0

I've checked dozens of threads on here and on other sites, and I cannot figure out why my code is not working. I am trying to use PHP to update MySQL using a variable to identify WHERE. The code I have works if I swap the variable for a number, and the variable works everywhere else in my script. It's just this one line that does not.

The line in question is:

$change = "UPDATE reg_info SET fname='$fname', lname='$lname', email='$email', explevel='$experience', addinfo='$additional', event='$regEvent' where id='$id'";

I've also tried the following:

$change = mysqli_query("UPDATE reg_info SET fname='$fname', lname='$lname', email='$email', explevel='$experience', addinfo='$additional', event='$regEvent' where id='$id'");

$change = "UPDATE reg_info SET fname='$fname', lname='$lname', email='$email', explevel='$experience', addinfo='$additional', event='$regEvent' where id=".$id;

$change = 'UPDATE reg_info SET fname="'.$fname.'", lname="'.$lname.'", email="'.$email.'", explevel="'.$experience.'", addinfo="'.$additional.'", event="'.$regEvent.'" where id='.$id;

From what I've seen on other threads, at least one of these should worked for me.

Can anyone point me in the right direction, please?

If it helps the entire string of PHP code is:

    <?php
$fnameErr = $lnameErr = $emailErr = $experienceErr = $regEventErr = "";
$fname = $lname = $email = $experience = $regEvent = "";
$id = $_GET["id"];
$errors = "yes";
$servername = "localhost";
$username = "root";
$password = "5tTtFzaz6dIO";
$database = "project2db";
$conn = new mysqli($servername, $username, $password, $database);
$query = mysqli_query($conn, "SELECT * FROM reg_info where id=".$id);
$row = mysqli_fetch_array($query, MYSQLI_NUM);

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
     if (empty($_POST["fname"])) {
       $fnameErr = "First name is required";
       $errors = "yes";
     } else {
       $fname = test_input($_POST["fname"]);
       if (!preg_match("/^[a-zA-Z ]*$/",$fname)) {
         $fnameErr = "Only letters and white space allowed";
         $errors = "yes";
       }
       else {
        $errors = "no";
       }
     }

     if (empty($_POST["lname"])) {
       $lnameErr = "Last name is required";
       $errors = "yes";
     } else {
       $lname = test_input($_POST["lname"]);
       if (!preg_match("/^[a-zA-Z ]*$/",$lname)) {
        $lnameErr = "Only letters and white space allowed";
        $errors = "yes";
       }
       else {
        $errors = "no";
       }
     }

     if (empty($_POST["email"])) {
       $emailErr = "Email is required";
       $errors = "yes";
     } else {
       $email = test_input($_POST["email"]);
       if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $emailErr = "Invalid email address";
        $errors = "yes";
       }
       else {
        $errors = "no";
       }
     }

     if (empty($_POST["experience"])) {
       $experienceErr = "Experience level is required";
       $errors = "yes";
     } else {
       $experience = test_input($_POST["experience"]);
       $errors = "no";
     }

     if (empty($_POST["additional"])) {
       $regEvent = "";
     } else {
       $additional = test_input($_POST["additional"]);
     }

     if (empty($_POST["regEvent"])) {
       $regEventErr = "Event is required";
       $errors = "yes";
     } else {
       $regEvent = test_input($_POST["regEvent"]);
       $errors = "no";
     }

     if($errors == "no") {
        $change = 'UPDATE reg_info SET fname="'.$fname.'", lname="'.$lname.'", email="'.$email.'", explevel="'.$experience.'", addinfo="'.$additional.'", event="'.$regEvent.'" where id='.$id;
        $result=$conn->query($change);

        if ($result) {
             echo '<script language="javascript">';
             echo 'alert("New record created successfully.")';
             echo '</script>';
             header('Location: regtable.php');
        } else {
             echo '<script language="javascript">';
             echo 'alert("Error. New record not created.")';
             echo '</script>';
             header('Location: regtable.php');
        }
     }

    }

    function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
    }
    ?>
Improve this question
8
  • 1
    Does the variable have a quote in it? Look into prepared statements. Also check for errors so you know what is currently happening. Commented Apr 18, 2016 at 16:50
  • 1
    Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Commented Apr 18, 2016 at 16:51
  • Maybe check first if you can connect successfully to database Commented Apr 18, 2016 at 17:19
  • 1
    Right after the query, do an "echo $result->error" and share with us the result here. Commented Apr 18, 2016 at 19:52
  • 1
    SQL injections aren't just about malicious users. They break your query because the data is being passed in incorrectly. Check for errors, guessing isnt that fun. Commented Apr 18, 2016 at 20:48

2 Answers 2

Reset to default
1

I figured out the issue! Whenever the form was submitted, the new POST data did not have anything assigned to the html id="id" that was passed into the PHP code to create the $id variable.

Since there was nothing in the form, $id was null, and thus the query did not update the database, even though the query and connection were completely valid.

Thanks to everyone who posted comments and advice, I really appreciate it.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

Since the query in itself is valid, I can only guess that somehow the data is causing the issue. Try the following, which escapes every value that will be used in the query:

$fname = mysqli_real_escape_string( $conn, $fname );
$lname = mysqli_real_escape_string( $conn, $lname );
$email = mysqli_real_escape_string( $conn, $email );
$experience = mysqli_real_escape_string( $conn, $experience );
$additional = mysqli_real_escape_string( $conn, $additional );
$regEvent = mysqli_real_escape_string( $conn, $regEvent );
$id = mysqli_real_escape_string( $conn, $id );

$change = "UPDATE reg_info SET fname='$fname', lname='$lname', email='$email', explevel='$experience', addinfo='$additional', event='$regEvent' where id='$id'";
Improve this answer

3 Comments

Isn't the id usually numeric? So why the quotes there?
@Reto $id can be anything doesn't matter. The quotes aren't really important for integers, they will be corrected. Not quoting a string is less forgiving though. See this, stackoverflow.com/a/3308020/4333555, for more on quoting integers vs. not.
I tried adding the above code, but there was no change in the behavior of the page.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.