it's not available for the update.php file.
Put the following code inside your <form> tag to pass the leadid to the second script.
<input type="hidden" value="<?php echo $leadid;?>" name="leadid" />
Relating to your database query: It is recommended to use prepared statements instead of unprepared. The way you're currently selecting values from your database is a huge security leak and can be abused for SQL injections! I know you're currently using it for local testing but it's important to know that the code could cause security problems.
Here is an example on how to do it with prepared statements:
$mysqli = new mysqli('localhost', 'root', '');
$stmt = $mysqli->prepare("SELECT leadid FROM table WHERE lead_no = ?");
$stmt->bind_param("i", $lead_no); // assuming lead_no is an integer value
$stmt->execute();
$stmt->bind_result($leadid);
$stmt->fetch();
// your lead id is now stored inside $leadid
More information can be found here: http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
Related
I am trying to update a Mysql row based on value passed to url of a page.
But i am getting an error Notice: Undefined index: id_store in C:\xampp\htdocs\store\php\update.php on line 29 when i submit the button in html form.
Here is my code:
<?php
require 'db.php';
if(isset($_GET['id_store'])){
$id_store=$_GET['id_store'];
$sql ="SELECT store_name,heading FROM store ORDER BY id_store='$id_store'";
$result = $conn->query($sql);
$row = $result->fetch_assoc();
$store_name = $row['store_name'];
$heading = $row['heading'];
}
if(isset($_POST['btn-update']))
{
// variables for input data
$store_name_ = $_POST['store_name'];
$heading_ = $_POST['heading'];
// variables for input data
$id=$_GET['id_store'];
// sql query for update data into database
$sql_query = "UPDATE store SET store_name='$store_name_',heading='$heading_' WHERE id_store='$id'";
$conn->query($sql_query);
// sql query for update data into database
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>CRUD Operations With PHP and MySql - By Cleartuts</title>
</head>
<body>
<center>
<div >
<form method="post" action="update.php">
<table align="center">
<tr>
<td><input type="text" name="store_name" placeholder="Store Name" value="<?php echo $store_name; ?>" required /></td>
</tr>
<tr>
<td><input type="text" name="heading" placeholder="Store Heading" value="<?php echo $heading; ?>" required /></td>
</tr>
<tr>
<td>
<button type="submit" name="btn-update"><strong>UPDATE</strong></button>
</td>
</tr>
</table>
</form>
</div>
</center>
</body>
</html>
I am getting an error at line $id=$_GET['id_store'];
I think when I submit then button the form is directed to update.php without id_store due to which SQL query gets null value. Is there any thing that i need to change?
Note:
Make sure that there is an id_store value in your URL.
Your first query is wrong. You are using ORDER BY like a WHERE.
You try to update and submit the page, but you didn't pass the id_store. Your form will go to update.php. Remove the URL attribute in your ACTION.
Revised select query code:
$sql ="SELECT store_name,heading FROM store WHERE id_store='$id_store' ORDER BY id_store";
Your form should be:
<form method="post" action="">
So that when your from localhost/store/php/update.php?id_store=36, and you press the submit button, it will still go to localhost/store/php/update.php?id_store=36, instead of just localhost/store/php/update.php.
After you submit, the undefine error will be gone because you retain the id_store in your URL.
And inside your isset(), so that user can't refresh the page and re-submit the form, just put this before the closing bracket:
header("LOCATION:update.php?id_store=".$_GET["id_store"]);
Please check these errors:-
Your all coding stuff along with form code is in one file then why you give action. Remove action attribute from your form.
form method is POST but you are using $_GET change it to $_POST every where you use that.
Also change query like this:-
$sql ="SELECT store_name,heading FROM store WHERE id_store='$id_store' ORDER BY id_store";
Note:- check and do all this thing and tell what happen
I have a list of 'orders' being pulled out, which consist of product name, description etc, one of the fields is quantity which is in an editable text box, next to that is an update button (which has an unique ID for that row pulled from the DB). Now when the update button is pressed, I want the quantity for that product to be updated. However i'm having problems getting the correct updated quantity to be matched with the ID of that row.
I can see that the problem is me setting the $quantity1 variable with just the last result pulled out inside the IF statement, but I can't think how to get it to relate the row i'm clicking on. Here is part of the code:
echo "<td>".$row['uName']."</td>";
echo "<td>".$row['prodID']."</td>";?>
<form method="post" action="reserved.php">
<td><input name="quantity1" type="text" id="quantity1" size="1" value='<?= $qty ?>' />
<td><input name="order2" id="order2" type="submit" class="button_add" value='<?= $row['ID']?>' /></td><?
echo "</tr>";
}
}elseif(!empty($studyDir) && $rowCount == 0){
?>
<?
