I have a form where the user inputs their ID and this then populates their name from a database? There is a whole form I just copied the relevant parts and the sql below.
User ID: <input value="User ID" name="user_id">
$sql = "SELECT user_firstname, user_surname FROM users_tbl WHERE xxxx = users_tbl.user_id"
$result = pg_query($sql);
I have made it this far, but im not sure what to do.
You should filter GET or POST form variables. So the right way would be:
$sql = "SELECT user_firstname, user_surname FROM users_tbl WHERE users_tbl.user_id= ".$_POST['user_id'];
$result = pg_query($sql);
Also don't forget to filter POST and GET variables from sql injections
You probably want something like ...
page1.php
<form method="POST" action="page2.php">
User ID: <input name="user_id" value="User ID">
<input type="submit" value="go">
</form>
page2.php
$id = mysql_escape_string( $_POST['user_id'] );
$sql = "SELECT `user_firstname`, `user_surname` FROM `users_tbl `WHERE `id` = '$id' LIMIT 1";
...
Related
I can copy columns from one table to another but my problem is to insert a data in the column of new table from an input form in a single query
Here I'd like to add this $tom in the column along with "name and price" and this $tom is from another input form
<form method="post" enctype="multipart/form-data">
<input type="text" name="code" placeholder="Enter the Product Code" />
<button name="add_to_cart">Submit</button>
</form>
<?php
$db = mysqli_connect('localhost','root','','mainstock');
if(isset($_POST['add_to_cart']))
{
$tom = $_SESSION['cust'];
$code = $_POST['code'];
$query = "INSERT INTO sales (name,price,cust) SELECT name,price FROM tbl_product WHERE code = '$code' VALUES('{$tom}')";
$res = mysqli_query($db,$query);
I think this is the query for that one:
$query = "
INSERT INTO sales (name,price,cust)
SELECT name,price,'". $tom . "' FROM tbl_product;
";
This code is meant to check the submitted form values and update the table,
however it just replaces the field with a blank
Any ideas where it is gone wrong, please?
<form action = "update.php" method = "POST">
<p>
New Name: <input type "text" name="name">
<input type= "submit">
</p>
</form>
<?php
require ('/var/www/html/site1/connect_db.php');
if(!empty($_POST['name']) && !is_numeric($_POST['name']))
{
$name=$_POST['name'];
$name=mysqli_real_escape_string($dbc,$query);
$name=strip_tags($name);
#$query='update customers SET customerName = '".$name."' where customerNumber=114';
$query = "update customers ". "SET customerName = $name"."where customerNumber=114" ;
mysqli_query($dbc,$query);
}
else
{
echo $name;
}
$query = 'select * from customers where customerNumber=103';
$result = mysqli_query($dbc,$query);
while ($row=mysqli_fetch_array($result, MYSQLI_NUM))
{
echo"<p>Name : $row[1]</p>";
}
mysqli_close($dbc);
?>
You are updating customer number 114 but selecting 103 out, whose name may be blank.
Your update statement needs to have quotes around the $name bit as below:
$query = "UPDATE customers SET customerName = '$name' WHERE customerNumber=114";
Edit: please see the parameterised query advice in the question comments.
I can't seem to find a solution to this and i've looked for similar threads too but no luck
Basically here's my code, when you click Update it's meant to display your current name in the form fields then you can overwrite them and submit the changes, however sadly it will not update, it only displays the originally set first name and last name and does not update the database so therefore not displaying the new set names.
<?php
include('../connect_db.php');
$res = mysqli_query($dbconnection, "SELECT * FROM users");
$row = mysqli_fetch_array($res);
if(isset($_POST['newFirst']) && isset($_POST['newLast'])){
$newFirst = $_POST['newFirst'];
$newLast = $_POST['newLast'];
$id = $_POST['id'];
$sql = "UPDATE users SET first_name='$newFirst', last_name='$newLast' WHERE id='$id'";
$res = mysqli_query($dbconnection, $sql);
}
?>
<div id="editSection">
<h3>Edit Details</h3>
<form action="edit_profile.php" method="POST">
<input type="hidden" value="<?php echo $row[0];?>" name="id"/>
<h2>First Name</h2>
<input type="text" name="newFirst" value="<?php echo $row[1];?>">
<h2>Last Name</h2>
<input type="text" name="newLast" value="<?php echo $row[2];?>">
<input type="submit" value="Update">
</form>
</div>
Any help would be greatly appreciated :)
Kind Regards
~ Matt
You have to connect to DB before updating.so use
$con=mysqli_connect("localhost","my_user","my_password","my_db");
There are several other errors like you have to make $POST['newFirst'] as $_POST['newFirst'] like this
if(isset($_POST['newFirst']) && isset($_POST['newLast'])){
And change the query to
$sql = "UPDATE users SET first_name='$newFirst',last_name='$newLast' WHERE id= '$id'";
beacuse you have error at end of query id='first_name='$id' which is wrong
I see some error in the query
$sql = "UPDATE users SET first_name='$newFirst',
last_name='$newLast' WHERE id='first_name='$id'";
should be
$sql = "UPDATE users SET first_name='$newFirst',
last_name='$newLast' WHERE id= '$id'";
also
if(isset($POST['newFirst']) && isset($POST['newLast'])){
should be
if(isset($_POST['newFirst']) && isset($_POST['newLast'])){
You are using $POST wrong in your if-condition.
