-2

I am a beginner in PHP. I want to make an HTML form that updates data in a database. This is the form:

```html
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Apartments</title>
</head>
<body>
    <form action="test_upd.php" method="POST">
        <p>Введите данные, которые вы хотите изменить:</p>
        <p>Фамилия <input type="text" name="nm" size="10"></p>
    </form>
</body>
</html>
```

And this is the script:

```php
<?php
    $n = $_POST['nm'];
    $link = mysql_connect("localhost", "root") or die(mysql_error());
    mysql_select_db('apartments', $link) or die(mysql_error());
    $query = "UPDATE Customers SET name (".$n");" //Customers - table, name - column in this table 
    mysql_query($query);
    mysql_close($link);
    echo "Запись изменена!";
?>
```

But when I try to update data, I get an error... What am I doing wrong?

Rob Quincey
Dremjke
  • What error do you have ? – Reda Maachi Mar 23 '17 at 10:11
  • 3
    `SET name (".$n");" ` --> `SET name ='".$n"'"` But Attention. You set the name for all Customers in your table!! – Jens Mar 23 '17 at 10:12
  • 2
    **Stop** using the deprecated `mysql_*` API. Use `mysqli_` or `PDO` – Jens Mar 23 '17 at 10:13
  • 1
    You realize that you're updating your entire database. This is because it is without a `WHERE` clause, unless that's what you want. You're also open to a serious SQL injection. If you want to keep your site/db intact, don't use this without a prepared statement. – Funk Forty Niner Mar 23 '17 at 12:51

1 Answer

-1

Here is the complete code with a mysqli connection and a few improvements. You can also use special filters in `filter_input`; look here: http://php.net/manual/en/filter.constants.php

```php
<!doctype html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Apartments</title>
</head>
<body>
    <form action="test_upd.php" method="POST">
        <p>Введите данные, которые вы хотите изменить:</p>
        <p>Фамилия <input type="text" name="nm" size="10"></p> <br />
        <input type="submit" name="submit" value="Update">
    </form>
</body>
</html>
<?php
// Run the update only when the form was submitted.
if (filter_input(INPUT_POST, 'submit')) {
    $n = filter_input(INPUT_POST, 'nm');

    $mysqli = new mysqli("localhost", "root", "", "apartments");
    // `new mysqli(...) or die(...)` never fires because `new` always returns
    // an object, so the connection error code is checked explicitly.
    if ($mysqli->connect_errno) {
        die($mysqli->connect_errno);
    }

    // Customers - table, name - column in this table
    $query = $mysqli->prepare("UPDATE Customers SET name = ?");
    $query->bind_param('s', $n); // bind the submitted value as a string parameter
    $query->execute();

    $mysqli->close();
    echo "Запись изменена!";
}
```
Mubashar Iqbal
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Mar 23 '17 at 14:12
  • This will update every row in the database. – Jay Blanchard Mar 23 '17 at 14:18
  • I know these and I mentioned as well (with few improvements), he is just learning PHP, right now if you see his question he didn't even know about mysqli, I think to tell him everything at once it would be hard for him to digest/understand. – Mubashar Iqbal Mar 23 '17 at 14:28
  • @JayBlanchard Thank you for the link. I just want to say the attitude should be encouraging rather than discouraging for beginners/self learners/starters to ask questions. – Mubashar Iqbal Mar 23 '17 at 14:30
  • We have an obligation to teach new users how to do things correctly regardless of how overwhelming it may be. Continuing to teach dangerous coding practices is something we should not do. – Jay Blanchard Mar 23 '17 at 14:36
  • @JayBlanchard code updated. – Mubashar Iqbal Apr 19 '17 at 11:23
  • This will still update *every* row in the database which is likely not what the OP wants. – Jay Blanchard Apr 19 '17 at 11:47
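
The two points raised in the comments (bind the value instead of concatenating it, and restrict the update with a `WHERE` clause) can be seen together in the following added example, which is not code from the question or the answer. It assumes an in-memory SQLite database through PDO as a stand-in for the MySQL `apartments` database, a hypothetical `id` primary key on `Customers`, a hypothetical `id` form field, and constructed sample rows.

```php
<?php
// Added example. Assumptions: SQLite in memory replaces MySQL so the script
// runs without a server; the `id` column and the sample rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$pdo->exec("INSERT INTO Customers (id, name) VALUES (1, 'Ivanov'), (2, 'Petrov'), (3, 'Sidorov')");

/**
 * Rename exactly one customer and return the number of rows changed.
 * Both values are bound as parameters, so the name is treated as data
 * even when it contains quotes or other SQL syntax.
 */
function renameCustomer(PDO $pdo, $id, $newName): int
{
    // Validate before touching the database: id must be a positive integer,
    // the name must be non-empty and of a sane length.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $newName = trim((string) $newName);
    if ($id === false || $newName === '' || strlen($newName) > 100) {
        throw new InvalidArgumentException('Invalid id or name');
    }

    // The WHERE clause limits the change to one row; without it every
    // customer would get the same name.
    $stmt = $pdo->prepare('UPDATE Customers SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $newName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    return $stmt->rowCount();
}

// Constructed stand-in for $_POST: a name containing a single quote, which
// would break (or alter) a query built by string concatenation.
$post = ['id' => '2', 'nm' => "O'Brien"];

$changed = renameCustomer($pdo, $post['id'], $post['nm']);
echo "Rows changed: $changed\n";

// Show that only the selected row was modified.
foreach ($pdo->query('SELECT id, name FROM Customers ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['name'], "\n";
}
```

A return value of 0 from `renameCustomer` means no row matched the given `id`, which is worth reporting to the user instead of printing a success message unconditionally.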