}
}
if (isset($_POST['order2'])){
$order2 = $_POST['order2'];
$quantity1 = $_POST['quantity1'];
\\echo $quantity1;
$link3 = mysql_connect('localhost', '******', '******');
$SQL1 = "UPDATE ybsinter_stock.reservedStock SET qty = $quantity1 WHERE ID = '$order2'";
$result1 = mysql_query($SQL1);
mysql_close($link3);
unset($quantity1);
unset($order2);
header("Location:reserved.php");
}
?>
I can't see your form ending i.e. there is no <\form>.
Also note that declaring forms in tables (except entirely enclosed in a td) is bad HTML, run your code through the W3C validator.
Also try PHP heredocs for outputting blocks of HTML with embedded data....
echo <<<EOF
<tr>
<td>{$row['uName']}</td>
<td>{$row['prodID']}</td>
<td>
<form method="post" action="reserved.php">
<input name="quantity1" type="text" id="quantity1" size="1" value="{$qty}" />
// style this button right with CSS if you want ...
<input name="order2" id="order2" type="submit" class="button_add" value="{$row['ID']}" />
</form>
</td>
</tr>
EOF;
The above form will only submit data to your script with the id that you're interested in..
Your SQL query seems roughly correct, but beware of SQL injection - please bind your variables into your queries instead of inserting them. Use the mysqli or PDO libraries instead of the outdated basic mysql functions.
$mysqli = new mysqli( /* your connection params here */ );
$sql1 = 'UPDATE ybsinter_stock.reservedStock SET qty = ? WHERE ID = ?';
$stmt = $mysqli->query( $sql1);
$stmt->bind_param( 'sd', $quantity1, $order2);
$result = $stmt->execute();
I seem to have an issue inserting the post values into my database, and i don't see the error in the coding. I've been looking at it for a while now and to me everything looks right, however when i use the form and submit the data the page reload but no data get inserted into the database.
It would be much appreciated if someone could help me identify the error in the coding.
If you have any questions feel free to ask!
Kind regards Jim
FORM
<?php
//Show the form if the user is a Admin
if(isset($_SESSION['username'])){
$username == $_SESSION['username'];
$results = $mysqli->query("SELECT authority FROM users WHERE username='$username' LIMIT 1");
while($row = $results->fetch_object()){
$aut = $row->authority;
}
}
if($aut == 1){
?>
<form action="index.php" method="post">
<table>
<tr>
<td> Title: </td>
<td><input type="text" name="title"></td>
</tr>
<tr>
<td valign="top"> News: </td>
<td><textarea name="information"></textarea></td>
</tr>
<tr>
<td> <input type="hidden" value="news"> </td>
<td><input type="submit"></td>
</tr>
</table> <hr>
</form>
MYSQLI
<?php
}
//Insert into the database
if(isset($_POST['news'])){
$title = $_POST['title'];
$information = $_POST['information'];
$mysqli->query("INSERT INTO `news` (`title`, `information`) VALUES ( '".$title."', '".$information."')");
}
<input type="hidden" value="news"> should be <input type="hidden" name="news">
That's why isset($_POST['news']) will never be true.
Beside that silly typo problem your code suffers from two real disasters.
You have no error reporting, which renders you helpless against such silly mistakes
You are adding your data directly into query, while ought to use placeholders for that.
I am not sure what was intended with the backticks and periods in your original query. In my limited experience my queries take the form of:
$mysqli->query("INSERT INTO news(title, information) VALUES ('$title', '$information')");
I would say that priority #1 is getting some debugging information in the form of return values for your php functions or access to php error logs.
Hi I'm trying to update a single field from a HTML form, for some reason one of the session variables I am passing to the update query is not being accepted. I have already echoed the variable in the page so am fairly certain it exists in memory.
NB, I know my code is horrifically insecure but I'm learning PHP and once I've got the basics working Ill go over it and bring it upto best practice standards.
E2A: If I do var_dump($filename); before trying to run the query it returns string(6) "356/18", after the query it returns NULL. I'm not unsetting the variable anywhere so where could it be going!
