
I wasn't sure what else to call the title... I have a PHP page that accesses a certain MySQL database, pulls the values from the table, and places them in an HTML form (POST method - PHP_SELF). The user can then view the values, alter them as they wish, and submit them. The page then takes those values and updates the MySQL database. Everything works perfectly except that when the user submits and the page goes to show the new updated variables, it still shows the old values. The user is forced to refresh the page before the new variables show up. I thought that PHP was perhaps not deleting the variables, so I unset all stored variables after the script was over and it's still not working. I even tried putting a sleep timer before the script started, and that didn't work either. I'd appreciate any suggestions. Here is my script just for reference:

<html>
<body>

<?php

$sql = "SELECT * FROM lease";
$result = mysql_query($sql);

?>

<form id="lease_update" method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">
<table>
<tr>
<th>Account</th>
<th>Car Lease</th>
<th>Radio Lease</th>
<th>Misc. Charges</th>
</tr>

<?php
    while($rows = mysql_fetch_array($result)){
 ?>

<tr>
<td><input type="text" name="account[]" value="<?php echo $rows['accnt']; ?>" /></td>
<td><input type="int" name="car_lease[]" value="<?php echo $rows['car']; ?>" /></td>
<td><input type="int" name="radio_lease[]" value="<?php echo $rows['radio']; ?>" />     </td>
<td><input type="int" name="misc_lease[]" value="<?php echo $rows['misc']; ?>" /></td>
<input type="hidden" name="lease_ID[]" value="<?php echo $rows['ID']; ?>" />
</tr>

<?php
    }
?>
</table>
<input type="submit" value="Update" name="lease_update" />
</form>

<?php

if(isset($_POST['lease_update'])){

$account = $_POST['account'];
$car_lease = $_POST['car_lease'];
$radio_lease = $_POST['radio_lease'];
$misc_lease = $_POST['misc_lease'];
$lease_ID = $_POST['lease_ID'];

//Get Array Lengths For Each Section
$A = count($lease_ID);

//Update Lease Information
$i = 0;
while($i < $A){
    if(!mysql_query('UPDATE lease SET accnt = "' .$account[$i]. '", car = "' .$car_lease[$i]. '", radio = "' .$radio_lease[$i]. '", misc = "' .$misc_lease[$i]. '"  WHERE ID = ' .$lease_ID[$i]))
        die('Error: ' .mysql_error());
    $i++;
}
unset($_POST);
unset($rows);
unset($result);

}
?>
</body>
</html>
user1562781
  • Read about [SQL Injection here](http://en.wikipedia.org/wiki/SQL_injection) and about [how to prevent it here](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php). – PeeHaa Aug 20 '12 at 09:52

1 Answer


You are displaying the data from the database before you update it.

It is normally good practice to do all your database connectivity at the top of the page, then display the results.

In your code (even if a user has submitted an update), you query the data, pull it from the database and display it, then run the update with what the user submitted.

Changing your code to this should do the trick (Do read the note below though):

<html>
<body>

<?php

if(isset($_POST['lease_update'])){

$account = $_POST['account'];
$car_lease = $_POST['car_lease'];
$radio_lease = $_POST['radio_lease'];
$misc_lease = $_POST['misc_lease'];
$lease_ID = $_POST['lease_ID'];

//Get Array Lengths For Each Section
$A = count($lease_ID);

//Update Lease Information
$i = 0;
while($i < $A){
    if(!mysql_query('UPDATE lease SET accnt = "' .$account[$i]. '", car = "' .$car_lease[$i]. '", radio = "' .$radio_lease[$i]. '", misc = "' .$misc_lease[$i]. '"  WHERE ID = ' .$lease_ID[$i]))
    die('Error: ' .mysql_error());
    $i++;
}
unset($_POST);
unset($rows);
unset($result);

}


$sql = "SELECT * FROM lease";
$result = mysql_query($sql);

?>

<form id="lease_update" method="post" action="<?php echo htmlentities($_SERVER['PHP_SELF']); ?>">
<table>
<tr>
<th>Account</th>
<th>Car Lease</th>
<th>Radio Lease</th>
<th>Misc. Charges</th>
</tr>

<?php
    while($rows = mysql_fetch_array($result)){
 ?>

<tr>
<td><input type="text" name="account[]" value="<?php echo $rows['accnt']; ?>" /></td>
<td><input type="int" name="car_lease[]" value="<?php echo $rows['car']; ?>" /></td>
<td><input type="int" name="radio_lease[]" value="<?php echo $rows['radio']; ?>" />     </td>
<td><input type="int" name="misc_lease[]" value="<?php echo $rows['misc']; ?>" /></td>
<input type="hidden" name="lease_ID[]" value="<?php echo $rows['ID']; ?>" />
</tr>

<?php
    }
?>
</table>
<input type="submit" value="Update" name="lease_update" />
</form>

</body>
</html>

Bad note - your code is wide open to injection attacks. You are using form data with no verification. That's a big red flag. Secondly, you are using deprecated mysql_* functions. Your code should be using mysqli_* functions or better yet move to PDO. It is much safer and you will be able to do a lot more with it.

Edit 2: The page IS being updated after the user submits the form, but the page you display to the user is querying the database before you update it - and using that to display the page to the user.

Fluffeh
  • Hmmm, that's very interesting. I'm rather new to PHP, but I was under the impression that once the form inputs were submitted and the database was updated, the page would reload (since it's a PHP_SELF), and query the database again (with the new values). – user1562781 Aug 20 '12 at 09:52
  • Thanks for the notes. I'm still trying to learn form verification in PHP. This form is for admin viewing only (no other user will have access to it). Do you think verification is still important in these cases? – user1562781 Aug 20 '12 at 10:06
  • @user1562781 Yes, you can never be too secure - that and it isn't too hard to do. I created a set of objects that use prepared statements and do all my verification nicely - and I can basically keep using them over and over on each bit of code I write. – Fluffeh Aug 20 '12 at 10:09
  • Thanks. I will read into it and see how it's done. I come from an engineering background where all I do is heavy mathematical computations. We never have to deal with users, so life is simple. User interaction is a huge pain. :-P – user1562781 Aug 20 '12 at 10:20
  • @user1562781 Think of users as the folks who will do *everything* wrong, click where they *aren't* supposed to and who will try to do everything they can to *hack* past your system. An engineering background should make your job easier to be honest. Think of a webpage as a schematic or flowchart - with users doing *everything* they can to leave the expected path. Then you will have nice secure sites. – Fluffeh Aug 20 '12 at 10:23
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/15559/discussion-between-user1562781-and-fluffeh) – user1562781 Aug 20 '12 at 10:25
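
The answer's three points (update before the SELECT, PDO prepared statements, verification of form data) combined in one script, as an added example that is not code from the question or the answer. It assumes an in-memory SQLite database in place of the MySQL connection, a made-up account-name format, and constructed form submissions standing in for `$_POST`.

```php
<?php
// Added example, not the page's code. Constructed rows; in-memory SQLite
// stands in for the MySQL connection (with MySQL only the DSN changes).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE lease (ID INTEGER PRIMARY KEY, accnt TEXT, car INTEGER, radio INTEGER, misc INTEGER)');
$pdo->exec("INSERT INTO lease (accnt, car, radio, misc) VALUES ('A-100', 300, 40, 0), ('A-200', 280, 40, 15)");

// Validate every submitted row first; only then run the prepared UPDATE,
// so one bad value rejects the whole submission before the table is touched.
function update_leases(PDO $pdo, array $post): int
{
    $rows = [];
    foreach ((array) ($post['lease_ID'] ?? []) as $i => $id) {
        $row = [
            ':id'    => filter_var($id, FILTER_VALIDATE_INT),
            ':car'   => filter_var($post['car_lease'][$i] ?? null, FILTER_VALIDATE_INT),
            ':radio' => filter_var($post['radio_lease'][$i] ?? null, FILTER_VALIDATE_INT),
            ':misc'  => filter_var($post['misc_lease'][$i] ?? null, FILTER_VALIDATE_INT),
            // Assumed account format: 1-32 letters, digits, spaces or hyphens.
            ':accnt' => filter_var($post['account'][$i] ?? null, FILTER_VALIDATE_REGEXP,
                ['options' => ['regexp' => '/^[A-Za-z0-9 -]{1,32}$/']]),
        ];
        if (in_array(false, $row, true)) {
            throw new InvalidArgumentException("invalid value in row $i");
        }
        $rows[] = $row;
    }
    $stmt = $pdo->prepare('UPDATE lease SET accnt = :accnt, car = :car, radio = :radio, misc = :misc WHERE ID = :id');
    foreach ($rows as $row) {
        $stmt->execute($row); // values travel as bound parameters, never as SQL text
    }
    return count($rows);
}

// Constructed submissions standing in for $_POST; the first has a non-numeric value.
$bad  = ['lease_ID' => ['1'], 'account' => ['A-100'], 'car_lease' => ['310 OR 1=1'], 'radio_lease' => ['40'], 'misc_lease' => ['0']];
$good = ['lease_ID' => ['1'], 'account' => ['A-100'], 'car_lease' => ['310'], 'radio_lease' => ['40'], 'misc_lease' => ['5']];
foreach ([$bad, $good] as $post) {
    try {
        echo update_leases($pdo, $post), " row(s) updated\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
    }
}
// Query after the update and escape each value written into the HTML attribute.
foreach ($pdo->query('SELECT accnt, car, misc FROM lease') as $r) {
    echo '<input name="account[]" value="', htmlspecialchars($r['accnt'], ENT_QUOTES, 'UTF-8'), "\" />\n";
}
```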