
I've been searching related questions for answers, but it seems like my case is unique. I am attempting to use values passed in a link in an update statement. I am able to populate my update form using the values passed in the link, but the update fails even though I have all variables set.

This is the link returning the value

```php
<a href="edit_student.php?student=<?php echo urldecode($student["student_id"]) ?>"><span class="glyphicon glyphicon-pencil"></span></a>
```

This is my function

```php
function find_student_by_id($student_id) {
    global $connection;

    $query = "select * from students where student_id = {$student_id} limit 1";
    $found_student = mysqli_query($connection, $query);
    confirm_query($found_student);
    return $found_student;
}
```

This is my update code

```php
<?php
// Checking for a set employee ID
if (isset($_GET["student"])) {
    $selected_student = find_student_by_id($_GET["student"]);
}

// Processing the form
if (isset($_POST['submit'])) {
    # process the form

    $student_id = $_GET["student"];
    $fname = ucfirst($_POST["s_fname"]);
    $lname = ucfirst($_POST["s_lname"]);
    $mname = ucfirst($_POST["s_mname"]);
    $sex = $_POST["sex"];
    $dob = $_POST["s_dob"];
    $home_address = ucwords($_POST["home_address"]);
    $guardian = ucwords($_POST["guardian"]);
    $contact_address = ucwords($_POST["contact_address"]);
    $phone = $_POST["g_phone"];
    $email = $_POST["g_email"];
    $year = $_POST["entry_year"];

    $query  = "update students set s_fname = '{$fname}', s_lname = '{$lname}', s_mname =  '{$mname}', sex = '{$sex}', s_dob = {$dob}, home_address = '{$home_address}', guardian = '{$guardian}', contact_address = '{$contact_address}', g_phone = {$phone}, g_email = '{$email}', entry_year = {$year}) where student_id = {$student_id}";

    $result = mysqli_query($connection, $query);

    if ($result) {
        # successful
        $_SESSION["message"] = "Updated student information successfully.";
        if ($year == 0) {
            redirect_to("preschool.php");
        } elseif ($year == 1) {
            redirect_to("year1.php");
        } elseif ($year == 2) {
            redirect_to("year2.php");
        } elseif ($year == 3) {
            redirect_to("year3.php");
        } elseif ($year == 4) {
            redirect_to("year4.php");
        } elseif ($year == 5) {
            redirect_to("year5.php");
        } elseif ($year == 6) {
            redirect_to("year6.php");
        }
    } else {
        # failure
        $_SESSION["message"] = "Update unsuccessful.";
        redirect_to("edit_student.php");
    }
}

?>
```

When I submit the form, I get the error in the image attached.

I have `$selected_student` set at the top of my code, yet I still get an undefined variable warning. How do I fix this? I have been on it for some hours now. Appreciate any help.

Mena
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Dec 09 '15 at 19:20
  • @JayBlanchard I will be using prepared statements eventually – Mena Dec 09 '15 at 19:26
  • If you start out using them you don't have to go back and replace. – Jay Blanchard Dec 09 '15 at 19:30
  • You're getting a false positive. Use `affected_rows` instead on update. Make sure you started the session also – Funk Forty Niner Dec 09 '15 at 19:33
  • What is at line 76? My guess is the undefined variable `$selected_student` is occurring because when the query is unsuccessful, you are redirecting to the same page but without the `student` key set in the url. – kunruh Dec 09 '15 at 19:34
  • Plus, your fetch_assoc related error; no code to support the question/error and something obviously failed you. – Funk Forty Niner Dec 09 '15 at 19:36
  • @kunruh This is what's on line 76: `while ($current_student = mysqli_fetch_assoc($selected_student)) {` – Mena Dec 09 '15 at 19:43
  • @Fred-ii- I am not sure what you mean by using affected_rows on update. If I change the where clause to use a name instead of an id, the update is successful. How do I get to use the id properly? I don't know if this is right: `$student_id = $_GET["student"];` – Mena Dec 09 '15 at 19:47
  • @Mena Okay, then it looks like that's the same issue. Both those errors are due to not actually having `$selected_students` set after you are redirected. Something went wrong with your first query, and when you redirect after the unsuccessful result, you aren't setting `$selected_students` because it is inside an if statement. You'll need some more condition checking or initialize `$selected_students` before the if statement. – kunruh Dec 09 '15 at 19:49
  • @kunruh OK, I set `$selected_student = "null"` before the if statement and that has dealt with the undefined variable error, leaving the second error, which is a warning. I am sorry, but I am stuck right now, so I need help in a bid to fix this – Mena Dec 09 '15 at 19:59
  • This is because even though you initialized it, you are still passing `null` to `mysqli_fetch_assoc` on line 76. A quick fix for this would be to put that statement in an if statement and only execute it if `$selected_students` is not null. Remember, when you hit that failure redirect, those GET variables are gone. If you want to retain that, set it in your redirect url as well. But this is only just fixing your error output; I think the real issue here is your first `mysql_query` statement is returning false. Which means there is something wrong with your sql statement. Look over that – kunruh Dec 09 '15 at 20:07
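
Added example (not part of the original thread, and not the poster's code): the question's UPDATE rewritten as a mysqli prepared statement, with the `student` id validated as an integer and kept in the failure redirect, as the comments above suggest. The helper names `valid_student_id` and `update_student` are hypothetical; the column types, an open `$connection`, and a form that posts every field are assumptions.

```php
<?php
// Added example, not the poster's code. Assumes $connection is an open mysqli link
// and the students table has the columns named in the question (types are guesses).

/** Returns the validated integer id, or null for a missing/non-numeric ?student= value. */
function valid_student_id($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ["options" => ["min_range" => 1]]);
    return $id === false ? null : $id;
}

/** Returns the number of changed rows, or false when the statement fails. */
function update_student(mysqli $connection, int $id, array $f) {
    $sql = "update students set s_fname = ?, s_lname = ?, s_mname = ?, sex = ?, s_dob = ?, "
         . "home_address = ?, guardian = ?, contact_address = ?, g_phone = ?, g_email = ?, "
         . "entry_year = ? where student_id = ?";
    $stmt = mysqli_prepare($connection, $sql);
    if ($stmt === false) {
        error_log("prepare failed: " . mysqli_error($connection));
        return false;
    }
    $values = [
        ucfirst($f["s_fname"]), ucfirst($f["s_lname"]), ucfirst($f["s_mname"]),
        $f["sex"], $f["s_dob"], ucwords($f["home_address"]), ucwords($f["guardian"]),
        ucwords($f["contact_address"]), $f["g_phone"], $f["g_email"],
        (int) $f["entry_year"], $id,
    ];
    // Ten string parameters, then two integers (entry_year and student_id).
    mysqli_stmt_bind_param($stmt, "ssssssssssii", ...$values);
    if (!mysqli_stmt_execute($stmt)) {
        error_log("update failed: " . mysqli_stmt_error($stmt));
        mysqli_stmt_close($stmt);
        return false;
    }
    $changed = mysqli_stmt_affected_rows($stmt); // 0 when nothing changed or no row matched
    mysqli_stmt_close($stmt);
    return $changed;
}

// Usage in edit_student.php (redirect_to() is the page's own helper):
$id = valid_student_id($_GET["student"] ?? null);
if ($id !== null && isset($_POST["submit"])) {
    if (update_student($connection, $id, $_POST) === false) {
        $_SESSION["message"] = "Update unsuccessful.";
        // Keep ?student= in the URL so the form can reload the same record.
        redirect_to("edit_student.php?student=" . urlencode((string) $id));
    }
}
```

On PHP 8.1 and later mysqli throws `mysqli_sql_exception` by default, so the `false` checks apply to older versions or when error reporting is switched off.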
