beginner form with "update from" and "remove" buttons

Question

I'm a beginner with PHP. I watched a tutorial to create a form which modifies my wamp-created mysql database table. Copied the video at first, but then made my own table from scratch and tried to upgrade it.

My add row works correctly, but the update and remove do not. I think the WHERE clause is not correct, referencing reg_id.

I created a unique primary key, which auto-increments and cannot be modified; this is what I want to reference when changes are made (since it cannot be changed).

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE register SET First_Name='$_POST[first_name]', Last_Name='$_POST[last_name]', Breed='$_POST[breed]', Weight='$_POST[weight]', Age='$_POST[age]', Sex='$_POST[sex]' WHERE '$_POST[reg_id]'='$_POST[reg_id]'";
mysqli_query($con,$UpdateQuery);};

if (isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM register WHERE reg_id='$_POST[reg_id]'";
mysqli_query($con,$DeleteQuery);};

Here is the rest of it where the form is located:

while($record=mysqli_fetch_array($myData)){
  echo "<form action=register.php method=post>";
  echo "<tr>";
  echo "<td>" . $record['reg_id'] . " </td>";
  echo "<td>" . "<input type=text name=first_name value=" . $record['First_Name'] . " </td>";
  echo "<td>" . "<input type=text name=last_name value=" . $record['Last_Name'] . " </td>";
  echo "<td>" . "<input type=text name=breed value=" . $record['Breed'] . " </td>";
  echo "<td>" . "<input type=int name=weight value=" . $record['Weight'] . " </td>";
  echo "<td>" . "<input type=int name=age value=" . $record['Age'] . " </td>";
  echo "<td>" . "<input type=text name=sex value=" . $record['Sex'] . " </td>";
  echo "<td>" . "<input type=submit name=update value=update" . " </td>";
  echo "<td>" . "<input type=submit name=delete value=delete" . " </td>";
  echo "</tr>";
  echo "</form>";
}

Please help me fix it.

now is a good time to get in the habit of quoting your input attribute values, ie. `... name='first_name' value ='" . $record['First_Name'] . "' ...`. unquoted values for your attributes is going to cause you headaches very soon. Also, you are not closing your `name=update`/`name=delete` inputs. They are missing the `/>`. — Sean, Feb 16 '16 at 04:49
You should use prepared statements, this is open to SQL injections. You where clause is missing the column you want to check the `id` against the column should also be in backticks, not quotes. — chris85, Feb 16 '16 at 04:50
Your `reg_id` is not in an input, so there is no `$_POST['reg_id']` -> `echo "" . $record['reg_id'] . " ";` — Sean, Feb 16 '16 at 04:56
instead input type="submit" use `Edit` the redirect to an edit form — Matt Magallo, Feb 16 '16 at 04:59
Guys - Thanks for the responses. I will clean the code up, and yes, I have an error with the reg_id. Thats what I need help with. How should it be changed? — Nicho247, Feb 16 '16 at 05:13

score 0 · Answer 1 · edited May 23 '17 at 10:32

You are using $_POST without '.

Try this : {$_POST['first_name']} and replace all $_POST according to this.

So your update query will be like this :

"UPDATE register SET First_Name='{$_POST['first_name']}', Last_Name='{$_POST['last_name']}', Breed='{$_POST['breed']}', Weight='{$_POST['weight']}', Age='{$_POST['age']}', Sex='{$_POST['sex']}' WHERE reg_id='{$_POST['reg_id']}'";

There is no field with name reg_id, so your $_POST['reg_id'] will not work.Also please change your where condition. You are matching same value in where condition.

And your delete query will be :

"DELETE FROM register WHERE reg_id='{$_POST['reg_id']}'";

Your query is open for sql injection. Refer this :How can I prevent SQL injection in PHP?

inside double quotes `"$_POST[first_name]"`, keys don't need to be quoted. But if they are quoted, then the brackets `{ }` are required. — Sean, Feb 16 '16 at 04:51

Matt Magallo · Answer 2 · 2016-02-16T05:42:49.143

0

display page

while($record = mysqli_fetch_array($myData)) {
            echo "<table>";
            echo "<tr>";
            echo "<td>".$record['reg_id']."</td>";
            echo "<td>".$record['First_Name']."</td>";
            echo "<td>".$record['Last_Name']."</td>";
            echo "<td>".$record['Breed']."</td>";
            echo "<td>".$record['Weight']."</td>";
            echo "<td>".$record['Age']."</td>";
            echo "<td>".$record['Sex']."</td>";
            echo "<td><a href='edit.php?reg_id=".$record['reg_id']."'>EDIT</a></td>";
            echo "<td><a href='delete.php?reg_id=".$record['reg_id']."'>DELETE</a></td>";
            echo "</tr>";
            echo "</table>";
        }

delete.php

  <?php 
    if (isset($_POST['delete'])){
    $DeleteQuery = "DELETE FROM `register` WHERE `reg_id`={$_GET['reg_id']}'";
    mysqli_query($con,$DeleteQuery);
   header("Location: your display page");
};
    ?>

