-1

I'm trying to do a function that updates the field 'status' in the database from unpaid to paid on the click of a hyperlink/button. Here is what I'm doing but it is not working. Please help me debug my code.

function pay($idno, $secid) {
    $query = "UPDATE payments SET status='paid' WHERE idNumber = '$idno' AND sec_id = '$secid'";
    $result = mysqli_query($mysqli,$query); }

    $sec_id = '2';
    $idno= '3';
    echo "<td><a href='' onclick='pay($idno, $secid);' >PAY NOW</a></td>";
}

This is what I attempted but nothing is happening. My SQL connection is correct; I've checked already.

krlzlx
Ali
  • In the where condition of the query, make it idNumber = $idno AND sec_id = $secid; you were passing it as a string. @Ali – Parth Mahida Nov 08 '16 at 13:33
  • Btw, that (JS) `onclick` will never call your `pay()` PHP function. – Funk Forty Niner Nov 08 '16 at 13:36
  • I don't think MySQL cares if it's a string or a number from PHP. It's converted as needed. – mlewis54 Nov 08 '16 at 13:36
  • @Fred-ii- how can I call it? – Ali Nov 08 '16 at 13:39
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Nov 08 '16 at 13:43

1 Answer

0

Without more information on the error it appears that your MySQL connection is undefined. You need to pass it as a parameter or reference it as a global:

function pay($idno, $secid) {
    // $mysqli is created outside this function, so bring it into scope.
    global $mysqli;

    $query = "UPDATE payments SET status='paid' WHERE idNumber = '$idno' AND sec_id = '$secid'";
    $result = mysqli_query($mysqli, $query);
}

$sec_id = '2';

In addition, you can't call a PHP function from HTML as you are attempting to do. You must do an Ajax call to PHP from JavaScript.

mlewis54
  • The SQL connection is fine. – Ali Nov 08 '16 at 13:39
  • Not disagreeing that it's fine, just how it's being referenced. If the posted code is what really is in your program then $mysqli must be unreferenced at that point. You are not passing it and you are not referring to it as a global variable. – mlewis54 Nov 08 '16 at 14:54
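
The two fixes raised in this thread (a MySQLi prepared statement, and a request from JavaScript to PHP instead of an `onclick` call to a PHP function), combined as an added example that is not code from the question or the answer. Assumptions: a hypothetical `db.php` creates `$mysqli`, `idNumber` and `sec_id` are integers, and the page that renders the link stored a token in `$_SESSION['csrf']`.

```php
<?php
// pay.php: added example, not the asker's or the answerer's code.
// Assumptions: db.php (hypothetical) creates $mysqli; idNumber and sec_id are
// integers; the page rendering the link stored a token in $_SESSION['csrf'].
// Client side, the click handler sends a POST, for example:
//   fetch('pay.php', {method: 'POST',
//     body: new URLSearchParams({idno: 3, sec_id: 2, csrf: token})});
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php';

function pay(mysqli $mysqli, int $idno, int $secid): bool
{
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $mysqli->prepare(
        "UPDATE payments SET status = 'paid'
          WHERE idNumber = ? AND sec_id = ? AND status = 'unpaid'"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $idno, $secid);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

header('Content-Type: application/json');
// A state change must not be reachable through a plain GET link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['ok' => false, 'error' => 'POST required']));
}
// Reject requests that do not carry the token issued to this session.
$token = $_POST['csrf'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], $token)) {
    http_response_code(403);
    exit(json_encode(['ok' => false, 'error' => 'bad token']));
}
// Accept only positive integers for both identifiers.
$opts  = ['options' => ['min_range' => 1]];
$idno  = filter_input(INPUT_POST, 'idno', FILTER_VALIDATE_INT, $opts);
$secid = filter_input(INPUT_POST, 'sec_id', FILTER_VALIDATE_INT, $opts);
if (!is_int($idno) || !is_int($secid)) {
    http_response_code(400);
    exit(json_encode(['ok' => false, 'error' => 'invalid id']));
}
echo json_encode(['ok' => pay($mysqli, $idno, $secid)]);
```

The endpoint still needs an authorization check that the logged-in user is allowed to mark this payment as paid; that depends on the application and is not shown.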