So, I have the following problem:

I have a table which I fill with the data from my MySQL database and then display on a site. I want to make it so you can change e.g. the description afterwards. Instead what I get right now is that I empty the value. I can't see where my code goes wrong, so I'd appreciate some help. :)

HTML

<tbody>
    <?php
        foreach($records as $r) {                       

    ?>
        <tr><?php
            echo '<td><div class="table-image"><img src="Assets/Images/' . escape($r->name) . '"></div></td>';
            ?>
            <td><div class="data"><?php echo escape($r->name); ?></div></td>
            <td><div class="data"><?php echo escape($r->location); ?></div></td>
            <td><div class="data"><?php echo escape($r->partners); ?></div></td>
            <td><a href="https://goo.gl/maps/S5Drk" target="_blank">◈ Google Maps</a></td>
            <td class="tDesc">
                <div class="desc">
                    <input class="form-control"  value="<? echo escape($r->description); ?>" name="description" type="text">
                </div>
            </td>
            <td>
                <?php echo escape($r->date); ?>
            </td>
            <td>
                <form method="post" action="" enctype="multipart/form-data">
                    <input type="submit" value="<? echo escape($r->id); ?>" name="delete">
                </form>
            </td>
            <td>
                <form method="post" action="" enctype="multipart/form-data">
                    <input type="submit" value="<? echo escape($r->id); ?>" name="update">
                </form>
            </td>
        </tr>
    <?php
        }
    ?>
</tbody>

PHP

if(isset($_POST['update']) ){
    $des = $_POST['description'];
    $UpdateQuery = "UPDATE repo SET description = '$des', date = NOW() WHERE id ='$_POST[update]' ";          
    mysql_query($UpdateQuery);
};
llanato
Ozymandias
  • Be thankful it only deletes one record. Your query is as unsafe as it gets! You're using the ***deprecated*** `mysql` extension ([read **the red box** at the top](http://www.php.net/mysql_connect) - it says _warning_ for a reason). Learn about injection attacks, and how to prevent them. Use either one of the modern extensions (`PDO` or `mysqli`): they support prepared statements and are fairly easy to use. [Here's an example](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Elias Van Ootegem Jan 21 '15 at 10:26
  • Instead of `mysql_query($UpdateQuery);`, write `die($UpdateQuery);`. What text do you see? Can you explain how it got there? – Konerak Jan 21 '15 at 10:28
  • UPDATE repo SET description = '', date = NOW() WHERE id ='46' That is the text I see. I don't know, sorry. I have been learning php for exactly 24 hours, so my overall understanding of it is still really low. I don't think I made a syntax error. So maybe I declared something wrong? – Ozymandias Jan 21 '15 at 10:32
  • @EliasVanOotegem mentioned a very important aspect: security first. When it comes to the actual update, if your record values become empty it most likely means that the new values you're posting are simply empty or do not match the field type in the database – jacek_podwysocki Jan 21 '15 at 10:32

1 Answer

Your fields are outside the form; only fields inside the form will be sent.

<input name="i_will_not_be_send" />
<form>
    <input name="i_will_be_send" />
</form>

Always escape values you put into your query string; see mysql_real_escape_string.

Also read the comments about using the correct mysql library.

Bart Haalstra
  • `mysql_real_escape_string`, like ***all `mysql_*` functions, is deprecated***. _And_ it's always been cumbersome (in that it relies on the programmer to set the charset correctly, _and_ it requires the programmer to keep track of which values have been escaped, and which values aren't). Don't advise the OP to escape, if he has to switch to an extension that supports `prepare` – Elias Van Ootegem Jan 21 '15 at 10:56
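
The two fixes raised in the answer and comments (the description field placed inside the form, and a prepared statement instead of string interpolation), combined as an added example that is not code from the question or the answer. It assumes PDO with the SQLite driver so it runs offline; the hidden `id` field, the function names and the sample rows are constructed, and `CURRENT_TIMESTAMP` stands in for `NOW()`.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver is available and an
// in-memory table stands in for the MySQL `repo` table from the question.

// One form per row, so the description input and the row id are submitted together.
function renderUpdateForm(int $id, string $description): string
{
    $d = htmlspecialchars($description, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input class="form-control" name="description" type="text" value="' . $d . '">'
         . '<input type="submit" name="update" value="Update">'
         . '</form>';
}

// Handler: validate the id, then bind both values as parameters.
function updateDescription(PDO $pdo, array $post): int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !is_string($post['description'] ?? null)) {
        return 0; // malformed request: nothing is updated
    }
    $stmt = $pdo->prepare(
        'UPDATE repo SET description = :des, date = CURRENT_TIMESTAMP WHERE id = :id'
    );
    $stmt->execute([':des' => $post['description'], ':id' => $id]);
    return $stmt->rowCount(); // number of rows changed
}

// Constructed demo data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE repo (id INTEGER PRIMARY KEY, description TEXT, date TEXT)');
$pdo->exec("INSERT INTO repo (id, description) VALUES (46, 'old'), (47, 'other')");

echo renderUpdateForm(46, 'old'), "\n";

// Constructed POST bodies: a normal edit, text containing a quote, a non-numeric id.
var_dump(updateDescription($pdo, ['update' => 'Update', 'id' => '46', 'description' => 'new text']));
var_dump(updateDescription($pdo, ['update' => 'Update', 'id' => '47', 'description' => "the owner's notes"]));
var_dump(updateDescription($pdo, ['update' => 'Update', 'id' => '46x', 'description' => 'ignored']));

foreach ($pdo->query('SELECT id, description FROM repo') as $row) {
    echo $row['id'], ': ', $row['description'], "\n";
}
```

Against the MySQL database from the question, only the DSN changes, for example `new PDO('mysql:host=...;dbname=...;charset=utf8mb4', $user, $pass)`; the statement and bindings stay the same.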