
I am working on a form which allows the user to update the details of this MySQL database through an HTML form, but I get a few Undefined index/variable errors when they have clearly been assigned.

Code from the page called "eventEdit.php" with the HTML form

 <form action ="PHP/Validation.php" method = "get" >

Choose Venue:

<?php
$eventID=$_GET["info"];
echo "<select name = 'venueName'>";
$queryresult2 = mysql_query($sql2) or die (mysql_error());
while   ($row = mysql_fetch_assoc($queryresult2))  {
echo "\n";
$venueID = $row['venueID'];
$venueName = $row['venueName'];
echo "<option value = '$venueID'";
# carries the venueID from a separate table and links it to the table with the required information
if ($venueID2 == $venueID) {
    echo " option selected= 'selected'";}
    echo ">$venueName</option>";
}# when the option selected matches the queryresult it will echo this

echo "</select>";
mysql_free_result($queryresult2);
mysql_close($conn);
?>

<br /><br />
<h2>Choose Category</h2>
<?php
    include 'PHP/database_conn.php';

$sql3 ="SELECT catID, catDesc
FROM te_category";

 echo "<select name = 'catdesc'>";
$queryresult3 = mysql_query($sql3) or die (mysql_error());
while   ($row = mysql_fetch_assoc($queryresult3))  {
echo "\n";
$catID = $row['catID'];
$catDesc = $row['catDesc'];
echo "<option value = '$catID'";
if ($catID2 == $catID) {
echo " option selected= 'selected'";}
echo ">$catDesc </option>";
}

echo "</select>";
mysql_free_result($queryresult3);
mysql_close($conn);
?>
<br />
<h2>Change Event Title</h2>

Enter title <input type="text" name="D_EventTitle" value ="<?php echo $eventT; ?>" />

<br /><br />
<h2>Change Event Description</h2>

Enter description <input type="text" name="D_desc" value="<?php echo $eventDescription; ?>" />

<br /><br />
<h2>Change Event Price </h2>

Enter price <input type="text" name="D_price" value="<?php echo $EventP; ?> "/>

<br /><br />
<h2>Change Event Start Date  </h2>  <!-- Date format-->

Enter start date  <input type="date" name="D_SD" value="<?php echo $eventSD; ?>" />

<br /><br />
<h2>Change Event End Date </h2> <!-- Date format-->

Enter End Date <input type="date" name="D_ED" value="<?php echo $eventED; ?>" />


<input type="hidden" name="catID" value="<?php echo $catID; ?>" />
<input type="hidden" name="eventID" value="<?php echo $eventID; ?>" />
<input type="hidden" name="venueID" value="<?php echo $venueID; ?>" />
<input name="update" type="submit" id="update" value="Update Changes">



 </form>

The code that processes the form data and should update the MySQL table, which is called validation.php

<?php

include 'database_conn.php';

$eventT = $_REQUEST['D_EventTitle'];
$eventDescription = $_REQUEST['D_desc'];
$EventP = $_REQUEST['D_price'];
$eventSD = $_REQUEST['D_SD'];
$eventED = $_REQUEST['D_ED'];
$catDesc = $_REQUEST['catdesc'];
$venueName = $_REQUEST['venueName'];
$catID = $_REQUEST['catID'];
$info = $_REQUEST['eventID'];
$venueID = $_REQUEST['venueID'];

$sql  = "
UPDATE te_events
SET `eventID` = $info,
`eventTitle` = $eventT,
`eventDescription` = $eventDescription,
 `VenueID`= $venueID,
`catID` = $catID,
`eventStartDate` = $eventSD,
`eventEndDate` = $eventED,
`eventPrice` = $EventP
WHERE 'eventID' = $info;";
mysql_query($sql) or die (mysql_error());
mysql_close($conn);


?>

These are the errors I receive when I submit the form details

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Christmas Carol, `eventDescription` = Visit the three ghosts of Christmas this' at line 3

pictures of the Database: https://i.stack.imgur.com/QKdDR.jpg

Nabil Aziz

1 Answer


The problem is in your HTML. You're missing the form fields:

catID 
eventID 

They're not submitted, so the PHP in Validation.php can't find them.

To fix it, you should add the following to the form.

<input type="hidden" name="catID" value="<?php echo $catID; ?>" />
<input type="hidden" name="eventID" value="<?php echo $eventID; ?>" />

The issue with venueID is that the form field is called venue when it should be called 'venueID'. So, renaming it should solve that problem.

On a related note, that PHP code is extremely vulnerable to SQL Injection attacks. You should make sure to use Prepared Statements if you're going to make this open to the public.

Edit: In order to save it to the database, add the following line to "validation.php"

Your SQL has some mistakes, so rewrite it like so:

$update_te_category = "UPDATE `te_category`
    SET `catdesc` = '$catDesc'
    WHERE `catID` = '$catID';";

$update_te_events = "UPDATE `te_events`
    SET `eventTitle` = '$eventT',
    `eventDescription` = '$eventDescription',
    `eventStartDate` = '$eventSD',
    `eventEndDate` = '$eventED',
    `eventPrice` = '$EventP'
    WHERE `eventID` = '$info';";

$update_te_venue = "UPDATE `te_venue`
    SET `venueName` = '$venueName'
    WHERE `venueID` = '$venueID';";

$result_update_te_category = $db->query($update_te_category);
$result_update_te_events = $db->query($update_te_events);
$result_update_te_venue = $db->query($update_te_venue);

Replace $db with whatever you called your database connection variable in 'database_conn.php'. Like I said before, this is still very vulnerable and I suggest learning about Prepared Statements next.

Niro
  • There are more things wrong with this code. For example, he uses $_REQUEST to get all the data instead of $_GET (or even better, POST). He opens a new mysql server connection for each query instead of opening a connection once, running the queries and closing the connection at the end. And his HTML markup could be better too. But looking at the code I'm thinking he's in the process of learning PHP, so let's not be too hard on him. But you do make a valid point. – Bernhard May 04 '14 at 23:21
  • yes, I am currently learning the ropes, but I have made those suggestions, no errors seem to occur but it doesn't update the database with the new information. – Nabil Aziz May 04 '14 at 23:27
  • Not a problem, we all learn the same way. Just thought I'd point out the major security issue. The reason it's not updating, is because it's missing one more line. I'll update the answer to include that. – Niro May 04 '14 at 23:32
  • Just so you know: your edit will fail. Plus, no error reporting and open to SQL injection. – Funk Forty Niner May 04 '14 at 23:46
  • It's obviously pretty amateur code, but I guess he's gotta learn somewhere. I've already provided him a link to Prepared statements. He can figure out the rest from there. – Niro May 04 '14 at 23:57
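The question's UPDATE fails because the interpolated values are unquoted (the error message shows `eventTitle` = Christmas Carol going to the server as bare words), and the answer's quoted rewrite stops that error but still lets a single quote in the input turn the rest of the title into SQL. The following is an added example, not code from the question or the answer: a PDO prepared-statement replacement for Validation.php that validates each field and binds it as a parameter, shown beside the quoted-interpolation query so the difference is visible. It runs offline against an in-memory SQLite table standing in for the pictured te_events table (the MySQL DSN is in a comment); the column names are those in the question's UPDATE, while the sample rows and the hostile title are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example, not the question's or the answer's code. An in-memory SQLite
// database stands in for MySQL so the script runs offline; for the real site use
// the MySQL DSN instead:
//   new PDO('mysql:host=localhost;dbname=YOURDB;charset=utf8mb4', $user, $pass,
//           [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// Column names come from the UPDATE in the question; the rows are constructed.
function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE te_events (
        eventID INTEGER PRIMARY KEY, eventTitle TEXT, eventDescription TEXT,
        venueID INTEGER, catID INTEGER, eventStartDate TEXT, eventEndDate TEXT,
        eventPrice REAL)');
    $db->exec("INSERT INTO te_events VALUES
        (1, 'Old title', 'Old description', 1, 1, '2014-12-01', '2014-12-02', 5.0),
        (2, 'Other event', 'Must stay untouched', 2, 2, '2014-12-10', '2014-12-11', 9.5)");
    return $db;
}

// The answer's approach: quote each interpolated value. That removes the syntax
// error from the question, but a single quote in the title still closes the
// string and everything after it is executed as SQL.
function interpolatedUpdateSql(array $in): string
{
    return "UPDATE te_events SET `eventTitle` = '{$in['D_EventTitle']}', "
         . "`eventDescription` = '{$in['D_desc']}', `eventPrice` = '{$in['D_price']}' "
         . "WHERE `eventID` = '{$in['eventID']}'";
}

// Hardened replacement for Validation.php: check the shape of every field, then
// bind values as parameters so they can never be parsed as SQL. eventID is used
// only in WHERE; the row key is not rewritten from a hidden field as the original
// does. Returns the number of rows updated (0 means no row had that eventID).
function updateEvent(PDO $db, array $in): int
{
    foreach (['eventID', 'venueID', 'catID'] as $k) {
        if (!isset($in[$k]) || !ctype_digit((string) $in[$k])) {
            throw new InvalidArgumentException("$k must be a non-negative integer");
        }
    }
    if (!isset($in['D_price']) || !preg_match('/^\d{1,8}(\.\d{1,2})?$/', (string) $in['D_price'])) {
        throw new InvalidArgumentException('D_price must be a decimal amount');
    }
    foreach (['D_SD', 'D_ED'] as $k) {
        $d = isset($in[$k]) ? DateTime::createFromFormat('!Y-m-d', (string) $in[$k]) : false;
        if ($d === false || $d->format('Y-m-d') !== $in[$k]) {   // also rejects 2014-02-30
            throw new InvalidArgumentException("$k must be a real date in YYYY-MM-DD form");
        }
    }
    if ($in['D_ED'] < $in['D_SD']) {   // plain string compare is safe once both are YYYY-MM-DD
        throw new InvalidArgumentException('end date precedes start date');
    }
    $title = trim((string) ($in['D_EventTitle'] ?? ''));
    if ($title === '' || strlen($title) > 200) {
        throw new InvalidArgumentException('D_EventTitle must be 1 to 200 bytes');
    }

    $stmt = $db->prepare(
        'UPDATE te_events
            SET eventTitle = :title, eventDescription = :descr, venueID = :venue,
                catID = :cat, eventStartDate = :sd, eventEndDate = :ed, eventPrice = :price
          WHERE eventID = :id');
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->bindValue(':descr', (string) ($in['D_desc'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':venue', (int) $in['venueID'], PDO::PARAM_INT);
    $stmt->bindValue(':cat', (int) $in['catID'], PDO::PARAM_INT);
    $stmt->bindValue(':sd', $in['D_SD'], PDO::PARAM_STR);
    $stmt->bindValue(':ed', $in['D_ED'], PDO::PARAM_STR);
    $stmt->bindValue(':price', (string) $in['D_price'], PDO::PARAM_STR); // decimals travel as strings
    $stmt->bindValue(':id', (int) $in['eventID'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed form submission with a hostile title (stands in for $_POST).
$hostile = [
    'D_EventTitle' => "x', `eventPrice` = 0 WHERE 1=1 -- ",
    'D_desc' => 'Visit the three ghosts of Christmas', 'D_price' => '12.50',
    'D_SD' => '2014-12-24', 'D_ED' => '2014-12-26',
    'venueID' => '1', 'catID' => '1', 'eventID' => '1',
];

$db = connect();
$db->exec(interpolatedUpdateSql($hostile));   // the price of EVERY event becomes 0
print_r($db->query('SELECT eventID, eventTitle, eventPrice FROM te_events')->fetchAll(PDO::FETCH_ASSOC));

$db = connect();
echo 'rows updated: ' . updateEvent($db, $hostile) . "\n";   // 1; event 2 is untouched
print_r($db->query('SELECT eventID, eventTitle, eventPrice FROM te_events')->fetchAll(PDO::FETCH_ASSOC));
```

Run it with `php validation_demo.php` (any filename works). The first SELECT shows both rows with eventPrice 0 and title x, because the comment marker in the title swallowed the rest of the interpolated query including its WHERE clause; the second shows only event 1 changed, with the payload stored as an ordinary title. For the live form, also switch it to method="post" and read `$_POST` rather than `$_REQUEST`, and, as the comments above note, open one connection and reuse it for every query instead of closing it after each block.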