0

Ok, so I am trying to get my form to update my table to edit a contact, but for some reason, with 0 errors, it just won't update, and I just cannot figure out why, as it all looks good to me.

Here is the edit contact script

<?php
// Connect to database
$dbc = mysql_connect("localhost", "root");
if (!$dbc) 
    die("Could not connect: " . mysql_error());

// Select database
$db_select = mysql_select_db( "contactmanager", $dbc );
if (!$db_select)
    die("Could not select DB: " . mysql_error());


// Build update function for form
if(isset($_POST['update'])){
    mysql_query("UPDATE contacts SET Name='$_POST[name]', Address='$_POST[address]', Phone='$_POST[phone]', Mobile='$_POST[mobile]', Email='$_POST[email]' WHERE ContactID = $contactID") or trigger_error(mysql_error());

    echo 'Update has been pushed and fucntion has run';


} else {
    echo 'Update has not been pushed.';
}

// initialize form control values
$name = '';
$address = '';
$phone = '';
$mobile = '';
$email = '';

// Get ID of contact selected for editing
$contactID = $_GET['id'];

// build sql select statement
$query = "SELECT * FROM contacts WHERE ContactID = '$contactID'";

// Run sql statement against database
$result = mysql_query($query, $dbc);

if ($result) {

    $row = mysql_fetch_assoc($result);

    $name = $row["Name"];
    $address = $row["Address"];
    $phone = $row["Phone"];
    $mobile = $row["Mobile"];
    $email = $row["Email"];
}
else { 
    // If there is an error display message
    echo '<p><b class="error">Error with $rst: ' . mysql_error($dbc) . '</b></p>';
}

?>


    <form name="editcontact" method="post" action="edit-contact.php" id="editcontact">
        <fieldset>
            <dl>
                <dt><label for="name">Name</label></dt>
                <dd><input name="name" type="text" value="<?php echo $name; ?>" size="33" maxlength="50" tabindex="1" /></dd>
            </dl>   
            <dl>
                <dt><label for="address">Address</label></dt>
                <dd><textarea name="address" cols="33" rows="5" tabindex="2"><?php echo $address; ?></textarea></dd>
            </dl>   
            <dl>
                <dt><label for="phone">Phone</label></dt>
                <dd><input name="phone" value="<?php echo $phone; ?>" type="text" size="33" maxlength="50" tabindex="3" /></dd>
            </dl>   
            <dl>
                <dt><label for="mobile">Mobile</label></dt>
                <dd><input name="mobile" value="<?php echo $mobile; ?>" type="text" size="33" maxlength="50" tabindex="4" /></dd>
            </dl>
            <dl>
                <dt><label for="Email">Email</label></dt>
                <dd><input name="email" value="<?php echo $email; ?>" type="text" size="33" maxlength="50" tabindex="5" /></dd>
            </dl>
            <dl>
                <dt></dt>
                <dd><input type="submit" value="Update" name="update" tabindex="6" style="margin-left:7.3%;" /></dd>
                <dd><a href="list-contacts.php" alt="Contacts List"><p style="margin-left:7.3%;">Back to contacts list</p></a></dd>
            </dl>

        </fieldset>
    </form>

<?php


?>
RiCHiE
  • 1
    [`Lovely()`](http://stackoverflow.com/q/60174/) – Funk Forty Niner Mar 25 '14 at 22:03
  • 1
    You left out a parameter in `$dbc = mysql_connect("localhost", "root");` which should read as `$dbc = mysql_connect("localhost", "root", "password_xxx");` --- *Plus,* everything outside of the `if(isset($_POST['update'])){...}` conditional statement will be ignored upon submitting, which is where your `$contactID = $_GET['id'];` is located; amongst other things. – Funk Forty Niner Mar 25 '14 at 22:07
  • you are missing the ' signs in your $_POSTs for example $_POST[name] should be $_POST['name'] – Rasmus Pedersen Mar 25 '14 at 22:08
  • The tutorial I followed stated that the single quotes in $_POST[] are omitted because they would cause problems because the $_POST itself is in quotes. DB connect is fine, there is no password so it's omitted. So how would you recommend it be typed, because I can't put '$_POST['name']' – RiCHiE Mar 25 '14 at 22:13
  • I see what you mean about the ID being set outside of the function and is probably the main cause of the problem. – RiCHiE Mar 25 '14 at 22:15
  • 1
    I'm next to 100% sure of it. @RiCHiE – Funk Forty Niner Mar 25 '14 at 22:16
  • 2
    You can declare your variable first `$name = mysql_real_escape_string($_POST['name']);` etc., then use `SET Name='$name',` etc. @RiCHiE yet using [**mysqli with prepared statements**](http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) is better, or [**PDO**](http://www.php.net/manual/en/book.pdo.php) – Funk Forty Niner Mar 25 '14 at 22:18
  • Thanks good to know I got it to work now the ID was the problem: Is this what you mean by using prepared statements: if(isset($_POST['update'])){ $Upname = $_POST['name']; $Upaddress = $_POST['address']; $Upphone = $_POST['phone']; $upmobile = $_POST['mobile']; $Upemail = $_POST['email']; $Upid = $_POST['id']; mysql_query("UPDATE contacts SET Name='$Upname', Address='$Upaddress', Phone='$Upphone', Mobile='$upmobile', Email='$Upemail' WHERE ContactID = $Upid") or trigger_error(mysql_error()); } – RiCHiE Mar 25 '14 at 22:34
  • You're welcome and am glad to hear it. No, those are not prepared statements. See this link => http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php <= @RiCHiE and this tutorial http://www.tutorialized.com/tutorial/PHP-5:-MySQLi-Prepared-Statements/41452 – Funk Forty Niner Mar 25 '14 at 22:39
  • 1
    You should also change `$Upname = $_POST['name'];` to `$Upname = mysql_real_escape_string($_POST['name']);` for the time being, and do the rest for the others, following the same convention. @RiCHiE Least, that will give you some form of security. – Funk Forty Niner Mar 25 '14 at 22:44
  • Thanks for all the help I will have a look at that tutorial :) – RiCHiE Mar 25 '14 at 23:48

2 Answers

2

Everything outside of the if(isset($_POST['update'])){...} conditional statement will be ignored upon submitting, which is where your $contactID = $_GET['id']; is presently located.

Place it within the conditional statement.

<?php
...

if(isset($_POST['update'])){

    // $contactID = $_GET['id']; // original
    $contactID = intval($_GET['id']); // recommended for (INT) type
    $name = mysql_real_escape_string($_POST['name']); // etc.

...

}

Sidenote: Your present code is open to SQL injection. Use mysqli_* functions. (which I recommend you use and with prepared statements, or PDO)

You should change:

$name = $_POST['name'];

to:

$name = mysql_real_escape_string($_POST['name']);

for the time being, and do the rest for the others, following the same convention.

Then do SET Name='$name' etc., and do the same for the others. That will give you some security until you get familiar with prepared statements, or PDO.


mysql_* functions deprecation notice:

http://www.php.net/manual/en/intro.mysql.php

This extension is deprecated as of PHP 5.5.0, and is not recommended for writing new code as it will be removed in the future. Instead, either the mysqli or PDO_MySQL extension should be used. See also the MySQL API Overview for further help while choosing a MySQL API.

These functions allow you to access MySQL database servers. More information about MySQL can be found at » http://www.mysql.com/.

Documentation for MySQL can be found at » http://dev.mysql.com/doc/.

Here are a few tutorials on prepared statements that you can study and try:

Here are a few tutorials on PDO:

Funk Forty Niner
1

The id or contactID never makes it through the form and into the processing portion of the code. Just before the final set of <dl> tags in your form, you can add a hidden input to pass the ID through the form and into $_POST array:

<dl>
    <dt></dt>
    <dd><input name="contactID" value="<?php echo $contactID; ?>" type="hidden" /> </dd>
</dl>

Then in the processing portion, you can add a line to grab the value again:

if(isset($_POST['update'])){

    $id = mysql_real_escape_string($_POST['contactID']);
    $name = mysql_real_escape_string($_POST['name']);
    $address = mysql_real_escape_string($_POST['address']);
    $phone = mysql_real_escape_string($_POST['phone']);
    $mobile = mysql_real_escape_string($_POST['mobile']);
    $email = mysql_real_escape_string($_POST['email']);

    mysql_query("UPDATE contacts SET Name='$name', Address='$address', Phone='$phone', Mobile='$mobile', Email='$email' WHERE ContactID = $id") or trigger_error(mysql_error());

    echo 'Update has been pushed and function has run';

} else {//as before...

Also, take a good hard look at the comment about using mysqli from @Fred-ii-

larsAnders
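
The prepared-statement approach both answers point to, as an added example that is not part of either answer: it uses PDO, takes the id from the hidden `contactID` field, and validates it as an integer. The `updateContact()` helper, the in-memory SQLite table standing in for the MySQL `contacts` table, and the sample row and POST values are assumptions made so the script runs offline.

```php
<?php
// Added example: the edit-contact UPDATE with PDO prepared statements.
// updateContact() is a hypothetical helper; the sample data is constructed.

function updateContact(PDO $pdo, array $post): int
{
    // The hidden contactID field is user-controlled. Accept only a positive
    // integer: escaping alone does not protect an unquoted `ContactID = $id`.
    $id = filter_var($post['contactID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('contactID must be a positive integer');
    }
    $stmt = $pdo->prepare(
        'UPDATE contacts SET Name = :name, Address = :address, Phone = :phone,
                Mobile = :mobile, Email = :email WHERE ContactID = :id'
    );
    $stmt->execute([
        ':name'    => (string)($post['name'] ?? ''),
        ':address' => (string)($post['address'] ?? ''),
        ':phone'   => (string)($post['phone'] ?? ''),
        ':mobile'  => (string)($post['mobile'] ?? ''),
        ':email'   => (string)($post['email'] ?? ''),
        ':id'      => $id,
    ]);
    return $stmt->rowCount(); // number of rows the UPDATE touched
}

// With MySQL the DSN would be 'mysql:host=localhost;dbname=contactmanager;charset=utf8mb4'.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (ContactID INTEGER PRIMARY KEY, Name TEXT,
            Address TEXT, Phone TEXT, Mobile TEXT, Email TEXT)');
$pdo->exec("INSERT INTO contacts VALUES (1, 'Old Name', 'Old St', '111', '222', 'old@example.com')");

// Constructed POST body; the quote in the name would break the concatenated query.
$post = ['update' => 'Update', 'contactID' => '1', 'name' => "O'Brien",
         'address' => '1 Main St', 'phone' => '555-0100', 'mobile' => '555-0101',
         'email' => 'ob@example.com'];
echo updateContact($pdo, $post), " row(s) updated\n";
echo $pdo->query('SELECT Name FROM contacts WHERE ContactID = 1')->fetchColumn(), "\n";

// A non-integer id is rejected before any SQL runs.
try {
    updateContact($pdo, ['contactID' => '1abc'] + $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

When these values are echoed back into the form's `value` attributes, pass them through `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` so stored or reflected input cannot break out of the attribute.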