
I have a form that takes variables from another form like so:

$employeeid = $_POST['modifyid'];
$fname = $_POST['modifyfn'];
$lname = $_POST['modifyln'];
$staffno = $_POST['modifysn'];
$empusername = $_POST['modifyeu'];

<br/>
<td><form action="empmodify.php" method="post">
     <?php echo 
     "<div class='form-group'>
            <tr><td>ID:</td><td>
                <input type='text' class='form-control' name='modid' value='" . $employeeid . "'/>
            </td></tr>
        </div>

     <div class='form-group'>
            <tr><td>First Name:</td><td>
                <input type='text' class='form-control' name='modfn' value='" . $fname . "'/>
            </td></tr>
        </div>

        <div class='form-group'>
            <tr><td>Surname Name:</td><td>
                <input type='text' class='form-control' name='modln' value='" . $lname . "'/>
            </td></tr>
        </div>

        <div class='form-group'>
            <tr><td>Staff number:</td><td>
                <input type='text' class='form-control' name='modsn' value='" . $staffno . "'/>
            </td></tr>
        </div>

        <div class='form-group'>
            <tr><td>Username:</td><td>
                <input type='text' class='form-control' name='modeu' value='" . $empusername . "'/>
            </td></tr>
        </div>


     <button type='submit' class='btn btn-default'>Modify this Employee</button>"?>
            </form></td>

  </div>

These variables are already in the database; this part is working. What I would like is that when the user clicks submit it updates the record with anything they have changed in this form. Here is my empmodify.php:

$employeeid = $_POST['modid'];
$fname = $_POST['modfn'];
$lname = $_POST['modln'];
$staffno = $_POST['modsn'];
$empusername = $_POST['modeu'];

$result = mysql_query("UPDATE employee SET fname = '$fname', lname = '$lname', staffno = '$staffno', empusername = '$empusername' WHERE employeeid = '$employeeid'");

I have tried so many things with my variables but the update statement just doesn't seem to be working. I tried single quotes, double quotes, post, and concatenating them but nothing.. any ideas? :)

sd0093
  • Did you try debugging it? – Ravi Apr 02 '17 at 11:27
  • check the real content of $_POST .. var_dump($_POST) .. – ScaisEdge Apr 02 '17 at 11:30
  • I got it! Thank you both – sd0093 Apr 02 '17 at 11:50
  • ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 25 '17 at 13:45
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 25 '17 at 13:45

1 Answer

Try with something like this:

$result = mysql_query('UPDATE employee SET fname = "'.$fname.'", lname = "'.$lname.'", staffno = "'.$staffno.'", empusername = "'.$empusername.'" WHERE employeeid = "'.$employeeid.'"');
szymon
  • This worked!! Thank you :) – sd0093 Apr 02 '17 at 11:49
  • Do you know if I could use this method to update passwords as well? – sd0093 Apr 02 '17 at 11:51
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 25 '17 at 13:45
  • Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 25 '17 at 13:45
  • A few years later I understand this answer was a big mistake, but I cannot delete it as it's the accepted answer... :( – szymon Feb 02 '20 at 19:51
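The comments on both the question and the answer point at the same fix without showing it: send the form values as bound parameters instead of splicing them into the SQL string. The following is an added example, not code from the question or the accepted answer. It rewrites the UPDATE from empmodify.php as a PDO prepared statement and runs it against an in-memory SQLite table so it executes offline; the table layout and the sample row are constructed here, and the MySQL DSN in the comment is an assumption about the real deployment.

```php
<?php
// Added example (not the original poster's or answerer's code): the UPDATE from
// empmodify.php with a PDO prepared statement. User input travels as parameters,
// so quotes inside a value can no longer alter the statement's structure.
// An in-memory SQLite database stands in for MySQL so the script runs offline.

declare(strict_types=1);

/** Open the database. The MySQL DSN in the comment is an assumption. */
function connect(): PDO
{
    // Real deployment (assumed): new PDO('mysql:host=localhost;dbname=hr;charset=utf8mb4', $user, $pass)
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // fail loudly instead of silently
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);           // let the driver do the binding
    return $pdo;
}

/**
 * Update one employee row with the four editable columns from the form.
 * Column names are fixed in the SQL text; only values are bound.
 * Returns the number of rows affected (0 means no row had that id).
 */
function updateEmployee(PDO $pdo, int $employeeId, array $fields): int
{
    $stmt = $pdo->prepare(
        'UPDATE employee
            SET fname = :fname, lname = :lname, staffno = :staffno, empusername = :empusername
          WHERE employeeid = :id'
    );
    $stmt->execute([
        ':fname'       => $fields['fname'],
        ':lname'       => $fields['lname'],
        ':staffno'     => $fields['staffno'],
        ':empusername' => $fields['empusername'],
        ':id'          => $employeeId,
    ]);
    return $stmt->rowCount();
}

// ---- demo with constructed data ----
$pdo = connect();
$pdo->exec('CREATE TABLE employee (employeeid INTEGER PRIMARY KEY, fname TEXT, lname TEXT, staffno TEXT, empusername TEXT)');
$pdo->exec("INSERT INTO employee VALUES (7, 'Ann', 'Lee', 'S100', 'alee')");

// What empmodify.php would receive in $_POST (constructed). The surname contains an
// apostrophe, which breaks the string-built query on the page but is harmless here.
$post = [
    'modid' => '7',
    'modfn' => 'Ann',
    'modln' => "O'Brien",
    'modsn' => 'S100',
    'modeu' => 'alee',
];

// Cast the id to int: anything that is not a number becomes 0 and matches no row.
$affected = updateEmployee($pdo, (int) $post['modid'], [
    'fname'       => $post['modfn'],
    'lname'       => $post['modln'],
    'staffno'     => $post['modsn'],
    'empusername' => $post['modeu'],
]);

$row = $pdo->query('SELECT * FROM employee WHERE employeeid = 7')->fetch(PDO::FETCH_ASSOC);
printf("rows affected: %d\nlname now: %s\n", $affected, $row['lname']);
```

Run it with `php` on a build that has pdo_sqlite enabled; it prints one affected row and the surname stored with its apostrophe intact. The same binding approach answers the follow-up question about passwords in the comments: bind the output of `password_hash()` as the value, never the raw password. When the values are echoed back into the modify form, wrap each one in `htmlspecialchars()` so a quote in a field cannot escape the `value='...'` attribute either.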