Update user Input by name

Question

I'm trying to make a script that updates a row, from the user input row (2 different rows).

Lets say, the table has 'timeleft', and 'user'. The user will type in the 'user', and the time, so the 'timeleft' gets updated.

I've tried doing it, but I can't as I just starded learning PHP like for a week now.

$db = mysql_connect(dbhost, dbuser,dbpass);
if($db){
    mysql_select_db(dbname);

    print('
        <form action="" method="POST">
                <div class="InputLine"><span class="CTBanForm">Nombre: </span><input type="text" name="IntroducedName" placeholder="Nombre..."></div>
                <div class="InputLine"><span class="CTBanForm">Tiempo: </span><input type="text" name="IntroducedTime" placeholder="Tiempo en numeros..."></div>
                <input type="submit" value="Borrar" name="PerformDelete">
        </form>
        ');
    if(empty($_POST['IntroducedName'])){
        echo '<div id="IDEmpty">Introduzca un nombre porfavor...</div>';
    }else if(empty($_POST['IntroducedTime'])){
        echo '<div id="IDEmpty">Introduzca un numero porfavor...</div>';
    }else{

        /* SQL STATEMENTS! */
        $IntroducedNameSQLSelect = 'SELECT '.$_POST['IntroducedName'].'" FROM CTBan_Log';

        $IntroducedTimeSQLUpdate = 'UPDATE '.$_POST['IntroducedTime'].'" FROM CTBan_Log WHERE timeleft=?';
        /* END SQL STATEMENTS! */
        if(!empty($_POST['IntroducedName'])){

            mysql_query($IntroducedNameSQLSelect);
            if(mysql_query($delete)){
                echo '<div id="Hecho"> Hecho. </div>';
            }
            else{
                echo '<div id="NoHecho"> Error, no se pudo realizar. </div>';
            }
        }
        else if(!empty($_POST['IntroducedTime'])){

            mysql_query($IntroducedTimeSQLUpdate);
            if(mysql_query($delete)){
                echo '<div id="Hecho"> Hecho. </div>';
            }
            else{
                echo '<div id="NoHecho"> Error, no se pudo realizar. </div>';
            }
        }
    }
    mysql_close($db);
}

Issues with best practices etc. aside (you may want to take a look at this [site](http://www.phptherightway.com) for some hints). What are the errors actual you encounter? — Nikolas Grottendieck, Apr 05 '15 at 20:18
You've broken a few rules in SQL. You're introducing SQL injection, then you're using a prepared statements' method with `WHERE timeleft=?` and not binding anything. Don't ask yourself why your code isn't working. — Funk Forty Niner, Apr 05 '15 at 20:23
Here, do this `mysql_query($IntroducedNameSQLSelect) or die(mysql_error());` and you'll see what I mean. — Funk Forty Niner, Apr 05 '15 at 20:32
Fred, i'd actualy like to thank You! And thank hr.anvari! I almost done fixing my script! — YassineR, Apr 05 '15 at 21:36
You're very much welcome, glad to know you've found your solution, *cheers* — Funk Forty Niner, Apr 05 '15 at 22:05

YassineR · Accepted Answer · 2017-07-07T14:15:21.047

I've found the solution:

I fixed the SQL statement, thanks to hr.anvari. I used this:

'UPDATE CTBan_Log SET timeleft="'.$time.'" WHERE perp_name="'.$_POST['IntroducedName'].'"'

$time = mysql_real_escape_string($_POST['IntroducedTime']); // Had to use this to get numbers passed to Mysql.

instead of this(wth :P):

    /* SQL STATEMENTS! */
    $IntroducedNameSQLSelect = 'SELECT '.$_POST['IntroducedName'].'" FROM CTBan_Log';

    $IntroducedTimeSQLUpdate = 'UPDATE '.$_POST['IntroducedTime'].'" FROM CTBan_Log WHERE timeleft=?';
    /* END SQL STATEMENTS! */

Thats all. I need to use mysqli tho. Thanks both Fredy, and hr.anvari(SQL).

You can also accept your own answer when Stack lets you ;-) – Funk Forty Niner Apr 05 '15 at 22:06 — Funk Forty Niner, Apr 05 '15 at 22:06

score 0 · Answer 2 · edited May 23 '17 at 11:43

First of all, you should stop using mysql extension because it is deprecated. More details on this here: Why shouldn't I use mysql_* functions in PHP?

Second, the answer to your question:

displayform.html:

<form action="processform.php" method="POST">
  <div class="InputLine">
    <span class="CTBanForm">Nombre: </span>
    <input type="text" name="IntroducedName" placeholder="Nombre...">
  </div>
  <div class="InputLine">
    <span class="CTBanForm">Tiempo: </span>
    <input type="text" name="IntroducedTime" placeholder="Tiempo en numeros...">
  </div>
  <input type="submit" value="Borrar" name="PerformDelete">
</form>

processform.php:

<?php

if (isset($_POST['IntroducedName']) && isset($_POST['IntroducedTime'])) {

    $mysqli = new mysqli('localhost', 'user', 'password', 'mysampledb');

    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }

    $stmt = $mysqli->prepare("UPDATE CTBan_Log SET timeleft=? WHERE user=?");
    // assuming user is [s]tring and timeleft is [i]nteger
    $stmt->bind_param('is', $timeleft, $user);   

    $user = $_POST['IntroducedName'];
    $timeleft = $_POST['IntroducedTime'];

    /* execute prepared statement */
    $stmt->execute();

    printf("%d Row(s) updated.\n", $stmt->affected_rows);

    /* close statement and connection */
    $stmt->close();

    /* close connection */
    $mysqli->close();
}
else{
    echo "Please go back and complete all form fields!"
}

?>

So, what did you change that will inform others visiting the question? Oh, I see...a total rewrite. Doesn't really answer the question as to why their code is failing. — Funk Forty Niner, Apr 05 '15 at 20:41

Update user Input by name

2 Answers2