
I want to update a row in a table and it is not updating. This is my HTML and PHP code:

<?php
if ($_GET) {
    if (isset($_GET['id'])) {
        $id = preg_replace('#[^0-9]#', '', $_GET['id']);
        echo $id;
        $query = "SELECT * FROM posts WHERE id='{$id}'";
        $result = mysqli_query($connect, $query);
        $rows = mysqli_fetch_assoc($result);
    } elseif (empty($_GET['id'])) {
        header("location: manage_posts.php");
    }
}
?>
<form action="modify_post.php?id=<?php echo $id; ?>" method="post">
    <h3>Post Title <?php //echo $id; ?></h3>
    <input name="title" value="<?php echo $rows['title'];?>" type="text" placeholder="Title here ..." id="title" required>
    <h3>Post Content</h3>
    <textarea name="content" required  placeholder="Title here ..." style="resize: none"><?php echo $rows['content'];?></textarea>
    <br/>
    <input type="submit" value="Update" id="submit"/>
</form>
<?php
if ($_SERVER['REQUEST_METHOD'] === 'POST') {

    if ($_POST['title'] != "" || $_POST['content'] != "") {
        $id = preg_replace('#[^0-9]#', '', $_GET['id']);
        $sql = "UPDATE posts SET title='{$_POST['title']}', content='{$_POST['content']}' WHERE id='{$id}'";
        $update_result = mysqli_query($connect, $sql);

        if (isset($result)) {
            echo "<h2>Update successfully, redirecting back ...</h2>";
        } else {
            echo "Record hasn't been Updated" . mysqli_errno($result);
        }

        header("location: manage_posts.php");
    } else {
        echo "<h3>Please fill all fields</h3>";
    }
}
?>

This is all I could come up with!

I don't know where the problem is coming from.

Danila Ganchar
Bouzaid

1 Answer

a) avoid SQL injections, e.g. with prepared statements + parameters
b) add more error handling and parameter checking.

<?php
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    echo 'wrong method';
}
else if ( !isset($_POST['title'], $_POST['content']) ) {
    echo 'missing POST parameters';
}
else if ( !isset($_GET['id']) ) {
    echo 'missing GET parameter';
}
else if ($_POST['title'] == "" || $_POST['content'] == "") {
    echo '<h3>Please fill all fields</h3>';
}
else {
    // placeholders instead of string interpolation: the values never become part of the SQL text
    $stmt = $connect->prepare('UPDATE posts SET title=?, content=? WHERE id=?');
    if ( !$stmt ) {
        trigger_error('prepare failed', E_USER_ERROR);
    }
    else  if ( !$stmt->bind_param('sss', $_POST['title'], $_POST['content'], $_GET['id']) ) {
        trigger_error('bind_param failed', E_USER_ERROR);
    }
    else if ( !$stmt->execute() ) {
        trigger_error('execute failed', E_USER_ERROR);
    }
    else {
        // affected_rows is a property of mysqli_stmt, not a method
        echo '# of updated rows: ', $stmt->affected_rows;
    }
}

see also

VolkerK
  • That's object oriented, I think! – Bouzaid Aug 16 '15 at 15:20
  • Yes, it is! So what? – VolkerK Aug 16 '15 at 15:20
  • I'm still new to this language, only applying what I've just learned on the procedural PHP. – Bouzaid Aug 16 '15 at 15:22
  • `mysqli_prepare($connect, ...)` vs `$connect->prepare()` - not a big deal. – VolkerK Aug 16 '15 at 15:25
  • btw: I didn't take into account that printing the form's code and processing the response happens in the same script, so you probably have to adjust the first if-condition. – VolkerK Aug 16 '15 at 15:26
  • I really have no idea about that, I've just started learning PHP 4 days ago! – Bouzaid Aug 16 '15 at 15:27
  • It really doesn't matter in case of using the mysqli extension. You can always switch back and forth between the procedural style (what you're currently using) and the OO style. See http://docs.php.net/mysqli.quickstart.dual-interface – VolkerK Aug 16 '15 at 15:33
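The following is an added example, not code from the question or the answer above. It takes the answer's two points (prepared statements with bound parameters, and explicit error and parameter checks) and writes them in the procedural mysqli style the asker is using, with the form display and the POST handling in one `modify_post.php` as the question does, which is the adjustment VolkerK's comment mentions. It assumes `$connect` is a mysqli link created in an included `connect.php` (the question uses `$connect` but never shows where it comes from) and a `posts` table with integer `id`, `title` and `content` columns; `connect.php`, `manage_posts.php` and the column types are assumptions.

```php
<?php
// Added example, not the original post's or answer's code.
// Assumed: $connect is a mysqli link from an included connect.php,
// and the table is `posts` (id INT, title, content) as in the question.
require 'connect.php';

// Throw mysqli_sql_exception on any failure instead of returning false
// silently, so a failed prepare/execute cannot be mistaken for success.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The id comes from the query string on both the GET and the POST request
// (the form's action keeps ?id=...). Accept only a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    header('Location: manage_posts.php');
    exit; // always stop after a redirect, otherwise the rest of the script still runs
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $title   = $_POST['title']   ?? '';
    $content = $_POST['content'] ?? '';

    if ($title === '' || $content === '') {
        // the question's `!= "" || != ""` test let a single empty field through
        $error = 'Please fill all fields';
    } else {
        // Values travel separately from the SQL text, so a title such as
        // "x', content='owned' WHERE id='1' -- " is stored literally, not executed.
        $stmt = mysqli_prepare($connect, 'UPDATE posts SET title = ?, content = ? WHERE id = ?');
        mysqli_stmt_bind_param($stmt, 'ssi', $title, $content, $id);
        mysqli_stmt_execute($stmt);

        // 0 affected rows means no post with that id (or unchanged values);
        // the question's isset($result) check could never detect this.
        $updated = mysqli_stmt_affected_rows($stmt);
        mysqli_stmt_close($stmt);

        if ($updated === 0) {
            $error = 'No row was updated for id ' . $id;
        } else {
            header('Location: manage_posts.php'); // must come before any echo
            exit;
        }
    }
}

// GET (or a failed POST): load the current row, also through a bound parameter.
$stmt = mysqli_prepare($connect, 'SELECT title, content FROM posts WHERE id = ?');
mysqli_stmt_bind_param($stmt, 'i', $id);
mysqli_stmt_execute($stmt);
$row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
mysqli_stmt_close($stmt);

if ($row === null) {
    header('Location: manage_posts.php');
    exit;
}

// Escape when echoing into HTML so stored text cannot inject markup.
$e = static function (string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
};
?>
<?php if (isset($error)): ?><h3><?= $e($error) ?></h3><?php endif; ?>
<form action="modify_post.php?id=<?= (int) $id ?>" method="post">
    <h3>Post Title</h3>
    <input name="title" type="text" value="<?= $e($row['title']) ?>" placeholder="Title here ..." required>
    <h3>Post Content</h3>
    <textarea name="content" required style="resize: none"><?= $e($row['content']) ?></textarea>
    <br/>
    <input type="submit" value="Update">
</form>
```

Two things in this layout matter for the "not updating" symptom as much as the injection fix: the redirect is issued before anything is echoed and is followed by `exit`, and success is judged from `mysqli_stmt_affected_rows()` rather than from whether some variable happens to be set. With `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` a wrong column name or a dropped connection surfaces as an exception instead of a silent `false`.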