
I am trying to have an Edit page that fetches the data selected by the user and displays it in a form. I managed to display the data from the database and allow the user to edit the data in the form. But my UPDATE query won't work in PHP. I tried echoing the query and running it manually in XAMPP; it turns out to be OK and it was able to update manually in XAMPP, but not in PHP. Can anyone help me with the code? Many thanks.

This is my PHP code:

```php
<?php
session_start();
include_once 'dbconnect.php';

if (isset($_POST['btn-update'])) {
    $ProdCode  = mysql_real_escape_string($_POST['productCode']);
    $ProdType  = mysql_real_escape_string($_POST['productType']);
    $ProdDes   = mysql_real_escape_string($_POST['product_description']);
    $ProdCol   = mysql_real_escape_string($_POST['productColour']);
    $ProdPrice = floatval($_POST['productPrice']);
    $XSsize    = mysql_real_escape_string($_POST['XSquantity']);
    $Ssize     = mysql_real_escape_string($_POST['Squantity']);
    $Msize     = mysql_real_escape_string($_POST['Mquantity']);
    $Lsize     = mysql_real_escape_string($_POST['Lquantity']);
    $XLsize    = mysql_real_escape_string($_POST['XLquantity']);
    $XXLsize   = mysql_real_escape_string($_POST['XXLquantity']);

    $errors = '';
    if (isset($_FILES['productImg'])) {
        $file_name = $_FILES['productImg']['name'];
        $file_size = $_FILES['productImg']['size'];
        $file_tmp  = $_FILES['productImg']['tmp_name'];
        $file_type = $_FILES['productImg']['type'];
        // pathinfo() avoids the "only variables should be passed by reference"
        // notice that end(explode(...)) raises
        $file_ext  = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));

        $extensions = array("jpeg", "jpg", "png");

        if (in_array($file_ext, $extensions) === false) {
            $errors = "Please choose JPEG/PNG file.";
            $errorTrigger = true;
        }

        if ($file_size > 2097152) { // 2 MB limit
            $errors = 'File size must not exceed 2 MB';
            $errorTrigger = true;
        }

        if (empty($errors)) {
            move_uploaded_file($file_tmp, "images/" . $file_name);
        }
    }

    // The '%' characters in the WHERE clause are the problem identified in the
    // comments below: with '=' they are matched literally, so no row matches.
    $query = "UPDATE product SET product_code='$ProdCode', product_type='$ProdType', description='$ProdDes', colour='$ProdCol', price='$ProdPrice', size_xs='$XSsize', size_s='$Ssize', size_m='$Msize', size_l='$Lsize', size_xl='$XLsize', size_xxl='$XXLsize' WHERE product_code='%" . $ProdCode . "%'";
    echo $query;

    if (mysql_query($query)) {
        echo "<script>alert('Product Updated');</script>";
    } else {
        echo mysql_error();
        ?>
        <script>alert('Error while updating');</script>
        <?php
    }
}
?>
```
kojh
    Are you meaning to use `product_code LIKE '%". $ProdCode ."%'"`? Using equals with percents seems suspiciously like you're trying to match with wildcards and using the wrong operator. – Joachim Isaksson Mar 29 '16 at 16:25
  • 2
    [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Mar 29 '16 at 16:25
  • 2
    Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Mar 29 '16 at 16:25
  • 1
    @devlincarnate Why do you think that would be a problem? `mysql_query()` doesn't execute multiple queries. – Barmar Mar 29 '16 at 16:25
  • 1
    `echo mysql_error();` said what *exactly?* and http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Mar 29 '16 at 16:26
  • 1
    add `error_reporting(E_ALL);ini_set('display_errors',1);` after `session_start();` and check for errors. Also use `mysqli_*` or `PDO`. `mysql_*` is deprecated now. – Alive to die - Anant Mar 29 '16 at 16:26
  • Could you define "won't work"? Are you getting an error or just not seeing the expected result? You can literally copy the echoed query and paste it into your DB and it works without modification? I'm suspicious of the `%`s in the `where` clause of your `update` query. Also, please please please please please use parameterized queries. – hair raisin Mar 29 '16 at 16:27
  • @devlincarnate Also, the URL parameters are all escaped with `mysql_real_escape_string` and put in quotes in the query. – Barmar Mar 29 '16 at 16:27
  • @Barmar Not in the first select, just for the update. – Joachim Isaksson Mar 29 '16 at 16:28
  • @Barmar - the first one isn't. `$productCode = $_GET['pc']; $sql = "Select * FROM product WHERE product_code LIKE '%". $productCode ."%'";` – devlin carnate Mar 29 '16 at 16:29
  • @Joachim Isaksson, thanks for the heads up. Indeed the problem was the '%' I put in my query. This is my first trial in PHP; I will try with PDO later once my basic page is ready. – kojh Mar 29 '16 at 16:36
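The same update written the way the comments recommend, as an added example that is not the asker's code: the `%` wildcards are dropped from the WHERE clause and every value is bound through a PDO prepared statement. It assumes `$pdo` is a PDO connection (for instance created in `dbconnect.php`) with `PDO::ERRMODE_EXCEPTION` set, and that the edit form carries the product's original code in a hidden field named `originalCode` (an assumption; the original post has no such field, and using the edited code in the WHERE clause would miss the row whenever the user changes it).

```php
<?php
// Added example, not the asker's code. Assumes $pdo (PDO, ERRMODE_EXCEPTION)
// from dbconnect.php and a hidden form field 'originalCode' holding the code
// the row currently has (both are assumptions, not from the original post).
session_start();
include_once 'dbconnect.php';

if (isset($_POST['btn-update'])) {
    // Optional image upload: check the real content type rather than the
    // client-supplied file name, and store under a server-generated name.
    if (!empty($_FILES['productImg']['tmp_name']) && is_uploaded_file($_FILES['productImg']['tmp_name'])) {
        $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['productImg']['tmp_name']);
        if (!isset($allowed[$mime])) {
            exit('Please choose a JPEG/PNG file.');
        }
        if ($_FILES['productImg']['size'] > 2097152) {
            exit('File size must not exceed 2 MB.');
        }
        $target = 'images/' . bin2hex(random_bytes(8)) . '.' . $allowed[$mime];
        move_uploaded_file($_FILES['productImg']['tmp_name'], $target);
    }

    // Every value travels as a bound parameter: no manual escaping or quoting,
    // and the query text never changes shape based on user input.
    $sql = "UPDATE product
               SET product_code = :code, product_type = :type, description = :des,
                   colour = :col, price = :price, size_xs = :xs, size_s = :s,
                   size_m = :m, size_l = :l, size_xl = :xl, size_xxl = :xxl
             WHERE product_code = :orig";   // exact match, no '%' wildcards
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':code'  => $_POST['productCode'],
        ':type'  => $_POST['productType'],
        ':des'   => $_POST['product_description'],
        ':col'   => $_POST['productColour'],
        ':price' => (float) $_POST['productPrice'],
        ':xs'    => $_POST['XSquantity'],
        ':s'     => $_POST['Squantity'],
        ':m'     => $_POST['Mquantity'],
        ':l'     => $_POST['Lquantity'],
        ':xl'    => $_POST['XLquantity'],
        ':xxl'   => $_POST['XXLquantity'],
        ':orig'  => $_POST['originalCode'],
    ]);
    // rowCount() is the number of rows MySQL actually changed, so an edit
    // that saves identical values reports 0 here as well.
    echo $stmt->rowCount() === 1 ? 'Product Updated' : 'Nothing updated';
}
```

With `ERRMODE_EXCEPTION` a failing statement throws a `PDOException`, so the `echo mysql_error()` branch of the original is no longer needed.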

0 Answers