Here is my form:
<form method="post" action="">
<p>Your username is: <?php echo $_SESSION['userid'] ?> Your company ID is: <?php echo $companyid['id']?></p>
<h3>Please enter note for file: <?php echo $filename; ?></h3>
<table width="200" cellpadding="5">
<tr>
<th width="18%" align="right" nowrap>Add Note: </th>
<td width="82%" nowrap>
<input type="text" name="note" />
</td>
</tr>
<tr>
<td colspan="2" width="100%" nowrap>
<input type="submit" value="Submit" name="Submit" />
</td>
</tr>
</table>
</form>
Here is my UPDATE query:
$sql = "UPDATE fields SET Notes = ('".mysql_real_escape_string(stripslashes($_REQUEST['note']))."')
WHERE companyId='".$companyid['id']."' AND fileNumber ='".$filename."'";
if($result = mysql_query($sql)) {
echo "<h1>Thank you</h1>Your information has been entered into our database<br><br>";
echo $sql;
echo $filename;
} else {
echo "ERROR: ".mysql_error();
}
} else {
echoing $sql produces the following:
UPDATE fields SET Notes = ('asdasda') WHERE companyId='11' AND fileNumber =''
and here is the bit where I instantiate the POST vars.
include "header.php";
$checkFiles = "checkFiles.php";
// Catches form input from previous page and stores it into session variable called filename for future reference;
$_SESSION['filename']=$_POST['filename'];
$filename = $_SESSION['filename'];
//User id stuff from previous page too;
$userid = $_SESSION['userid'];
$id = mysql_query("SELECT id FROM users WHERE DXNumber='".$userid."'");
// Returns pointer so fetch it as an array and insert it into variable $companyid for later use;
$companyid = mysql_fetch_array($id);
You need to include session_start() on the top of each file.
Just do:
AND fileNumber ='".$_SESSION[filename]."'";
In your update query.
If that doesn't work, make sure that a value for $_SESSION[filename] is being set.
<h3>Please enter note for file: <?php echo $filename; ?></h3>
Create a input box
<input type="text" name="filename" value="<?php echo $filename; ?>"/>
Then filename value will be pass to $_POST array
I wrote a simple form from which a user will change his/her name , Facebook Name and image
here is the profile.php code with the form
<!!--edit form--!!>
<div id="edit">
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1"
bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="1" cellspacing="1"bgcolor="#FFFFFF">
<tr>
<form method="POST" action="save_profile.php">
<td colspan="3"><strong>Username<br><? echo $row['session'];?></strong></td>
<td colspan="3"><strong>Name</strong><input type="text" name="name" id="name"
value="<? echo $row['name'];?>"/><br></td>
<td colspan="3"><strong>Facebook</strong><input type="text" name="fb" id="fb" value="<? echo $row['facebook'];?>"/></td>
<td colspan="3"><strong>Image</strong><input type="text" name="img" id="img" value="<? echo $row['img'];?>"/></td>
<input type="hidden" name="pros" />
<input type="submit" value="Save" />
</form>
and this is the save_profile.php
<?
include"sp-includes/sp-config2.php";
$resultz = mysql_query($slctq);
while($rowqw = mysql_fetch_array($resultz, MYSQL_ASSOC))
{
if($_POST['pros']){
$name=$_POST['name'];
$fb=$_POST['fb'];
$img=$_POST['img'];
$do =mysql_query("UPDATE profile SET name='$name', facebook='$fb', img='$img' WHERE id='$rowqw[id]'");
}
echo $rowqw['id'];
}
?>
I dont Know where i am wrong..
First of all, PLEASE SANITIZE YOUR QUERIES. Your query is completely open for exploitation right now and that might entirely be the reason why it fails.
Write your query like this:
mysql_query('UPDATE profile SET name="'.mysql_real_escape_string($name).'", facebook="'.mysql_real_escape_string($fb).'", img="'.mysql_real_escape_string($img).'" WHERE id="'.mysql_real_escape_string($rowqw['id']).'";');
Also, note that the rowqw index should be written as 'id' instead of id.
The problems with your code:
You are not checking for errors. Use mysql_error().
You are not checking your input (if it's valid or not). You should be binding parameters or escaping with mysql_real_escape_string.
Put the query in a separate string. Something like $query = "UPDATE ..."; $do = mysql_query($query);. It is useful for debugging. You know what the exact query you are sending is.
You are using $rowq[id] the wrong way. When in a string you either use the . notation, you concatenate multiple strings; or you enclose it in {$rowq[id]}.
When you do all this, you'll solve the problems yourself. Read the docs too.
Change the code to
$do = mysql_query("UPDATE profile SET name = '$name', facebook = '$fb', img = '$img' WHERE id = '$rowqw[id]'");