I am not able to update the MySQL database with PHP

Question

I am trying to update the mysql database using PHP but somehow I am not able to do the same. It echos the message that it is successfully updated but it doesn't update it. Please help. Please check the code and tell me the correction: First I am showing the form then the PHP code

<?php
$id=$_GET['id'];
$sql="select * from members_data where id='$id'";
$data=mysql_query($sql);
$row=mysql_fetch_array($data);
?>

<form method="post" action="edit1.php" name="form1" enctype="multipart/form-data">
<table  width="400" align="left">
<tr>
<td style="width:300px;">
Name
</td>
<td><input placeholder="What's the latest news?" type="text" name="name" style="height:20px;      width:300px;" value="<?php echo $row['name']?>" /></td>
</tr>
<tr>
<td style="width:300px;">
Family Image
</td>

<td width="69%" height="25"><input type="file" name="file" style="height:20px; width:300px;" /></td>
</tr>
<tr>
<td style="width:300px;">
Membership No.
</td>
<td><input placeholder="What's your membership number?" type="text" name="membership_no" style="height:20px; width:300px;" value="<?php echo $row['membership_no']?>" /></td>
</tr>
<tr>
<td style="width:300px;">
Address
</td>
<td><input placeholder="What's the latest news?" type="text" name="address" style="height:20px; width:300px;" value="<?php echo $row['address']?>" /></td>
</tr>
<tr>
<td style="width:300px;">
Contact Number
</td>
<td><input placeholder="What's the latest news?" type="text" name="contact_no" style="height:20px; width:300px;" value="<?php echo $row['contact_no']?>" /></td>
</tr>

<tr>
<td>
<input type="hidden" name="id" value="<?php echo $res['id']?>" />
</td>
<td style="text-align:right; width:300px;"><input type="submit" name="edit1" value="Update" /></td>
</tr>
</table>
</form>

Now starts the php code:

<?php
include("conn.php");
?>
<?php


if(isset($_POST['edit1']))
{
$allowedExts = array("gif", "jpeg", "jpg", "png", "pdf", "doc", "docx");
$extension = end(explode(".", $_FILES["file"]["name"]));
if ((($_FILES["file"]["type"] == "image/gif")
|| ($_FILES["file"]["type"] == "image/jpeg")
|| ($_FILES["file"]["type"] == "application/msword")
|| ($_FILES["file"]["type"] == "application/pdf")
|| ($_FILES["file"]["type"] == "application/vnd.openxmlformats-officedocument.wordprocessingml.document")
|| ($_FILES["file"]["type"] == "text/plain")
|| ($_FILES["file"]["type"] == "image/jpg")
|| ($_FILES["file"]["type"] == "image/pjpeg")
|| ($_FILES["file"]["type"] == "image/x-png")
|| ($_FILES["file"]["type"] == "image/png"))
&& in_array($extension, $allowedExts))
  {
  if ($_FILES["file"]["error"] > 0)
    {
    //echo "Return Code: " . $_FILES["file"]["error"] . "<br />";
    }
  else
    {
    //echo "Upload: " . $_FILES["file"]["name"] . "<br />";
    //echo "Type: " . $_FILES["file"]["type"] . "<br />";
    //echo "Size: " . ($_FILES["file"]["size"] / 1024) . " Kb<br />";
    //echo "Temp file: " . $_FILES["file"]["tmp_name"] . "<br />";

    if (file_exists("images/family_pics/" . $_FILES["file"]["name"]))
      {
      //echo $_FILES["file"]["name"] . " already exists. ";
      }
    else
      {
      move_uploaded_file($_FILES["file"]["tmp_name"],
      "images/family_pics/" . $_FILES["file"]["name"]);
      //echo "Stored in: " . "images/" . $_FILES["file"]["name"];
      }
    }
  }
else
  {
  //echo "Invalid file";
  }
$id=$_POST['id'];
$name=$_POST['name'];
$image=$_FILES["file"]["name"];
$membership_no=$_POST['membership_no'];
$address=$_POST['address'];
$contact_no=$_POST['contact_no'];

$query=mysql_query("update members_data set name='$name',family_image='$image',membership_no='$membership_no',address='$address',contact_no='$contact_no' WHERE id='$id'")  or die(mysql_error());

// if successfully updated. 
if($query){
echo "Successful";
echo "<BR>";
echo "<a href='admin_detail.php'>View result</a>";
}

else {
echo "ERROR";
}

}

?>
<?php /*?><script type="text/javascript">window.location="edit_records.php"</script><?php */?>

How does your query look when you just echo the SQL instead of executing it? Like so: `echo "update members_data set name='$name',family_image='$image',membership_no='$membership_no',address='$address',contact_no='$contact_no' WHERE id='$id'"` — Erik Terwan, Sep 13 '14 at 21:11
form is alright. there is no problem in the form. can you please check the update query. — Anil, Sep 13 '14 at 21:22
@NebojsaSusic removing the quotes would only increase the sql injection vulnerability of the already very vulnerable code — andrew, Sep 13 '14 at 22:23
i did, but still it doesnt help. can you copy paste the code at your end and see why it is not working — Anil, Sep 13 '14 at 22:23

score 1 · Answer 1 · edited May 23 '17 at 11:49

1

The likely problem is with line:

<input type="hidden" name="id" value="<?php echo $res['id']?>" />

I didn't see $res defined anywhere.

You probably want:

<input type="hidden" name="id" value="<?php echo $row['id']?>" />

Also I recommend studying this: How can I prevent SQL injection in PHP?

edited May 23 '17 at 11:49

Community

1
1

answered Sep 13 '14 at 22:32

andrew

9,313
7
30
61

lol!! I am such an idiot. Thanks buddy for showing that mistake. I was hitting my head on this since last 5 hours. – Anil Sep 13 '14 at 22:39
You're welcome, do read up on sql injection though :) I think the system will allow you to accept the answer after 10 mins. – andrew Sep 13 '14 at 22:41

I am not able to update the MySQL database with PHP

1 Answers1