
I'm wanting to allow my user to edit rows in the database. I'm following along with a tutorial and I can't seem to get it working. I'm at a loss, as I have no idea why my variables aren't being declared when I clearly have (in my head).

     <?php
    // including the database connection file
    include_once("connect.php");

    if(isset($_POST['update']))
    {    
        $StaffID = $_POST["StaffID"];

        $Name=$_POST["Name"];
        $Address=$_POST['Address'];
        $Telephone=$_POST['Telephone'];  
        $BusinessID=$_POST['BusinessID'];

         $result = mysqli_query($conn, "UPDATE staff SET Name='{$Name}',Address='{$Address}',Telephone='{$Telephone}', BusinessID='{$BusinessID}' WHERE StaffID = $StaffID");

        // redirecting to the display page. In our case, it is index.php
        header("Location: HomePHP.php");
    }
    }
    ?>
    <?php
    //getting id from url
    $StaffID = $_GET['StaffID']; //this is what is giving me the error even though it is exactly how it appears in my database

    //selecting data associated with this particular id
    $result = mysqli_query($conn, "SELECT * FROM staff WHERE StaffID=$StaffID");

    while($res = mysqli_fetch_array($result))
    {

        $Name = $res['Name'];
        $Address = $res['Address'];
        $Telephone = $res['Telephone'];
        $BusinessID = $res['BusinessID'];
    }
    ?>

    <html>
    <head>    
        <title>Edit Data</title>
    </head>

    <body>
        <a href="select.php">Home</a>
        <br/><br/>

        <form name="form1" method="post" action="select.php">
            <table border="0">
                <tr> 
                    <td>Name</td>
                    <td><input type="text" name="name" value="<?php echo $Name;?>"></td>
                </tr>
                <tr> 
                    <td>Age</td>
                    <td><input type="text" name="age" value="<?php echo $Address;?>"></td>
                </tr>
                <tr> 
                    <td>Email</td>
                    <td><input type="text" name="email" value="<?php echo $Telephone;?>"></td>
                </tr>
                  <tr> 
                    <td>BusinessID</td>
                    <td><input type="text" name="email" value="<?php echo $BusinessID;?>"></td>
                </tr>
                <tr>
                    <td><input type="hidden" name="id" value=<?php echo $_GET['StaffID'];?>></td>
                    <td><input type="submit" name="update" value="Update"></td>
                </tr>
            </table>
        </form>
    </body>
    </html>
  • 1
    `BusinessID='$BusinessID',` <<< it's a TYPO – Funk Forty Niner Mar 20 '17 at 19:03
  • 2
    Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 20 '17 at 19:05
  • 1
    and I don't do typos; I'd be the laughing stock of stack – Funk Forty Niner Mar 20 '17 at 19:06
  • 1
    oh and `Name` != `name` same goes for the others; more typos. So, go back and use the tools to check errors with, because you have many. The `!=` btw, is php for "does not equal". – Funk Forty Niner Mar 20 '17 at 19:08
  • 1
    Thank you for the reply, what line are you seeing the BusinessID='$BusinessID' typo on? Unless you mean I can't have the '$' in it? Sorry, I'm very new to PHP so it feels all a bit much atm. –  Mar 20 '17 at 19:21

1 Answer

1) There is an error in the SQL: there cannot be a `,` after BusinessID='$BusinessID' (it is the last assignment).

2) The $id in the SQL is not defined.

Lawondyss
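An added example (not the asker's code and not part of the answer above) that ties together the two points raised in the comments: `$_POST` keys must match the form's `name` attributes exactly, and the UPDATE should use a prepared statement. The `staff` table and its columns come from the question; the helper names `read_staff_form` and `update_staff` are hypothetical, and the `mysqli` connection is assumed to come from `connect.php`.

```php
<?php
// Added example, not the asker's code. Table and column names come from the
// question; the mysqli connection is assumed to come from connect.php.
const STAFF_FIELDS = ['StaffID', 'Name', 'Address', 'Telephone', 'BusinessID'];

// Return the expected fields, or throw naming the ones the form did not send.
// Array keys are case-sensitive: name="name" never populates $_POST['Name'].
function read_staff_form(array $post): array
{
    $data = [];
    $missing = [];
    foreach (STAFF_FIELDS as $key) {
        if (isset($post[$key]) && is_string($post[$key])) {
            $data[$key] = trim($post[$key]);
        } else {
            $missing[] = $key;
        }
    }
    if ($missing) {
        throw new InvalidArgumentException('Missing form fields: ' . implode(', ', $missing));
    }
    // StaffID is used unquoted in the question's SQL, so treat it as an integer key.
    $data['StaffID'] = filter_var($data['StaffID'], FILTER_VALIDATE_INT);
    if ($data['StaffID'] === false) {
        throw new InvalidArgumentException('StaffID must be an integer');
    }
    return $data;
}

// The values travel as bound parameters and never become part of the SQL text.
function update_staff(mysqli $conn, array $d): bool
{
    $stmt = $conn->prepare(
        'UPDATE staff SET Name = ?, Address = ?, Telephone = ?, BusinessID = ? WHERE StaffID = ?'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssssi', $d['Name'], $d['Address'], $d['Telephone'], $d['BusinessID'], $d['StaffID']);
    return $stmt->execute();
}

// Constructed input: the keys the form in the question actually submits.
$submitted = ['name' => 'Ann', 'age' => '1 High St', 'email' => '42', 'id' => '7', 'update' => 'Update'];
try {
    $fields = read_staff_form($submitted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

On the update page, call `update_staff($conn, read_staff_form($_POST))` once the form's `name` attributes match `STAFF_FIELDS`.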