-2

Hi, I've been curious about how to get the id in the URL, like php?pid=4, and use it in an UPDATE statement in SQL. Here's my code, but I can't get it to work because of an undefined variable id, whose value is in the URL.

my function.php

```php
function update_spot(){

$id=$_GET[pid];
if (isset($_POST['update'])){
$sql="UPDATE reports SET date_time_started='$_POST[date1]' ,
    date_time_finished=   '$_POST[date2]',
    barangay='$_POST[brgy]',
    street= '$_POST[street]',
    owner='$_POST[owner]', 
cause='$_POST[cause]',
motive='$_POST[motive]',
firfighter='$_POST[firefighter]'. 
civilian='$_POST[civilian]', 
ifirefighter='$_POST[ifirefighter]',
icivilian='$_POST[icivilian]',
occupancy='$_POST[occupancy]',
ed='$_POST[ed]',
alarm='$_POST[alarm]'

where id='".$id."' ";

 if (!mysql_query($sql)){ die('Error: ' . mysql_error()); } ?>
<script type='text/javascript'>alert('sucessful changed try it next time you log 

in.');window.location='view_inbox.php';</script>    <?php
}

}
```

It seems I can't get the id in the URL. My URL shows like this in the form: php?pid=5

luchaninov
jcbbea
  • Caution, code very prone to SQL injection – Dani J Jan 13 '14 at 22:10
  • You have a `.` instead of a `,` after `'$_POST[firefighter]'` – Phil Jan 13 '14 at 22:15
  • You should use the `mysqli` or `PDO` library now rather than `mysql`. Make sure you sanitize your inputs, otherwise you are basically giving people free rein over your database. – OdinX Jan 13 '14 at 22:15
  • Please read [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/q/12859942/283366) – Phil Jan 13 '14 at 22:17
  • Thanks for the observation, I'm a bit haggard hehe.. well, thank you, you have helped me a lot – jcbbea Jan 13 '14 at 22:17

4 Answers

0

It should simply be

```php
$id = $_GET['pid'];
```
emsoff
0

Use Quotes on your $_GET array access

```php
$pid = $_GET['pid'];
```

Also, you are mixing $_GET and $_POST. You should use one or the other, depending on your form's method (GET or POST).

You also want to change all the areas you access it. IE

```php
barangay = '$_POST[brgy]';
```

This should be, and all other lines after it

```php
barangay = $_POST['brgy'];
```
Rottingham
  • Your comment about mixing GET and POST is incorrect. You can POST to a URI with GET parameters and each set of data will be available in their respective super global array (`$_GET` and `$_POST`) – Phil Jan 13 '14 at 22:13
  • Thanks for the reply. Now I got this error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '. civilian='1', ifirefighter='3', icivilian='8', occupancy='Structural', ' at line 7 – jcbbea Jan 13 '14 at 22:14
  • I can rephrase to SHOULD to make you happy, but it's rather confusing to have both intermixed. – Rottingham Jan 13 '14 at 22:14
  • @Rottingham I don't think so. I'd rather POST data to `someUri?id=123` than attempting to inject `id=123` as a hidden form field or similar – Phil Jan 13 '14 at 22:16
  • Your syntax error is because you are trying to concatenate the string improperly. All of the field name = value pairs need to be corrected. – Rottingham Jan 13 '14 at 22:18
  • @Rottingham Your last point is also incorrect. Within a double-quoted string, array indexes do not need to be quoted, e.g. this is OK (from a pure string interpolation view) `"barangay = '$_POST[brgy]'"` – Phil Jan 13 '14 at 22:21
0
```php
// Fall back to 0 when pid is missing; otherwise force it to an integer.
$pid = isset($_GET['pid']) ? intval($_GET['pid']) : 0; // to avoid problems in this case
```
Dani J
0

@Up, the example above should still work, but it will cause a PHP warning saying that an undefined PHP constant will be assumed to be a string.

I would dump the `$_GET` global and see if the variable is there, e.g. `var_dump($_GET);`
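
The comments under the question recommend PDO and warn about SQL injection. The following is an added example, not code from the thread or any of its posters, showing the question's `update_spot()` with a validated `pid` and a prepared statement. The function signature, the `REPORT_FIELDS` map, the in-memory SQLite database standing in for MySQL, and the reduced column set are assumptions made for illustration.

```php
<?php
// Added example: hypothetical rewrite of update_spot() with PDO prepared statements.
// Form field name => column name; only these columns can ever be written.
const REPORT_FIELDS = [
    'date1' => 'date_time_started', 'date2'  => 'date_time_finished',
    'brgy'  => 'barangay',          'street' => 'street',
    'owner' => 'owner',             'cause'  => 'cause',
];

function update_spot(PDO $db, array $get, array $post): int
{
    // pid must be a positive integer; anything else is rejected, not coerced.
    $id = filter_var($get['pid'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('pid must be a positive integer');
    }
    $set = [];
    $params = [':id' => $id];
    foreach (REPORT_FIELDS as $field => $column) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            continue;                      // field not submitted: leave the column as is
        }
        $set[] = "$column = :$field";      // names come from the constant map, never from input
        $params[":$field"] = $post[$field];
    }
    if ($set === []) {
        return 0;
    }
    $stmt = $db->prepare('UPDATE reports SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, date_time_started TEXT,
           date_time_finished TEXT, barangay TEXT, street TEXT, owner TEXT, cause TEXT)');
$db->exec("INSERT INTO reports (id, owner) VALUES (5, 'old owner')");

// A quote inside a value is stored as data instead of breaking the statement.
var_dump(update_spot($db, ['pid' => '5'], ['owner' => "O'Brien", 'street' => 'Main St']));
var_dump($db->query('SELECT owner FROM reports WHERE id = 5')->fetchColumn());

try {
    update_spot($db, ['pid' => '5 OR 1=1'], ['owner' => 'x']);   // constructed non-integer pid
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Against MySQL, construct the `PDO` object with a `mysql:` DSN and set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server performs the parameter binding.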