Why is my update statement and form not working?

Question

I am relatively new to php. In the following code, I am trying to UPDATE the users 'dietID' (their current diet, of which they selected when they registered) so that it changes their dietID stored in the users database. However upon pressing the 'Change' submit button, nothing happens and nothing gets updated. Can anybody understand why?

Form processing code:

<?php 
if(trim($_POST['submit']) == "Change") {
        require_once("connect.php");
        if (!$db_server) {
            die("Unable to connect to MySQL: " . mysqli_connect_error($db_server));
        } else {
            mysqli_select_db($db_server, $db_database) or die("<h1>Couldn't find db</h1>");
            //UPDATE records of users table
            $query="UPDATE users SET dietID=".$dietopt." WHERE ID= $sess_userID";
            mysqli_query($db_server, $query) or die("Update failed" . mysqli_error($db_server));   
        }
        require_once("db_close.php");
    } else {
        $message= "Your diet has been updated";
}

?>

Form:

Would you like to change what your current diet is? Please select one
<br>
<form action="account.php" method="post">
<td><input type="radio" name="dietopt" value="Meat-eater"/>Meat-eater</td>
<tr>
<td><input type="radio" name="dietopt" value="Vegetarian"/>Vegetarian</td></tr>
<tr>
<td><input type="radio" name="dietopt" value="Vegan"/>Vegan</td></tr>
<br>
<input type="submit" name="Change" value="Change">
<br>
    </form>

and the session variable created on the register page (not in any format, copy and pasted from snippets of the entire code of the register page):

$dietopt = $row['dietID'];

$_SESSION['diet'] = $dietopt;

$dietopt= trim($_POST['dietopt']);

The name of your submit button is "Change" so you have to access `$_POST['Change']` — , Jan 09 '16 at 22:41
Ok i changed that and then got this error: Update failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE ID= 34' at line 1 — clh, Jan 09 '16 at 22:52
Well if I had to guess, there's something wrong with `$dietopt`. Where do you set the value? — , Jan 09 '16 at 22:55
try `$query="UPDATE users SET dietID=".$_SESSION['diet']." WHERE ID= $sess_userID"` instead of your `$query` var; — Rodney Salcedo, Jan 09 '16 at 23:02
As it stands, *dietopt* (or at least *$_POST['dietopt']*) is a string value, like "Vegan", and the query string does not quote it, so therefore the syntax is invalid. Either it should be quoted, or the option values should be changed to the appropriate numbers. — trincot, Jan 10 '16 at 00:31

score 1 · Accepted Answer · edited May 23 '17 at 12:23

1

Some things to correct:

First the name of the submit button is "Change", so you should change:

if(trim($_POST['submit']) == "Change") {

by:

if(trim($_POST['Change']) == "Change") {

Secondly, the value of $dietopt will be a string, like "Vegan" and thus needs to be quoted. If this is indeed what you expect, then replace this line:

 $query="UPDATE users SET dietID=".$dietopt." WHERE ID= $sess_userID";

By:

 $query="UPDATE users 
         SET dietID='"
            .mysqli_real_escape_string($db_server,$_POST['dietopt']). "'
         WHERE ID= $sess_userID";

I used $_POST['dietopt'] here, but if you are sure the value of $dietopt is correctly set, you can use that instead.

The call to mysqli_real_escape_string protects against SQL injection via that value. I would advise to use prepared statements instead.

Finally, there is also something wrong with where you set the $message variable: it currently sets it when the user gets to this page without having submitted anything. Instead it should be set right after the successful update. So remove this:

} else {
    $message= "Your diet has been updated";

And add the message assignment after the query, like this:

    mysqli_query($db_server, $query) or die("Update failed" . mysqli_error($db_server));   
    $message= "Your diet has been updated";

Then, you should actually display that message somewhere. This depends on what else you want to display, but you could simply add to the end of your PHP block (before the closing ?>) the following:

 if (isset($message)) {
      echo "<h4 style='color:green'>$message</h4>";
 }

...or use whatever HTML and style you want.

To close, one final remark:

Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.

edited May 23 '17 at 12:23

Community

1
1

answered Jan 10 '16 at 00:28

trincot

317,000
35
244
286

Thank you for your time to reply, I appreciate it. I did the above but unfortunately get the error message :You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE ID= 32' at line 1. And 32 is the ID of that user, so have i done something wrong by putting sess_userID? – clh Jan 10 '16 at 09:53
No your sess_userID is fine. Please put an `echo $query;` and `print_r ($_POST['dietopt']);` right after you assign the SQL to *$query*, and tell what they print. Probably there is a problem with the *dieopt* parameter. – trincot Jan 10 '16 at 10:01
The error message I get when doing this is: UPDATE users SET dietID= WHERE ID= 32VeganUpdate failedYou have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE ID= 32' at line 1 – clh Jan 10 '16 at 10:03
N.B I didn't change the values of the forms to 1/2/3 as I wasn't sure if this was correct. It would update the column in my database with a number rather than the diet.. or am I understanding it uncorrectly – clh Jan 10 '16 at 10:04
Well, I am not sure how your database is organised. It is just that the column name "dietID" gives the impression it stores a number. But if you are sure that it intended to store values like "Vegan", then don't make the 1/2/3 change I suggest. I just wasn't sure if you had this as you wanted it. I am looking at your error now... – trincot Jan 10 '16 at 10:33
Yeah sorry my mistake of calling the column a strange name! ok I did that and removed the echo query you previously said about. and the error i got was "mysqli_real_escape_string() expects parameter 1 to be mysqli, string given" on line 58 (the line you just updated) – clh Jan 10 '16 at 10:50
Right I re copy and pasted the "$query="UPDATE users SET dietID='" .mysqli_real_escape_string($db_server,$_POST['dietopt']). "' WHERE ID= $sess_userID"; " and this time removed the space I had between the quotation mark and the fullstop after dietID, and its working! It's updating the database. THANK YOU very much for your time and patience. Just one thing, where abouts in my code can I edit so that the page says "your diet as been changed" rather than the page just refreshing and appearing as if it hasnt done anything? – clh Jan 10 '16 at 12:55
Ok thank you. I think I am just going to use an echo statement instead. Sorry one last question if you have the time, how do I echo "Please select a diet"" if the user presses 'change' but does not select anything? i.e if "change" button pressed but no radio button is selected.. echo "Please select a diet" – clh Jan 10 '16 at 13:47
You can test for this condition with `if(!isset($_POST['dietopt'])) { echo "Please select a diet"; } else { ... ` etc. I'll let you work out where to best put that :-) – trincot Jan 10 '16 at 13:53

Why is my update statement and form not working?

1 Answers1