Update where id = $GET['id']

Question

I am trying to create a successful update, using the following HTML:

<form id="form2" name="form2" method="post" 
  onsubmit="return validateForm();" action="">

    Id <input type="text" class="txt" name="id" />
    <br />
    Name <input type="text" class="txt" name="name" />
    <br />
    Website <input type="text" class="txt" name="website" />
    <br />
    Description <input type="text" class="txt" name="description" />
    <br />
    <input type="submit" id="submit" value="Submit"/>
</form>

I then use the following PHP to read the value and update my database:

<?php
  global $wpdb;
  if (isset($_GET['id']) && !empty($_GET['id']) &&
    isset($_POST['name']) && !empty($_POST['name']) &&
    isset($_POST['website']) && !empty($_POST['website']) &&
    isset($_POST['description']) && !empty($_POST['description']))
  {
      $wpdb->query("update where id = $_GET['id'] ".PRO_TABLE_PREFIX
            ."tutorial (name, website, description) "
            ."values('{$_POST['name']}', '{$_POST['website']}', '{$_POST['description']}')");
  }
?>

What am I doing wrong?

instead of this update where id= $_GET['id'] try this update where id= $_POST['id'] don't mixed it up — drsndodiya, Jan 01 '13 at 06:16
@RabNawaz: You can have both GET and POST parameters in the same request (e.g. by POSTing a form to an URL including URL parameters). Uncommon, but possible. — Jan Schejbal, Jan 01 '13 at 06:20
Are youre "updating" (changing what explains $_GET) or "inserting" your data for a first time? — Xfile, Jan 01 '13 at 06:23
Absolutely terrible idea to rely on unescaped or un-parametrized user input. — David Harris, Jan 01 '13 at 06:40
BTW: You don't need both `isset` and `! empty` - `! empty` will also return false if it's not set (the same way `isset` would) — , Jan 01 '13 at 07:21
**WARNING!** Your code contains an [SQL injection vulnerability](http://en.wikipedia.org/wiki/SQL_injection) -- you are passing raw, unfiltered, unvalidated user input directly into an SQL string. SQL injection is [very easy to fix](http://stackoverflow.com/q/60174/168868). It looks like you're using Wordpress, so you should use the features of [WPDB](http://codex.wordpress.org/Class_Reference/wpdb), which include emulation of [prepared statements with parameterized queries](http://en.wikipedia.org/wiki/Prepared_statement). — Charles, Jan 01 '13 at 07:35

score 2 · Answer 1 · edited Jan 01 '13 at 07:14

2

<form id="form2" name="form2" **method="post"** onsubmit="return validateForm();" action="">

Please note that your form method is post

and you are trying to fetch data using get method

isset ( $_GET['id'] ) && ! empty ( $_GET['id'] )

replace these with $_POST['key_name]; to get proper results.

edited Jan 01 '13 at 07:14

NullPoiиteя

56,591
22
125
143

answered Jan 01 '13 at 06:25

Ketan Patkar

83
8

Codesen · Answer 2 · 2013-01-01T06:29:45.783

0

Try with POST id

<?php
     global $wpdb;
if ( isset ( $_POST['id'] ) && ! empty ( $_POST['id'] ) &&
 isset ( $_POST['name'] ) && ! empty ( $_POST['name'] ) &&
 isset ( $_POST['website'] ) && ! empty ( $_POST['website'] ) &&
 isset ( $_POST['description'] ) && ! empty ( $_POST['description'] ))
{
$wpdb->query("INSERT ".PRO_TABLE_PREFIX."tutorial ( name, website, description )
values('{$_POST['name']}','{$_POST['website']}','{$_POST['description']}') ");
}
?>

edited Jan 01 '13 at 06:29

answered Jan 01 '13 at 06:15

Codesen

7,724
5
29
31

It just adding a new entry not updating the old one :( – user1890857 Jan 01 '13 at 06:27

Supericy · Answer 3 · 2013-01-01T07:10:00.087

0

2 Things.

1) Since your form method is POST, you would have to use $_POST['id'].

2) Inside your query string, your mysql UPDATE syntax as wrong as well as to use an array with key inside a string, you have to wrap it in { and } tags. This should work:

$wpdb->query("UPDATE " . PRO_TABLE_PREFIX . "tutorial SET name='{$_POST['name']}', website='{$_POST['website']}', description='{$_POST['description']}' WHERE id={$_POST['id']}");

edited Jan 01 '13 at 07:10

answered Jan 01 '13 at 06:18

Supericy

5,866
1
21
25

Are any of your table columns unique or primary? If they are, you can't have 2 rows with the same values. – Supericy Jan 01 '13 at 06:34
**watch out! your code is open to sql injection** - have you ever heard about bobby tables? – corn on the cob Nov 15 '20 at 16:05

score 0 · Answer 4 · answered Jan 01 '13 at 06:19

0

use this your update query is not correct syntax

$wpdb->query("update ".PRO_TABLE_PREFIX."tutorial set  name='{$_POST['name']}', website='{$_POST['website']}', description= '{$_POST['description']}' where id= $_GET['id'] ) ");

answered Jan 01 '13 at 06:19

Manish Nagar

1,038
7
12

2

Your suggestion also includes the SQL injection vulnerability that is in the original code. Please at least add a note so other people don't use the code as an example. – Jan Schejbal Jan 01 '13 at 06:55

score 0 · Answer 5 · answered Jan 01 '13 at 06:28

If you want the ID to be in $_GET['id'], then form action should be like this

action = "<page-url>?id=<somevalue>"

Also, you have to create a textbox to input id and the for the form should be changed according to the input there, using jQuery or Javascript.

Finally, if this is too complicated, change $_GET['id'] to $_POS['id'] as the others suggested.

Also, the SQL query is incorrect. Others have already pointed it out.

Update where id = $GET['id']

5 Answers5