PHP form update all mysql rows instead of 1

Question

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_GET[ID]'";
mysql_query($UpdateQuery, $con);
}

$sql = "SELECT * FROM eventcalendar";
$myData = mysql_query($sql,$con);

echo "<table border=1'>
<tr>
<th>Id</th>
<th>Title</th>
<th>Detail</th>
<th>Event Date</th>
<th>Date Added</th>
</tr>";

while($row = mysql_fetch_array($myData)){
    echo "<form action=details.php method=post>";
    echo "<tr>";
    echo "<td>" . $row['ID'] . "</td>";
    echo "<td>" . "<input type=text name=title value=" . $row['Title'] . " </td>";
    echo "<td>" . "<input type=text name=detail value=" . $row['Detail'] . " </td>";
    echo "<td>" . $row['eventDate'] . "</td>";
    echo "<td>" . $row['dateAdded'] . "</td>";
    echo "<td>" . "<input type=submit name=update value=update" . " </td>";

    echo "</tr>";
    echo "</form>";
}
echo "</table>";

mysql_close($con);

This is my code, yet when i try to execute it, it execute all my rows in my table instead of the only 1 I edited. I've searched for like 2 hours but still can't find it. Does any of you know maybe how I can fix this?

If you can, you should stop using mysql_* functions. They are officially deprecated. These extensions have been removed in PHP 7. Learn about prepared statements instead, and consider using PDO, it's really not hard. — Jay Blanchard, Sep 16 '15 at 13:38
If you're using `$_GET[ID]` as your identifier for your update you need to add it to the action of your form. — user2959229, Sep 16 '15 at 13:39
Ye i'll try it later definitely but I'm just a newcomer I just started and this is like a small project I have to do. But in the future definitely! — Emre, Sep 16 '15 at 13:40
How do I do that user? So what did I do wrong what do I have to edit? — Emre, Sep 16 '15 at 13:40

score 0 · Accepted Answer · answered Sep 16 '15 at 13:41

Looks like you need to include the ID in the form action.

echo '<form action="details.php?ID='.$row['ID'].'" method="post">';

This will allow the use of the $_GET['ID'] value in your update query.

Alternatively, add the ID as a hidden field in your form like

echo '<input type="hidden" name="ID" value="'.$row['ID'].'">';

And change the SQL query to use $_POST['ID'] instead of $_GET['ID'].

$UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_POST[ID]'";

Something you also need to look into is escaping the input that you're using with your SQL statement.

score 0 · Answer 2 · edited May 23 '17 at 10:27

0

Aside from the SQL Injection issues, your problem is that:

You're using $_GET[ID] in your query, instead of $_POST[ID]
You aren't posting the ID back to the form at all. Try adding this:

echo "<input type='hidden' name='ID' value='{$row[ID]}'>";

edited May 23 '17 at 10:27

Community

1
1

answered Sep 16 '15 at 13:42

samlev

5,852
1
26
38

I used user2959229's answer and it helped! Thanks for your input tho! – Emre Sep 16 '15 at 13:48

score 0 · Answer 3 · answered Sep 16 '15 at 13:48

Your $_POST[title], $_POST[detail] and $_GET[ID]are interpreted as plain strings, not as the evaluated value, to get the evaluated value, you have to make use of concatenation.

Update this part :

if (isset($_POST['update'])){
   $UpdateQuery = "UPDATE eventcalendar SET Title='$_POST[title]', Detail='$_POST[detail]' WHERE ID='$_GET[ID]'";
   mysql_query($UpdateQuery, $con);
}

to this:

if (isset($_POST['update']))
{
   $UpdateQuery = "UPDATE eventcalendar SET Title='". $_POST['title']. "', Detail='". $_POST['detail']. "' WHERE ID='". $_POST['ID']. "'";
   mysql_query($UpdateQuery, $con);
}

Thank you for your input, User2959229's answer helped! – Emre Sep 16 '15 at 13:50 — Emre, Sep 16 '15 at 13:50

PHP form update all mysql rows instead of 1

3 Answers3