0

I've been playing a bit with updating a form including checkboxes, which was a bit harder than I expected.

Now that I thought I'd done everything right, it's just not updating. I don't have a clue why at this moment.

This is the page with the form:

<?php 

include "style.css";
include "connect.php";
include "header.php";


//This code runs if the form has been submitted

$id = htmlspecialchars($_GET["id"]);
$query  = "SELECT * FROM draaiboek_users WHERE id = '$id'";
$result = mysql_query($query);
$data=mysql_fetch_array($result);

?>


<table>
<p align="right"><button onclick="history.go(-1);">Terug</button></p>
</table>

<form action="users-update.php" method="post">
<input type="hidden" name=ud_id" value="<? echo $id; ?>">

<table border="0">
<br>
<tr><td>Gebruikersnaam:</td><td>

<input type="text" name="ud_username" maxlength="60" value="<? echo ($data['username']); ?>">

</td></tr>

<tr><td>Module Basisgegevens:</td><td>

<input type="checkbox" name="ud_mod_basisgegevens" value="1"<?php if($data['mod_basisgegevens'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Personeel:</td><td>

<input type="checkbox" name="ud_mod_personeel" value="1"<?php if($data['mod_personeel'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Vrijwilligers:</td><td>

<input type="checkbox" name="ud_mod_vrijwilligers" value="1"<?php if($data['mod_vrijwilligers'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Gasten:</td><td>

<input type="checkbox" name="ud_mod_gasten" value="1"<?php if($data['mod_gasten'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Artistiek:</td><td>

<input type="checkbox" name="ud_mod_artistiek" value="1"<?php if($data['mod_artistiek'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Publiekswerking:</td><td>

<input type="checkbox" name="ud_mod_publiekswerking" value="1"<?php if($data['mod_publiekswerking'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Techniek:</td><td>

<input type="checkbox" name="ud_mod_techniek" value="1"<?php if($data['mod_techniek'] == '1') echo 'checked'; ?>>

</td></tr>

<tr><td>Module Financien:</td><td>

<input type="checkbox" name="ud_mod_financien" value="1"<?php if($data['mod_financien'] == '1') echo 'checked'; ?>>

</td></tr>
<tr><th colspan=2><br><input type="submit" name="submit" 
value="Update"></th></tr> </table>

</form>

And this is the update page:

<html>
<head>
<?php

include 'style.css';
include 'connect.php';
include 'security.php';
include 'header.php';

?>
</head>


<body>

<table>

<?php 
  $ud_id = $_POST['ud_id'];
  $ud_username = $_POST['ud_username'];
  $ud_mod_basisgegevens = ($_POST['ud_mod_basisgegevens'] == '1') ? "1" : "0";
  $ud_mod_personeel = ($_POST['ud_mod_personeel'] == '1') ? "1" : "0";
  $ud_mod_vrijwilligers = ($_POST['ud_mod_vrijwilligers'] == '1') ? "1" : "0";
  $ud_mod_gasten = ($_POST['ud_mod_gasten'] == '1') ? "1" : "0";
  $ud_mod_artistiek = ($_POST['ud_mod_artistiek'] == '1') ? "1" : "0";
  $ud_mod_publiekswerking = ($_POST['ud_mod_publiekswerking'] == '1') ? "1" : "0";
  $ud_mod_techniek = ($_POST['ud_mod_techniek'] == '1') ? "1" : "0";
  $ud_mod_financien = ($_POST['ud_mod_financien'] == '1') ? "1" : "0";


  $query = "UPDATE draaiboek_users SET username = '$ud_username' mod_basisgegevens = '$ud_mod_basisgegevens' mod_personeel = '$ud_mod_personeel' mod_vrijwilligers = '$ud_mod_vrijwilligers' mod_gasten = '$ud_mod_gasten' mod_artistiek = '$ud_mod_artistiek' mod_publiekswerking = '$ud_mod_publiekswerking' mod_techniek = '$ud_mod_techniek' mod_financien = '$ud_mod_financien' WHERE id = '$ud_id'";

  mysql_query($query);
  echo "Record updated";
  mysql_close();
?>

</table>
</body>
</html>

Any ideas why this happens?

Thanks,
Daan

Ilia Ross
user1627596

3 Answers

0

There are no commas between the column/value assignments

$query = "UPDATE draaiboek_users SET username = '$ud_username', mod_basisgegevens = '$ud_mod_basisgegevens', mod_personeel = '$ud_mod_personeel', mod_vrijwilligers = '$ud_mod_vrijwilligers', mod_gasten = '$ud_mod_gasten', mod_artistiek = '$ud_mod_artistiek', mod_publiekswerking = '$ud_mod_publiekswerking', mod_techniek = '$ud_mod_techniek', mod_financien = '$ud_mod_financien' WHERE id = '$ud_id'";

Reference: UPDATE Syntax.

Consider adding or die when executing the query

$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error()); 
Conrad Lotz
0

Daan, you have used incorrect syntax in your SQL query - you have forgotten commas. You must also use quotes properly and add mysql_real_escape_string at least, to make your code protected against SQL injections.

The correct example of your code should be:

$query = "
UPDATE 
    draaiboek_users 
SET 
    username = '".mysql_real_escape_string($ud_username)."',
    mod_basisgegevens = '".mysql_real_escape_string($ud_mod_basisgegevens)."',
    mod_personeel = '".mysql_real_escape_string($ud_mod_personeel)."',
    mod_vrijwilligers = '".mysql_real_escape_string($ud_mod_vrijwilligers)."',
    mod_gasten = '".mysql_real_escape_string($ud_mod_gasten)."',
    mod_artistiek = '".mysql_real_escape_string($ud_mod_artistiek)."',
    mod_publiekswerking = '".mysql_real_escape_string($ud_mod_publiekswerking)."',
    mod_techniek = '".mysql_real_escape_string($ud_mod_techniek)."',
    mod_financien = '".mysql_real_escape_string($ud_mod_financien)."' 
WHERE 
    id = '".mysql_real_escape_string($ud_id)."'";

mysql_query($query);
echo "Record updated";
mysql_close();

Your code is vulnerable to SQL injection. I would strongly recommend using mysql_real_escape_string as you insert data into your database to prevent SQL injections, as a quick solution, or better, use PDO or MySQLi.

It's stated in the introduction to the PHP manual chapter on the mysql_* functions that this extension is not recommended for writing new code. Instead, either the MySQLi or PDO_MySQL extension should be used.

Besides, in your HTML you must use a space before checked="checked", e.g.:

<input type="checkbox" name="ud_mod_techniek" value="1"<?php if($data['mod_techniek'] == '1') echo ' checked="checked"'; ?>>

Otherwise, in the output, the attributes value and checked might be printed together, and as a result your HTML will not be W3C valid, returning a "No space between attributes" error.

Community
Ilia Ross
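
The PDO route recommended in the answer above, as an added example that is not part of the original thread: the update handler with bound parameters instead of string-built SQL. The DSN, credentials and the `buildUpdate` helper name are assumptions, and the hidden field is assumed to be posted as `ud_id`.

```php
<?php
// Added example (not from the original thread): users-update.php with PDO.
// Column names come from this fixed list, never from the request.
const MODULE_COLUMNS = [
    'mod_basisgegevens', 'mod_personeel', 'mod_vrijwilligers', 'mod_gasten',
    'mod_artistiek', 'mod_publiekswerking', 'mod_techniek', 'mod_financien',
];

// buildUpdate() is a hypothetical helper: it turns the posted form into one
// parameterized UPDATE plus the values to bind.
function buildUpdate(array $post): array
{
    $id = filter_var($post['ud_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $username = $post['ud_username'] ?? null;
    if ($id === false || !is_string($username) || $username === '') {
        throw new InvalidArgumentException('Missing or invalid ud_id / ud_username');
    }
    $sets   = ['username = :username'];
    $params = [':username' => $username, ':id' => $id];
    foreach (MODULE_COLUMNS as $col) {
        // An unchecked box is absent from the POST body, so default to 0.
        $sets[] = "$col = :$col";
        $params[":$col"] = (($post["ud_$col"] ?? '') === '1') ? 1 : 0;
    }
    $sql = 'UPDATE draaiboek_users SET ' . implode(', ', $sets) . ' WHERE id = :id';
    return [$sql, $params];
}

if (PHP_SAPI !== 'cli') {
    // Placeholder DSN and credentials (assumptions, replace with your own).
    $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4',
        'db_user', 'db_password', [
            // A malformed statement now throws instead of failing silently.
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]);
    [$sql, $params] = buildUpdate($_POST);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    // rowCount() is 0 when the id does not exist or nothing changed.
    echo $stmt->rowCount() === 1 ? 'Record updated' : 'No row changed';
} else {
    // Constructed sample input: the quote in the name stays data, not SQL.
    print_r(buildUpdate(['ud_id' => '7', 'ud_username' => "O'Brien",
        'ud_mod_gasten' => '1']));
}
```

Run from the command line, the script prints the generated statement and bound values for the constructed input; served over HTTP, it performs the update.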
0

Some things are missing in your form

You have not added double quotes for ud_id

<input type="hidden" name=ud_id" value="<? echo $id; ?>">

You haven't added the id for the inputs, and to set the value of id you must fetch the id of the row before you update, which is implemented as

<input type="hidden" name="ud_id" value="<?php echo $data['id'];?>" id="<?php echo $data['id'];?>">

So only when the id is passed correctly through POST will the update be made for the particular columns belonging to the id of the row.

Amirtha Rajan