
I'm trying to make a way to edit my posts on a blog I'm making, but for some reason when I try to submit the "update post" form it gives me the error "Something went wrong..." (meaning it got to update_post.php) and I'm not sure why. The only thing I can see it being is that I'm using TinyMCE to edit the content of the post and the way I'm doing it is wrong?

editpost.php

    <?php
      include 'php/mysql_connect.php'; // opens a PDO of variable $db
      if(isset($_GET['id'])){
        $q = $db->prepare('SELECT * FROM posts WHERE id=:post_id LIMIT 1');
        $q->execute(array(':post_id'=>$_GET['id']));
        $row = $q->fetch(PDO::FETCH_ASSOC);

        if($row){
          echo '<form method="post" action="php/update_post.php?post_id='.$_GET['id'].'">';
          echo '<div class="form-group">';
          echo '  <input type="text" class="form-control" name="title" id="title" placeholder="Post Title" autocomplete="off" value="'.$row['title'].'" required />';
          echo '</div>';
          echo '<div class="form-group">';
          echo '  <textarea class="form-control" name="body" id="body">'.$row['body'].'</textarea>';
          echo '</div>';
          echo '<input type="submit" value="Update Post" class="btn btn-default" />';
          echo '</form>';
        }
        else{
          echo 'Post not found.';
        }
      }
      else{
        echo 'Post not found.';
      }
    ?>

update_post.php

    <?php
    $post_id = $_GET['post_id'];
    $title = $_POST['title'];
    $body = $_POST['body'];
    include 'mysql_connect.php'; // establishes $db, a PDO connection

    // update the record
    $sql = "UPDATE posts SET title=:title, body=:body WHERE id=:post_id)";
    $q = $db->prepare($sql);
    if($q->execute(array(':title'=>$title, ':body'=>$body, ':post_id'=>$post_id))){
      echo '<script type="text/javascript">alert("Success!");location.href="../posts.php";</script>';
    }
    else{
      echo '<script type="text/javascript">alert("Something went wrong...");location.href="../posts.php";</script>';
    }
    ?>

I've changed the form method to GET, and it is passing the variables correctly, so that isn't the problem. The update_post.php is a modified version of my add_post.php, which works perfectly fine, so I don't understand why updating doesn't work right.

xSpartanCx

  • You do realise that you can get the database to tell you what went wrong? – Mark Baker Feb 25 '15 at 16:34
  • You should go through this: http://stackoverflow.com/questions/9209677/mysql-update-using-pdo-and-prepared-statement-not-working – logsv Feb 25 '15 at 16:41
  • If you think tinyMCE is the culprit, comment out the tinyMCE JS code so it just uses a plain textarea. If your update still fails, something else is the cause of the problem. – Matt Altepeter Feb 25 '15 at 17:35
  • Something to consider, OP: you have that post id in plain text as a GET variable. Very dangerous; what if somebody comes in, loads the page, changes that URL to a different post id, and submits? – James Spence Feb 25 '15 at 18:14
  • I changed the form action to GET to see what it was sending, and it was passing this: `update_post.php?post_id=14&title=Second+Post&body=%3Cp%3E%3Cspan+style%3D%22font-size%3A+24pt%3B%22%3EThis+is+the+Second+Post%3C%2Fspan%3E%3C%2Fp%3E` Should the title and body variables be strings? – xSpartanCx Feb 25 '15 at 18:21
  • I have both the edit post page and the update post php file secured and only available to people who enter a password. – xSpartanCx Feb 25 '15 at 18:22
  • @xSpartanCx Somebody can still log in and change that id whenever they want. What if they edit a post that belongs to another user? – James Spence Feb 25 '15 at 18:27
  • That is an issue, except my website doesn't have multiple users. I've since changed the post id to be sent through post as a hidden element of the form. – xSpartanCx Feb 25 '15 at 18:28

2 Answers

    $sql = "UPDATE posts SET title=:title, body=:body WHERE id=:post_id)";
                                                     remove this one >-----^

You have a wrong bracket at the end ;)

Remove it and it should work:

    $sql = "UPDATE posts SET title=:title, body=:body WHERE id=:post_id";
Daniel W.

  • Wow, I can't believe I missed that (as well as everyone else). I can't award the bounty right now but I will tomorrow (22 hours). Thank you! – xSpartanCx Feb 28 '15 at 00:48
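Mark Baker's comment on the question (let the database tell you what went wrong) is the general fix for this class of bug: the original script discards the reason `execute()` returned false and shows the same alert for every failure, so a one-character syntax error looks identical to a bad id or a dead connection. The following is an added example of `update_post.php`, not the asker's or either answerer's code, that switches PDO to exception mode so the stray `)` would have surfaced as a MySQL syntax error in the server log, takes every field from POST (with `post_id` as the hidden input the asker later switched to), validates the id as an integer, and checks `rowCount()` after the corrected statement. It assumes `mysql_connect.php` creates `$db` as a PDO connection and that `posts.id` is an integer column.

```php
<?php
// Added example (not code from the question or the answers): update_post.php with
// PDO errors made visible. Assumes mysql_connect.php creates $db (a PDO object),
// that posts.id is an integer column, and that the edit form submits every field,
// including a hidden post_id, via POST.
require 'mysql_connect.php';

// Throw on every error instead of returning false; the silent false return is what
// hid the stray ')' behind "Something went wrong...".
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Let the MySQL server parse the statement. With emulated prepares (the PDO_MySQL
// default) a syntax error only appears at execute(); with real prepares it is
// reported by prepare(), before any user data is bound.
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}

// Read every field from the same source. post_id arrives in a hidden input, not in
// the query string, so $_GET is never consulted here.
$post_id = filter_input(INPUT_POST, 'post_id', FILTER_VALIDATE_INT); // false if not an int, null if absent
$title   = $_POST['title'] ?? '';
$body    = $_POST['body'] ?? '';

if ($post_id === false || $post_id === null || $title === '') {
    http_response_code(400);
    exit('Missing or invalid post_id/title');
}

try {
    // The corrected statement: no trailing ')' after the last placeholder.
    $sql = 'UPDATE posts SET title = :title, body = :body WHERE id = :post_id';
    $q = $db->prepare($sql);
    $q->bindValue(':title',   $title,   PDO::PARAM_STR);
    $q->bindValue(':body',    $body,    PDO::PARAM_STR);
    $q->bindValue(':post_id', $post_id, PDO::PARAM_INT);
    $q->execute();

    // A successful execute() does not mean a row changed: an id that matches nothing
    // succeeds with zero rows. With PDO_MySQL, rowCount() counts rows actually
    // changed (not rows matched) unless PDO::MYSQL_ATTR_FOUND_ROWS was set at connect,
    // so resubmitting identical values also reports 0.
    if ($q->rowCount() === 0) {
        error_log("update_post: no rows affected for id $post_id");
    }
    header('Location: ../posts.php?updated=1');
    exit;
} catch (PDOException $e) {
    // Keep the real reason (e.g. "You have an error in your SQL syntax ... near ')'")
    // in the server log; never echo SQL error text into the page.
    error_log('update_post failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Update failed; see server log.');
}
```

With `ERRMODE_EXCEPTION` the original bug is diagnosed in one request: the log line names the statement fragment near the unexpected `)`. The same attribute should be set once in `mysql_connect.php` so every script on the site gets it, rather than per file as shown here.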

If you use GET, use GET then ;-)

    $post_id = $_GET['post_id'];
    $title = $_GET['title'];
    $body = $_GET['body'];

If you use POST, use POST:

    $post_id = $_POST['post_id'];
    $title = $_POST['title'];
    $body = $_POST['body'];

According to your last comment, try changing this:

    if($row){
      echo '<form method="post" action="php/update_post.php">';
      echo '<input type="hidden" name="post_id" value="'.$_GET['id'].'">';
      echo '<div class="form-group">';
      echo '  <input type="text" class="form-control" name="title" id="title" placeholder="Post Title" autocomplete="off" value="'.$row['title'].'" required />';
      echo '</div>';
      echo '<div class="form-group">';
      echo '  <textarea class="form-control" name="body" id="body">'.$row['body'].'</textarea>';
      echo '</div>';
      echo '<input type="submit" value="Update Post" class="btn btn-default" />';
      echo '</form>';
    }
Alex
  • I think he got mixed up since he was using `$_GET` on the form since the post id was part of the query string. – Matt Altepeter Feb 25 '15 at 17:17
  • yes, but check his original code that I try to fix. He mixed GET and POST – Alex Feb 25 '15 at 17:18
  • Yeah, I see that. I didn't expand enough on my comment. I was guessing he used `$_GET` for the post_id in update_post.php since that's what he was doing in editpost.php. All in all we agree. – Matt Altepeter Feb 25 '15 at 17:30
  • Actually, upon closer inspection of his original code, I noticed he is passing the ID to the update script as part of the form action – Matt Altepeter Feb 25 '15 at 17:31
  • Yeah, I was using form action as POST but was passing the post id as GET. I've changed the post id to be sent through a hidden input type, but it hasn't changed the issue. – xSpartanCx Feb 25 '15 at 18:13
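The answer above moves `post_id` into a hidden field, which fixes the GET/POST mix-up but leaves two things the asker's `editpost.php` still does: it writes `$_GET['id']`, `$row['title']` and `$row['body']` into the page unescaped (the body is TinyMCE HTML, so a stored `</textarea>` ends the field early and anything after it is rendered), and the form can be submitted on the author's behalf by any other site the logged-in author visits. The following is an added example of `editpost.php`, not the asker's or the answerer's code, that validates the id before querying, escapes every value it emits, and carries a per-session CSRF token alongside the hidden id. It assumes `php/mysql_connect.php` provides `$db` as a PDO connection, that PHP sessions are available, and that the page already sits behind the site's password check; the `h()` helper and the `csrf_token` field name are choices made here, not names from the page.

```php
<?php
// Added example (not code from the question or the answers): editpost.php rendering
// the update form with a validated id, escaped output and a CSRF token. Assumes
// php/mysql_connect.php creates $db (a PDO object), posts.id is an integer column,
// and the page is already behind the site's password check.
session_start();
require 'php/mysql_connect.php';
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Escape a value for an HTML attribute or element body. Inside <textarea> the
// browser decodes entities before handing the text to scripts, so TinyMCE still
// receives the stored HTML; what it can no longer do is break out of the field.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// One random token per session. update_post.php must compare the submitted copy
// with hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '') before
// running the UPDATE (hypothetical field name chosen for this example).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validate the id before it reaches the query or the page, so a non-numeric value
// is a plain 404 instead of being echoed back into a form action.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    http_response_code(404);
    exit('Post not found.');
}

$q = $db->prepare('SELECT id, title, body FROM posts WHERE id = :post_id LIMIT 1');
$q->bindValue(':post_id', $id, PDO::PARAM_INT);
$q->execute();
$row = $q->fetch(PDO::FETCH_ASSOC);

if (!$row) {
    http_response_code(404);
    exit('Post not found.');
}
?>
<form method="post" action="php/update_post.php">
  <input type="hidden" name="post_id" value="<?= h((string) $row['id']) ?>">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <div class="form-group">
    <input type="text" class="form-control" name="title" id="title"
           placeholder="Post Title" autocomplete="off"
           value="<?= h($row['title']) ?>" required>
  </div>
  <div class="form-group">
    <textarea class="form-control" name="body" id="body"><?= h($row['body']) ?></textarea>
  </div>
  <input type="submit" value="Update Post" class="btn btn-default">
</form>
```

Two caveats apply to the hidden field itself. It is no more trustworthy than the query string was: as James Spence's comment notes, a logged-in user can still change it, so if the blog ever gains a second author the UPDATE needs a `WHERE author_id = :current_user` condition in addition to `id`. And escaping on output does not sanitise the stored HTML; if untrusted people can ever write posts, the TinyMCE body needs an HTML allow-list filter on save as well, which is outside what this page covers.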