0

OK, so I am trying to get my form to update my table to edit a contact, but for some reason, with 0 errors, it just won't update, and I just cannot figure out why, as it all looks good to me.

Here is the edit contact script

// Connect to database
$dbc = mysql_connect("localhost", "root");
if (!$dbc) 
    die("Could not connect: " . mysql_error());

// Select database
$db_select = mysql_select_db( "contactmanager", $dbc );
if (!$db_select)
    die("Could not select DB: " . mysql_error());


// Build update function for form
if(isset($_POST['update'])){
    mysql_query("UPDATE contacts SET Name='$_POST[name]', Address='$_POST[address]', Phone='$_POST[phone]', Mobile='$_POST[mobile]', Email='$_POST[email]' WHERE ContactID = $contactID") or trigger_error(mysql_error());

    echo 'Update has been pushed and fucntion has run';


} else {
    echo 'Update has not been pushed.';
}

// initialize form control values
$name = '';
$address = '';
$phone = '';
$mobile = '';
$email = '';

// Get ID of contact selected for editing
$contactID = $_GET['id'];

// build sql select statement
$query = "SELECT * FROM contacts WHERE ContactID = '$contactID'";

// Run sql statement against database
$result = mysql_query($query, $dbc);

if ($result) {

    $row = mysql_fetch_assoc($result);

    $name = $row["Name"];
    $address = $row["Address"];
    $phone = $row["Phone"];
    $mobile = $row["Mobile"];
    $email = $row["Email"];
}
else { 
    // If there is an error display message
    echo '<p><b class="error">Error with $rst: ' . mysql_error($dbc) . '</b></p>';
}

?>


    <form name="editcontact" method="post" action="edit-contact.php" id="editcontact">
        <fieldset>
            <dl>
                <dt><label for="name">Name</label></dt>
                <dd><input name="name" type="text" value="<?php echo $name; ?>" size="33" maxlength="50" tabindex="1" /></dd>
            </dl>   
            <dl>
                <dt><label for="address">Address</label></dt>
                <dd><textarea name="address" cols="33" rows="5" tabindex="2"><?php echo $address; ?></textarea></dd>
            </dl>   
            <dl>
                <dt><label for="phone">Phone</label></dt>
                <dd><input name="phone" value="<?php echo $phone; ?>" type="text" size="33" maxlength="50" tabindex="3" /></dd>
            </dl>   
            <dl>
                <dt><label for="mobile">Mobile</label></dt>
                <dd><input name="mobile" value="<?php echo $mobile; ?>" type="text" size="33" maxlength="50" tabindex="4" /></dd>
            </dl>
            <dl>
                <dt><label for="Email">Email</label></dt>
                <dd><input name="email" value="<?php echo $email; ?>" type="text" size="33" maxlength="50" tabindex="5" /></dd>
            </dl>
            <dl>
                <dt></dt>
                <dd><input type="submit" value="Update" name="update" tabindex="6" style="margin-left:7.3%;" /></dd>
                <dd><a href="list-contacts.php" alt="Contacts List"><p style="margin-left:7.3%;">Back to contacts list</p></a></dd>
            </dl>

        </fieldset>
    </form>

<?php


?>
11
  • 1
    Lovely() Commented Mar 25, 2014 at 22:03
  • 1
    You left out a parameter in $dbc = mysql_connect("localhost", "root"); which should read as $dbc = mysql_connect("localhost", "root", "password_xxx"); --- Plus, everything outside of the if(isset($_POST['update'])){...} conditional statement will be ignored upon submitting, which is where your $contactID = $_GET['id']; is located; amongst other things. Commented Mar 25, 2014 at 22:07
  • 1
    I'm next to 100% sure of it. @RiCHiE Commented Mar 25, 2014 at 22:16
  • 2
    You can declare your variable first $name = mysql_real_escape_string($_POST['name']); etc., then use SET Name='$name', etc. @RiCHiE yet using mysqli with prepared statements is better, or PDO Commented Mar 25, 2014 at 22:18
  • 1
    You should also change $Upname = $_POST['name']; to $Upname = mysql_real_escape_string($_POST['name']); for the time being, and do the rest for the others, following the same convention. @RiCHiE Least, that will give you some form of security. Commented Mar 25, 2014 at 22:44

2 Answers

2

Everything outside of the if(isset($_POST['update'])){...} conditional statement will be ignored upon submitting, which is where your $contactID = $_GET['id']; is presently located.

Place it within the conditional statement.

<?php
...

if(isset($_POST['update'])){

    // $contactID = $_GET['id']; // original
    $contactID = intval($_GET['id']); // recommended for (INT) type
    $name = mysql_real_escape_string($_POST['name']); // etc.

...

}

Sidenote: Your present code is open to SQL injection. Use mysqli_* functions (which I recommend you use, and with prepared statements), or PDO.

You should change:

$name = $_POST['name'];

to:

$name = mysql_real_escape_string($_POST['name']);

for the time being, and do the rest for the others, following the same convention.

Then do SET Name='$name' etc., and do the same for the others. That will give you some security until you get familiar with prepared statements, or PDO.


mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.

Here are a few tutorials on prepared statements that you can study and try:

Here are a few tutorials on PDO:


1 Comment

Thanks, I completely forgot about escaping the strings. I will recode it as such :)
1

The id or contactID never makes it through the form and into the processing portion of the code. Just before the final set of <dl> tags in your form, you can add a hidden input to pass the ID through the form and into $_POST array:

<dl>
    <dt></dt>
    <dd><input name="contactID" value="<?php echo $contactID; ?>" type="hidden" /> </dd>
</dl>

Then in the processing portion, you can add a line to grab the value again:

if(isset($_POST['update'])){

    $id = mysql_real_escape_string($_POST['contactID']);
    $name = mysql_real_escape_string($_POST['name']);
    $address = mysql_real_escape_string($_POST['address']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $mobile = mysql_real_escape_string($_POST['mobile']);
    $email = mysql_real_escape_string($_POST['email']);

    // ContactID is quoted too: mysql_real_escape_string() only protects a value inside a quoted literal
    mysql_query("UPDATE contacts SET Name='$name', Address='$address', Phone='$phone', Mobile='$mobile', Email='$email' WHERE ContactID = '$id'") or trigger_error(mysql_error());

    echo 'Update has been pushed and function has run';

} else {//as before...

Also, take a good hard look at the comment about using mysqli from @Fred-ii-
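
Both answers recommend prepared statements without showing one. The update handler written with PDO placeholders, as an added example that is not part of either answer or the asker's code: `updateContact()` is a hypothetical helper, the rows and form values are constructed, and in-memory SQLite stands in for the MySQL `contactmanager` database so the script runs offline.

```php
<?php
// Added example, not from the page. In-memory SQLite stands in for the MySQL
// database so the script runs offline; for MySQL only the DSN changes, e.g.
// new PDO('mysql:host=localhost;dbname=contactmanager', $user, $pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (ContactID INTEGER PRIMARY KEY, Name TEXT,
            Address TEXT, Phone TEXT, Mobile TEXT, Email TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO contacts VALUES
            (1, 'Alice', '1 Main St', '555-0100', '555-0101', 'alice@example.com'),
            (2, 'Bob', '2 Side St', '555-0200', '555-0201', 'bob@example.com')");

// Hypothetical helper: returns rows changed, or false if the ID is not a positive integer.
function updateContact(PDO $pdo, array $post)
{
    $id = filter_var($post['contactID'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false; // reject before any SQL is built
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE contacts SET Name = :name, Address = :address, Phone = :phone,
                Mobile = :mobile, Email = :email WHERE ContactID = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    foreach (['name', 'address', 'phone', 'mobile', 'email'] as $field) {
        $stmt->bindValue(":$field", (string) ($post[$field] ?? ''), PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed form submissions standing in for $_POST.
$good = ['contactID' => '1', 'name' => "Pat O'Brien", 'address' => '3 New Rd',
         'phone' => '555-0300', 'mobile' => '555-0301', 'email' => 'pat@example.com'];
$bad  = ['contactID' => '1 OR 1=1'] + $good;

// Valid ID: the name containing an apostrophe is bound as data, not as SQL.
var_dump(updateContact($pdo, $good));
// Non-integer ID: rejected by the helper, so no statement is prepared or run.
var_dump(updateContact($pdo, $bad));

// Show the table afterwards: only contact 1 should carry the new name.
foreach ($pdo->query('SELECT ContactID, Name FROM contacts ORDER BY ContactID') as $row) {
    echo $row['ContactID'], ': ', $row['Name'], "\n";
}
```

The ID is validated as an integer and bound with `PDO::PARAM_INT`, so the `WHERE` clause no longer depends on quoting or escaping at all.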
