Updating information into a MySQL Database using PHP

Question

Within my code, I'm attempting to update my database with values from modifiable text fields in a form. However, when the query is ran, it wipes all fields (turning them to "") related to the record the user is attempting to edit. Can anyone see why at all?

<?php
$dbuser = 'test';
$dbpass = 'test';
$host = '127.0.0.1';
$db = 'test';
mysql_connect($host, $dbuser, $dbpass) or die(mysql_error());
mysql_select_db($db) or die(mysql_error());

$result = mysql_query("SELECT * from characters");
$id = $_REQUEST['combo'];
while($row = mysql_fetch_array($result))
{
    if($id == $row['_Key'])
    {
        echo "<form action=\"webpagetests.php\" method=\'post\'>";
        echo "<strong>Player ID:</strong>    " . $row['_Key'] . "</br>";
        echo "<strong>Steam Name:</strong>   " . $row['_SteamName'] . "</br>";
        echo "<strong>Steam ID:</strong>     " . $row['_SteamID'] . "</br></br>";

        echo "Name: </br><input name = \"name\" type=\"text\" size=\"25\" value=\"" . $row['_Name'] . "\"></br></br>";
        echo "Cash: </br><input name = \"cash\" type=\"text\" size=\"25\" value=\"" . $row['_Cash'] . "\"></br></br>";
        echo "Flags: </br><input name = \"flags\" type=\"text\" size=\"25\" value=\"" . $row['_Flags'] . "\"></br></br>";
        echo "Gender:</br> <input name = \"gender\" type=\"text\" size=\"25\" value=\"" . $row['_Gender'] . "\"></br></br>";
        echo "Model:</br> <input name = \"model\" type=\"text\" size=\"50\" value=\"" . $row['_Model'] . "\"></br></br>";
        echo "Faction: </br><input name = \"faction\" type=\"text\" size=\"25\" value=\"" . $row['_Faction'] . "\"></br></br></br>";
        echo "Recognised Names: </br><input name = \"names\" type=\"text\" size=\"50\" value=\"" . $row['_RecognisedNames'] . "\"</br>";
        echo "<input name=\"submit2\" type=\"submit\" value=\"Update\" />";
        echo "</form>";
    }
}
if (isset($_POST['submit2'])) 
{
    //$name = mysql_real_escape_string(htmlspecialchars($_POST['name']));
    $name = "Test";
    $cash = (int)$_POST['cash'];
    $flags = mysql_real_escape_string(htmlspecialchars($_POST['flags']));
    $gender = mysql_real_escape_string(htmlspecialchars($_POST['gender']));
    $model = mysql_real_escape_string(htmlspecialchars($_POST['model']));
    $faction = mysql_real_escape_string(htmlspecialchars($_POST['faction']));
    $names = mysql_real_escape_string(htmlspecialchars($_POST['names']));

    mysql_query("UPDATE  `test`.`characters` SET  `_Name` =  '$name',
    `_Cash` =  '$cash',
    `_Model` =  '$model',
    `_Flags` =  '$flags',
    `_Gender` =  '$gender',
    `_Faction` =  '$faction',
    `_RecognisedNames` =  '$names' 
    WHERE  `characters`.`_Key` ='$id'") or die(mysql_error());
    echo '<META HTTP-EQUIV="Refresh" Content="0; URL=webpagetest.php">'; 
}?>

Don't use the `mysql_*()` functions - http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-function-in-php - That's not your problem in this case, but it should be noted. Also, including the actual HTML form you're using to post the data would help. — WWW, Oct 24 '12 at 20:55
Did you check the variables if they are actually filled with the expected values? That way you would know if it's a problem with your form/form handling or your query. — mboldt, Oct 24 '12 at 21:02
D is set at $id = $_REQUEST['combo']; - where combo is a drop down on the previous page which sends the value of _Key for the name selected. — Warjekk, Oct 25 '12 at 08:38

Olaf Dietsche · Answer 1 · 2012-10-24T21:32:33.567

0

1) You have no where clause in your select statement, so the whole table is transferred from the DB to your PHP script. Add:

$id = mysql_real_escape_string($id);
$result = mysql_query("select * from characters where _Key = '$id'");

to improve performance and bandwidth usage. Better yet, use mysqli, where you can use prepared statements.

2) I don't see where $id is set, when the form returns, so this might be a problem too.

edited Oct 24 '12 at 21:32

answered Oct 24 '12 at 21:06

Olaf Dietsche

72,253
8
102
198

1

Please do not post code snippets that expose beginners to SQL injections! Show them how to do it right by leading them to up-to-date solutions like [PDO](http://www.php.net/manual/en/intro.pdo.php) or [mysqli_*](http://ch2.php.net/manual/en/intro.mysqli.php). – CodeZombie Oct 24 '12 at 21:09

Updating information into a MySQL Database using PHP

1 Answers1