0

This is my PHP code:

if (isset($_POST['data']) && is_array($_POST['data'])) {
    foreach ($_POST['data'] as $row => $data) {
        $result = mysql_query("UPDATE orders SET project_ref='".$data['project_ref']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result1 = mysql_query("UPDATE orders SET supp_short_code='".$data['supp_short_code']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result2 = mysql_query("UPDATE orders SET om_part_no='".$data['om_part_no']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result3 = mysql_query("UPDATE orders SET description='".$data['description']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result4 = mysql_query("UPDATE orders SET quantity='".$data['quantity_input']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result5 = mysql_query("UPDATE orders SET cost_of_items='".$data['cost_of_items']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
        $result6 = mysql_query("UPDATE orders SET cost_total='".$data['cost_total_td']."' where order_id = '".$data['order_id']."'") or die(mysql_error());
    }
}

So when the user wants to edit order id: 1, I hope it will update all rows where the order_id is 1, but what this code is doing is setting all fields to "1"??

EDIT:

This is how I'm sending the data to the PHP:

$('#submit').live('click', function() {
    var postData = {};
    postData['data[order_id]'] = $('#order_id').text();
    $('#items tr').not(':first').each(function(index, value) {
        var keyPrefix = 'data[' + index + ']';
        postData[keyPrefix + '[supp_short_code]'] = $(this).closest('tr').find('.supp_short_code').text();
        postData[keyPrefix + '[project_ref]'] = $(this).closest('tr').find('.project_ref').text();
        postData[keyPrefix + '[om_part_no]'] = $(this).closest('tr').find('.om_part_no').text();
        postData[keyPrefix + '[description]'] = $(this).closest('tr').find('.description').text();
        postData[keyPrefix + '[quantity_input]'] = $(this).closest('tr').find('.quantity_input').val();
        postData[keyPrefix + '[cost_of_items]'] = $(this).closest('tr').find('.cost_of_items').text();
        postData[keyPrefix + '[cost_total_td]'] = $(this).closest('tr').find('.cost_total_td').text();
    });

    $.ajax({
        type: "POST",
        url: "updateorder.php",
        dataType: "json",
        data: postData,
        cache: false,
        success: function() {
            alert("Order Updated");
        }
    });
});
benhowdle89

4 Answers

1

You can start by reading this which will save you lots of trouble in the future.

Also, you don't need to create a query for each field you need to update. Disregarding security issues, you can do something like:

// One UPDATE sets every column; values are still unescaped, as noted above
$q = "
  UPDATE orders 
  SET    project_ref='".$data['project_ref']."' ,
         supp_short_code='".$data['supp_short_code']."' ,
         om_part_no='".$data['om_part_no']."' ,
         description='".$data['description']."' ,
         quantity='".$data['quantity_input']."' ,
         cost_of_items='".$data['cost_of_items']."' ,
         cost_total='".$data['cost_total_td']."'
  WHERE  order_id = '".$data['order_id']."'
";

mysql_query($q) or die(mysql_error());

What this code is doing is setting your table fields project_ref, supp_short_code, om_part_no, ... to something (which comes from $_POST['data']) to whatever order_id comes from $_POST['data']['order_id'].

If all your fields are becoming 1, you probably have some trouble with the data you send from the form. Try a print_r($_POST) to help you fix it.

acm
1

$_POST data is usually provided by the user, so there's no way it's a native PHP array unless you make it yourself ($_POST['data'] = array()).

Sanitize your input, and log it before running any query... print_r($_POST['data'])... be sure it contains the data that you actually want.

Luca Matteis
1

Maybe check out the DB Type for order_id in MySQL. I assume that it's defined as an INT. If so, remove the single quotes here:

where order_id = ".$data['order_id']."
leudanielm
1

Well first of all, is $_POST['data'] an array of arrays? Seems a bit odd to me. A foreach loop iterates through each item in the array, and retrieves the key and value after the as. So is this what you meant?

if (isset($_POST['data']) && is_array($_POST['data'])) {
  foreach ($_POST['data'] as $row => $data) {
    $result = mysql_query("UPDATE orders SET $row='$data' WHERE order_id = '" . $_POST['data']['order_id'] . "';");
  }
}

Second point is that you shouldn't create a new SQL query for each field. Try this:

if (isset($_POST['data']) && is_array($_POST['data'])) {
  // Collect one "column = 'value'" pair per field and join them with commas
  $sets = array();
  foreach ($_POST['data'] as $row => $data) {
    $sets[] = "$row = '$data'";
  }
  $sql = "UPDATE orders SET " . implode(", ", $sets);
  $sql .= " WHERE order_id = '" . $_POST['data']['order_id'] . "'";
  $result = mysql_query($sql);
}

And thirdly, read up on SQL injection. At the very minimum, put mysql_real_escape_string() around the $row and $data variables and the $_POST['data']['order_id']. So:

if (isset($_POST['data']) && is_array($_POST['data'])) {
  // Function calls are not expanded inside a quoted string, so concatenate them
  $sets = array();
  foreach ($_POST['data'] as $row => $data) {
    $sets[] = mysql_real_escape_string($row) . " = '" . mysql_real_escape_string($data) . "'";
  }
  $sql = "UPDATE orders SET " . implode(", ", $sets);
  $sql .= " WHERE order_id = '" . mysql_real_escape_string($_POST['data']['order_id']) . "'";
  $result = mysql_query($sql);
}
Nathan MacInnes
  • Ok, some progress. It's now not setting all fields to "1" or whatever the order_id is, but it's not changing any values in the fields?? What other code can I put up to make this easier?? – benhowdle89 Nov 12 '10 at 10:10
  • Are you sure that `$_POST['data']` actually is an array? Try `var_dump($_POST['data']);`, or even `var_dump($_POST);`. – Nathan MacInnes Nov 12 '10 at 10:20
  • this is the PHP response: array(2) { ["order_id"]=> string(1) "2" [0]=> array(7) { ["supp_short_code"]=> string(0) "" ["project_ref"]=> string(0) "" ["om_part_no"]=> string(8) "16511316" ["description"]=> string(16) "EarthTerminal6mm" ["quantity_input"]=> string(1) "2" ["cost_of_items"]=> string(4) "2.34" ["cost_total_td"]=> string(4) "2.34" } } – benhowdle89 Nov 12 '10 at 10:26
  • I think it's seeing order_id as a string, that's maybe where I'm going wrong? – benhowdle89 Nov 12 '10 at 10:27
  • Element 0 is an array... seems quite odd to me and rather difficult to manage. How did that happen? – Nathan MacInnes Nov 12 '10 at 10:36
  • I have no idea!? I adjusted my PHP and echo'd the $sql query and it's trying to execute 2 queries where I'm only trying to edit one row. No idea why that would be doing that... – benhowdle89 Nov 12 '10 at 10:42
  • I think we'll need to see more code before we can work out what has happened. $_POST elements don't just become arrays on their own, so how have you interacted with $_POST already? – Nathan MacInnes Nov 12 '10 at 11:00
  • I might be wrong but does that jQuery code above not explain how it became an array!? I'm not sure – benhowdle89 Nov 12 '10 at 11:05
  • Oh you're right, it does... I didn't know you could do that! I'll see if I can work it out. – Nathan MacInnes Nov 12 '10 at 11:07
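
A parameterized version of the update for the POST shape shown in the `var_dump` above, as an added example that is not part of the original thread. It assumes PDO (in-memory SQLite stands in for MySQL so it runs offline), a constructed schema and POST body, and the hypothetical names `updateOrder()` and `FIELD_TO_COLUMN`. Column names come from a fixed map because neither escaping nor binding protects an identifier, and since the page shows no per-item key, each submitted row is matched by `order_id` alone, as in the question.

```php
<?php
// Added example, not from the thread. SQLite (in memory) stands in for MySQL so it
// runs offline; schema and POST body are constructed from the names shown above.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE orders (order_id INTEGER, project_ref TEXT, supp_short_code TEXT,
    om_part_no TEXT, description TEXT, quantity INTEGER, cost_of_items TEXT, cost_total TEXT)");
$pdo->exec("INSERT INTO orders (order_id, description) VALUES (2, 'old'), (3, 'untouched')");

// POST field name => column name (hypothetical map). Only these columns can be written.
const FIELD_TO_COLUMN = [
    'project_ref' => 'project_ref', 'supp_short_code' => 'supp_short_code',
    'om_part_no' => 'om_part_no', 'description' => 'description',
    'quantity_input' => 'quantity', 'cost_of_items' => 'cost_of_items', 'cost_total_td' => 'cost_total',
];

function updateOrder(PDO $pdo, array $post): int
{
    // order_id is a scalar sibling of the row arrays, so read and validate it once.
    $orderId = filter_var($post['order_id'] ?? null, FILTER_VALIDATE_INT);
    if ($orderId === false) {
        throw new InvalidArgumentException('order_id must be an integer');
    }
    $sets = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        $sets[] = "$column = :$field"; // identifiers come from the constant, never from input
    }
    $stmt = $pdo->prepare('UPDATE orders SET ' . implode(', ', $sets) . ' WHERE order_id = :order_id');
    $changed = 0;
    foreach ($post as $row) {
        if (!is_array($row)) {
            continue; // skips the 'order_id' => "2" entry, which is not a row
        }
        $params = [':order_id' => $orderId];
        foreach (FIELD_TO_COLUMN as $field => $column) {
            $params[":$field"] = is_scalar($row[$field] ?? null) ? (string) $row[$field] : '';
        }
        $stmt->execute($params); // values travel as bound parameters, not as SQL text
        $changed += $stmt->rowCount();
    }
    return $changed;
}

// Constructed input: same shape as the var_dump, with a quote-laden description.
$data = ['order_id' => '2', 0 => ['om_part_no' => '16511316', 'description' => "6mm' OR '1'='1",
    'quantity_input' => '2', 'cost_of_items' => '2.34', 'cost_total_td' => '2.34']];
printf("%d row(s) updated\n", updateOrder($pdo, $data));
print_r($pdo->query('SELECT order_id, description FROM orders')->fetchAll(PDO::FETCH_ASSOC));
```

Against MySQL, only the DSN passed to `new PDO(...)` changes; the description is stored literally and the row for order 3 keeps its original value.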