0

When I try to modify the values on the database with the form on the page, it simply gives me the successful message but it doesn't do anything.

```php
<?php
include "header.php";
include "conexao.php";
echo "<h1>Pagina para alterar familia</h1><hr>";
$referencia=$_GET['id'];

$sql = "SELECT * ";
$sql = $sql . " FROM tb_familia ";
$sql = $sql . " WHERE fa_codigo='".$referencia."'";
$produtos = $db->query($sql);
foreach ($produtos as $produto) {
    $referencia = $produto["fa_codigo"];
    $nome = $produto["fa_descricao"];
    //$preco = $produto["pr_preco"];
    $disponivel = $produto["fa_disponivel"];
}
echo "<h2>Referencia: ".$referencia."</h2>";
echo "<h2>Nome: ".$nome."</h2><hr>";

?>

<form action="confirmaAlterarfamilia.php">
Referencia: <input type="text" name="referencia" value="<?php echo $referencia?>">
Nome: <input type="text" name="nome" value="<?php echo $nome?>">
<button>Alterar</button>
</form>
<p><p>
```

This is the other part of the code where it actually tries to modify things.

```php
<?php

include "conexao.php";
$nome=$_GET['nome'];
$referencia=$_GET['referencia'];
$sql="UPDATE tb_familia SET fa_descricao='".$nome;
$sql.= " WHERE fa_codigo='".$referencia."'";
try{
    $comando=$db->prepare($sql);
    $comando->execute();
    echo "<h1>Alterado com sucesso</h1>";
}
catch (PDOException $e){
    echo "A";
}
```
Bruno Reis
  • Print your sql query and run it on database and check if it is working fine? – Mayank Pandeyz Aug 23 '16 at 09:02
  • You miss a single quoting `SET fa_descricao='".$nome."'";` – donald123 Aug 23 '16 at 09:04
  • `` attribute attached – RiggsFolly Aug 23 '16 at 09:06
  • You do know that scalar variables are automatically expanded in a double quoted string? `$sql="UPDATE tb_familia SET fa_descricao='$nome' WHERE fa_codigo='$referencia'";` is a lot easier to code and debug – RiggsFolly Aug 23 '16 at 09:09
  • But that does mean that your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Aug 23 '16 at 09:12
  • Thanks for the tips, I'll keep them in mind next time. – Bruno Reis Aug 24 '16 at 04:17

2 Answers

1

By default PDO doesn't throw exceptions; you have to do something like this if you want to catch a PDOException:

```php
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
```

You should also prefer prepared statements over string concatenation:

```php
$sql="UPDATE tb_familia SET fa_descricao=? WHERE fa_codigo=?";
$comando=$db->prepare($sql);
$comando->execute(array($nome,$referencia));
```
n00dl3
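
An added example (not part of the original answers or the asker's code) that puts the two points of the answer above together and also checks `rowCount()` before printing the success message, so a failed or no-op update is no longer reported as a success. It assumes an in-memory SQLite database in place of `conexao.php`; the `updateFamilia` helper and the sample rows are hypothetical.

```php
<?php
// Added example. In-memory SQLite stands in for the page's conexao.php (assumption).
$db = new PDO('sqlite::memory:');
// Make PDO throw PDOException on SQL errors instead of failing silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample rows, using the table and columns from the question.
$db->exec("CREATE TABLE tb_familia (fa_codigo TEXT PRIMARY KEY, fa_descricao TEXT)");
$db->exec("INSERT INTO tb_familia VALUES ('F1', 'Bebidas'), ('F2', 'Doces')");

// Hypothetical helper: runs the UPDATE and returns how many rows it changed.
function updateFamilia(PDO $db, string $referencia, string $nome): int
{
    // Placeholders keep the submitted values out of the SQL text.
    $comando = $db->prepare(
        "UPDATE tb_familia SET fa_descricao = ? WHERE fa_codigo = ?"
    );
    $comando->execute([$nome, $referencia]);
    return $comando->rowCount();
}

// Constructed inputs: a plain value, a value containing a single quote
// (which would break the concatenated query), and an unknown reference.
$casos = [
    ['F1', 'Bebidas frias'],
    ['F2', "Doces d'Avo"],
    ['F9', 'Inexistente'],
];

foreach ($casos as [$referencia, $nome]) {
    try {
        $linhas = updateFamilia($db, $referencia, $nome);
        // Report success only when a row was actually changed.
        echo $linhas === 1
            ? "Alterado com sucesso: $referencia\n"
            : "Nada alterado: $referencia\n";
    } catch (PDOException $e) {
        // Keep the detail in the server log; show a generic message.
        error_log($e->getMessage());
        echo "Erro ao alterar $referencia\n";
    }
}

// Show the final table contents to confirm what was stored.
foreach ($db->query("SELECT fa_codigo, fa_descricao FROM tb_familia") as $linha) {
    echo $linha['fa_codigo'], ' => ', $linha['fa_descricao'], "\n";
}
```

With the MySQL driver, `rowCount()` counts only rows whose values actually changed, so writing the same name again also reports 0.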
0

Try now:

```php
$sql="UPDATE tb_familia SET fa_descricao='".$nome."'";
$sql.= " WHERE fa_codigo='".$referencia."'";
```

You missed a quotation mark.

Bart