Edit Form

while($record = mysqli_fetch_array($myData)) {
    echo '<form action="edit.php" method="Post">
            <input type="text" name="First_Name" value="'.$record['reg_id'].'"/>
            <input type="text" name="First_Name" value="'.$record['First_Name'].'"/>
            <input type="text" name="Last_Name" value="'.$record['Last_Name'].'"/>
            <input type="text" name="Breed" value="'.$record['Breed'].'"/>
            <input type="text" name="Weight" value="'.$record['Weight'].'"/>
            <input type="text" name="Age" value="'.$record['Age'].'"/>
            <input type="text" name="Sex" value="'.$record['Sex'].'"/>
            <imput type="submit" value="save" name="submit" />
        </form>';
    }

edit.php

       if (isset($_POST['update'])){
        $UpdateQuery = "UPDATE `register` SET `First_Name`='{$_POST['first_name']}', `Last_Name`='{$_POST['last_name']}', `Breed`='{$_POST['breed']}', Weight='{$_POST['weight']}', `Age`={$_POST['age']}, Sex='{$_POST['sex']}' WHERE `reg_id`={$_GET['reg_id']}";
        mysqli_query($con,$UpdateQuery);
        header("Location: your display page");
};

edited Feb 16 '16 at 05:42

answered Feb 16 '16 at 04:52

Matt Magallo

328
1
20

Big problem in that `$_POST['reg_id']` does not exist, as there is not input element with the `reg_id`. – Sean Feb 16 '16 at 04:53
That is even worse. How will the OP get a `$_GET` from `
`? Also, why did you do `$_GET` in the `UPDATE`, but still have `$_POST` in the `DELETE`?
– Sean Feb 16 '16 at 04:58
instead of using input type="submit" use Edit the redirect to an edit form, by the he could $_GET the reg_id @Sean – Matt Magallo Feb 16 '16 at 05:03
well, then that would be good to put in your answer, as that makes a major change to the OP's current structure, as that is their edit form. so now you are recommending that they have a link in their edit form to a new edit form, instead of just posting the data in their current edit form. – Sean Feb 16 '16 at 05:04
yeah, as much as possible i have to be inline with the question and do not revise his whole question. my bad – Matt Magallo Feb 16 '16 at 05:07
1

no, if you feel that there is a better way to do something, you can do that on SO. You just need to clearly explain it in your answer, not as a comment. There are many times that I have given answers that show the OP how to completely redo their code. You just need to give clear reasons why your way would better accomplish what they intend to do. Happy coding! – Sean Feb 16 '16 at 05:12
Matt - Thanks for the recommendation, however it doesn't fix my issue. The update and delete buttons don't work due to my incorrect usage of reg_id. How do I fix that? – Nicho247 Feb 16 '16 at 05:15
i've revised the code for simplicity purposes, that's what i have in mind to avoid you from getting mixed up.. – Matt Magallo Feb 16 '16 at 05:28

Jack jdeoel · Accepted Answer · 2016-02-16T05:35:24.003

0

if (isset($_POST['update'])){
$UpdateQuery = "UPDATE register SET First_Name='".$_POST['first_name']."',Last_Name='".$_POST['last_name']."', Breed='".$_POST['breed']."', Weight='".$_POST['weight']."', Age='".$_POST['age']."', Sex='".$_POST['sex']."' WHERE reg_id ='".$_POST['reg_id']."'";
mysqli_query($con,$UpdateQuery);
};

if (isset($_POST['delete'])){
$DeleteQuery = "DELETE FROM register WHERE reg_id='".$_POST['reg_id']."'";
mysqli_query($con,$DeleteQuery);
};

should be enclosed by ' ,that is optional.add hidden will be more better

echo "<td><input type='hidden' name='reg_id' value='".$record['reg_id']."'></td>";
echo "<td><input type='submit' name='update' value='update'></td>";
echo "<td><input type='submit' name='delete' value='delete'></td>";

edited Feb 16 '16 at 05:35

answered Feb 16 '16 at 05:01

Jack jdeoel

4,554
5
26
52

as mentioned to others, there is an issue with `$_POST['reg_id']`, as the OP has `echo "" . $record['reg_id'] . " ";`. – Sean Feb 16 '16 at 05:04
that looks better, although an explanation about your change to `value='".$record['reg_id']."'` would be helpful. – Sean Feb 16 '16 at 05:14
thanks. this did the trick. looks like i just needed to have the form call & store reg_id into via name='reg_id'. – Nicho247 Feb 16 '16 at 05:46

beginner form with "update from" and "remove" buttons

3 Answers3