It must be called $_POST[..].
Also you should take a look at your WHERE in your update query.
I think you mean: WHERE id= '$id'
You should get your id from $_POST['id']; which is your row ID i suppose and also the update query must be where id=$id.
$id = $_POST['id'];
$sql = "UPDATE users SET first_name='$newFirst', last_name='$newLast' WHERE id=$id";
Also have you checked in DB after the update? the row[0], row[1], row[2] used will have old set of values used during select before the update happened. can you have the mysqli_fetch_array($res) after the update call?
I'm building a simple bug tracker tool.
When you've created a project, you can select a project status (open, in progress, finished).
You can change this status on the project page with this select form, :
<form action="classes/changestatus.class.php" method="post">
<label> Change Project Status </label>
<select name="status" id="status">
<option value="open">Open</option>
<option value="inprogress">In Progress</option>
<option value="finished">Finished</option>
</select>
<input class="small button" value="Change Status" type="submit">
</form>
The form posts the action to this class:
$status = $_POST['status'];
$sql = "UPDATE INTO projects ( status ) VALUES ('$status')";
$result = mysql_query( $sql );
$result = mysql_real_escape_string( $sql );
$latestID = mysql_insert_id();
if ( $result ) {
header('Location: ../projectpage.php?id='.$latestID);
} else {
echo "There is something wrong. Try again later.";
}
mysql_close();
So, when you submit the form it will run the query above and go back to the project page, with the changed project status, but this doesn't work.
I always get redirected to the wrong project page and the data doesn't update in the mysql table.
The problem is that I can't get the id, when I have this link for example 'projectpage?id=20', it always redirects me to 'projectpage?id=0'.
Can anyone help me ? I know the code isn't fully sql injection proof and I don't use mysqli, I just like to have an anwser on my question.
Thanks!
You're not keeping the $id so the this data isn't being transferred. on your form use:
<input type='hidden' name='hdnID' value="<?php echo $id;?>">
<input class="small button" value="Change Status" type="submit">
Then on your form use:
$status = $_POST['status'];
$id = $_POST['hdnID'];
Try This,
$sql="UPDATE projects SET status = '$status', id = LAST_INSERT_ID(id)";
$latestID = mysql_insert_id();
It will works for you.
Use
$sql="UPDATE projects SET status = '$status'";
And mysql_insert_id will only work when an INSERT query is executed.You need an id to update it or either to redirect it...If you are giving id then you can do like
$sql="UPDATE projects SET status = '$status' WHERE id = $id";
And redirection will be like
header('Location: ../projectpage.php?id='.$id);
I've built a page for user permissions and rankings just not to deal with phpmyadmin every time i want to change someones rank or whatever. Now, I have a problem with this query, every time I run all of the users get the same rank.
$sql = "SELECT * FROM users ORDER BY rank DESC LIMIT $start_from, 20";
$rs_result = mysql_query($sql) or die(mysql_error);
while ($row = mysql_fetch_assoc($rs_result)) {
echo "
<tr>
<td>".$row['username']."</td>
<td>".$row['rank']."</td>
<td>
<form action='' method='post'>
<select name='rank'>
<option value='member'>Member</option>
<option value='moderator'>Moderator</option>
<option value='supermoderator'>Supermoderator</option>
<option value='administrator'>Administrator</option>
</select>
<input type='submit' name='change' value='Change' />
</form>
</td>
</tr>
";
if (isset($_POST['change'])) {
$sql_rank = "UPDATE users SET rank = '".$_POST['rank']."' WHERE username = '".$row['username']."'";
$res_rank = mysql_query($sql_rank) or die(mysql_error());
}
you have
if (isset($_POST['change'])) {
$sql_rank = "UPDATE users SET rank = '".$_POST['rank']."' WHERE username = '".$row['username']."'";
$res_rank = mysql_query($sql_rank) or die(mysql_error());
}
inside the while loop. make sure you close the loop and you grab the data with $_POST not $row...
if (isset($_POST['change'])) {
$sql_rank = "UPDATE users SET rank = '".$_POST['rank']."' WHERE username = '".mysql_real_escape_string($_POST['username'])."'";
$res_rank = mysql_query($sql_rank) or die(mysql_error());
}
Also please consider trying mysqli or PDO
Yeah, you don't transmit the information which user exactly; you only check for isset($_POST["change"]) which isn't serving any information about which user; it's only indicating that any post request with an <input name="change"... /> has been submitted.
I suggest to add the value in some hidden input field like echo '<input type="hidden" name="username" value="'.$row['username'].'" />';
And then add in your if the condition: $_POST["username"] == $row['username']
Also you should consider to upgrade to mysqli or PDO.