1

I have a value coming from another form in the same page called $_POST['serial']. I want to use this value to run a query in another form, but after I submit the second form nothing happens and the query does not run.

```php
<?php

if (isset($_POST['serial'])) {
    $serial = $_POST['serial'];
?>
    <form action="" method="post">
        <button type="submit" name="submit">Click to use</button>
    </form>
<?php
    if (isset($_POST['submit'])) {
        $query = mysql_query("UPDATE table_name SET status = 'inactive' WHERE serial = '$serial'");
    }
}

?>
```
Jay Blanchard
Mahmoud Yhya
  • 3
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Sep 21 '15 at 16:24
  • 6
    If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Sep 21 '15 at 16:24
  • Make the first variable a hidden input value in your second form. – Jay Blanchard Sep 21 '15 at 16:25
  • I got it, thank you very much. – Mahmoud Yhya Sep 22 '15 at 01:53

2 Answers

6

To pass the variable along you would create a hidden input on your second form to contain the value:

```php
<?php
    // check and clean up the passed variable
    $serial = isset($_POST['serial']) ? htmlspecialchars($_POST['serial']) : '';
?>

<form action="" method="post">
    <input type="hidden" name="serial" value="<?php echo $serial; ?>" />
    <button type="submit" name="submit">Click to use</button>
</form>
```

For Safety's Sake

Your script is at risk for SQL Injection Attacks.

If you can, you should stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really not hard.

Additional Thoughts

If you're planning to do a two-step form you'll likely want to place all of the data processing outside of the form page, in a separate PHP file. With the limited code that you have shown I fear that we will miss something in our answers which will lead you to additional questions because your code still isn't working as you would expect.

Community
Jay Blanchard
  • **Danger**: This code is [vulnerable to XSS](https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)). User input needs escaping before being inserted into an HTML document! – Quentin Sep 21 '15 at 16:31
  • @JayBlanchard — Yes, but the XSS problem is a new one that you introduced (and which your SQL injection focused edit does not address) – Quentin Sep 21 '15 at 16:32
  • @JayBlanchard — `value=""` creates the XSS problem. Prepared statements won't help with it. – Quentin Sep 21 '15 at 16:34
  • Thanks for your advice about using another way of mysql statements, and thanks again for your solution, it worked for me :) – Mahmoud Yhya Sep 22 '15 at 01:52
0

A button needs a name and a value to be successful. Your button doesn't have a value so $_POST['submit'] will be undefined.

Add a value attribute to your <button> element.


After you do that, $serial will be undefined because your form doesn't submit that.

You need to include it in your form too:

```php
<input type="hidden" name="serial" value="<?php echo htmlspecialchars($serial); ?>">
```
Quentin
  • 1
    Sidenote: since the OP is using it in the same file, `value=""` will throw an undefined variable serial notice in HTML source on initial page load. – Funk Forty Niner Sep 21 '15 at 16:41
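
The advice from both answers combined, as an added example that is not code from the question or from either answer: the serial travels in an escaped hidden field, the button carries a value, and the UPDATE uses a PDO prepared statement. The table name `devices`, the function names, the sample serials and the in-memory SQLite DSN (standing in for MySQL so the script runs offline) are assumptions.

```php
<?php
// Added example. Assumed schema: devices(serial, status). SQLite in memory
// replaces the MySQL server here; in practice use a "mysql:host=...;dbname=..." DSN.

function deactivate(PDO $pdo, array $post): int
{
    // Act only when the second form was submitted and carried the serial.
    if (!isset($post['submit'], $post['serial']) || !is_string($post['serial'])) {
        return 0;
    }
    // The serial is bound as data and never concatenated into the SQL text.
    $stmt = $pdo->prepare("UPDATE devices SET status = 'inactive' WHERE serial = :serial");
    $stmt->execute([':serial' => $post['serial']]);
    return $stmt->rowCount();
}

function secondForm(string $serial): string
{
    // Escape for a quoted HTML attribute before echoing user input.
    $safe = htmlspecialchars($serial, ENT_QUOTES, 'UTF-8');
    return '<form action="" method="post">'
         . '<input type="hidden" name="serial" value="' . $safe . '">'
         . '<button type="submit" name="submit" value="1">Click to use</button>'
         . '</form>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE devices (serial TEXT PRIMARY KEY, status TEXT)");
$pdo->exec("INSERT INTO devices VALUES ('SN-100', 'active'), ('SN-200', 'active')");

// Constructed requests: step 1 (serial only), step 2 (hidden serial + submit),
// and a step 2 whose serial contains quote characters.
$step1   = ['serial' => 'SN-100'];
$step2   = ['serial' => 'SN-100', 'submit' => '1'];
$hostile = ['serial' => "SN-200' OR '1'='1", 'submit' => '1'];

echo secondForm($step1['serial']), "\n";
echo secondForm('"><b>x</b>'), "\n";   // markup in the value is rendered inert
echo "step 1 rows changed: ", deactivate($pdo, $step1), "\n";
echo "step 2 rows changed: ", deactivate($pdo, $step2), "\n";
echo "hostile rows changed: ", deactivate($pdo, $hostile), "\n";
```

On a real page, pass `$_POST` as the second argument of `deactivate()` and echo `secondForm()` only after the first form has supplied a serial.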