-3

I was looking at why my MySQL doesn't work, but didn't find anything helping me in this case.

My issue is that I want to update my database by inserting a date in it with a specific id taken from $_GET. Here is what I was looking at:

$date = date('Y-m-d', time());

session_start();
header( 'content-type: text/html; charset=utf-8' );
require_once("cnx_db_inventory.php");
$idComputer=$_GET['idComputer'];
$query="select computer.computer_id,
    computer.computer_name
    from computer
    where computer.computer_id='$idComputer'";
$data = get_array($query);
foreach($data as $value) {
    $computername=$value['computer_name'];
}

//Update the database
if(isset($_GET['validate'])){
    $idComputer;
    $query="UPDATE computer
    SET deleted_date='$date'
    WHERE computer.computer_id=$idComputer";
    mysql_query($query);
    echo $query;
}

My echo of my query looks like this when I validate:

UPDATE computer SET deleted_date='2017-04-07' WHERE computer.computer_id=

And if I put some quotes (' ') around $idComputer, the echo gave me this:

UPDATE computer SET deleted_date='2017-04-07' WHERE computer.computer_id=''

But it gave me the id if I echo outside the isset() (see here). Why then, when I click on validate, does the computer_id not pass through?

My form looks like this:

<form id="general" name="general" action="delete.php" method="get">
    Are you sure you want to delete this?<br />
    <strong><font size="2" color ="black">Computer name </font></strong>
    <input type="text" id="computername" name="computername" value="<?php echo $computername;?>"/><br />
    <input type="submit" name="validate" value="Validate" class="button">
    <input type="submit" name="cancel" class="button" value="Cancel" onClick="general.action='researchInventory.php'; return true;"/>
</form>

I tried to put the $IdComputer in the isset, but it doesn't change anything. I had a similar issue before and that helped me fix it, but not in this case. I tried to move the mysql_query outside the if(){}. I tried to call computer.deleted_date in the SELECT, but it gives nothing as well.

I tried to put a hidden input with the value of computer_id, and tried the $_POST method (looking at this one), but nothing changes when I validate! The computer_id doesn't pass anyway.

class DBConnection{
    private static $_singleton;
    private $_connection;
    private function __construct(){
        $ip =$_SERVER['REMOTE_ADDR'];
        $this->_connection = @mysqli_connect(DB_HOST, DB_USER, DB_PASS,DB_NAME) or die("Could not connect to database");
        mysqli_set_charset($this->_connection,"utf8");
    }
    public static function getInstance(){
        $ip =$_SERVER['REMOTE_ADDR'];
        if (is_null (self::$_singleton)) {
            self::$_singleton = new DBConnection();
            mysqli_set_charset('utf8');//Line 20;
        }
        return self::$_singleton;
    }
    public function getHandle(){
        return $this->_connection;
    }
}
Nexis
  • What does `$data = get_array($query);` do here? – JustOnUnderMillions Apr 10 '17 at 13:39
  • Please do not use `mysql_*` functions. They are deprecated in PHP 5 and removed in PHP 7. Use MySQLi or PDO instead. – node_modules Apr 10 '17 at 13:40
  • Give me 'array' – Nexis Apr 10 '17 at 13:42
  • `Give me 'array'` you didn't say that, or? The function name says that, but what does it do? But whatever, check for typos: you are talking about `$IdComputer` and `$idComputer` and I don't know what else is messed up. I'm out, have a nice – JustOnUnderMillions Apr 10 '17 at 13:44
  • Use print_r or var_dump to display $idComputer. For your query to work, it has to be a single value. Also, echoing the comment from @C0dekid -- don't use deprecated mysql, use mysqli instead. – Sloan Thrasher Apr 10 '17 at 13:45
  • please try `if(isset($_GET['validate'])){ $idComputer=$_GET['idComputer']; echo"$idComputer"; ` and see what happens – OldPadawan Apr 10 '17 at 13:46
  • `get_array()` what does that method do? Edit: Oh, it's already been asked; so... what *does* it do? and where is it? – Funk Forty Niner Apr 10 '17 at 13:47
  • I think it's safe to say that `$_GET['idComputer']` has no value. Where and how is that coming from? If it's from the form, there's no name attribute to match it. I do see `name="computername"` though, and that is the reason it failed you; undefined index. – Funk Forty Niner Apr 10 '17 at 13:48
  • OK, I changed mysql for mysqli.... `$data` was for the foreach to get the computer name value.... When I echo the `$idComputer`, it is put at the end of my `update` query, but still doesn't update the date in my `database` – Nexis Apr 10 '17 at 13:51
  • `WHERE computer.computer_id=$idComputer";` if that's a string; it needs to be quoted. – Funk Forty Niner Apr 10 '17 at 13:52
  • The `$_GET['idComputer']` takes the value from the 'https://www.example.com/tickets/testMel/delete.php?idComputer=596' – Nexis Apr 10 '17 at 13:53
  • You seem to want to run the update query after the validate button was clicked in the generated form. Bad news: there is no idComputer parameter available in that case. I do not get at all what you are trying to achieve here. – Shadow Apr 10 '17 at 13:54
  • I had '$idComputer' just before the update query. Now it gives me the id I needed, but doesn't update it! See it in my question – Nexis Apr 10 '17 at 13:56
  • @Shadow, what I want is to update deleted_date in the database with the date from '$date' for the idComputer that I get with $idComputer – Nexis Apr 10 '17 at 13:59
  • I wonder if... as you use `$query` twice with different values, you might have to free it before ? let's say that `error_reporting(E_ALL); ini_set('display_errors', 1); `on top of page + [PPS : Prepared Parameterized Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) would have helped... – OldPadawan Apr 10 '17 at 14:06
  • You want to know the warning coming with the error_reporting I suppose? – Nexis Apr 10 '17 at 14:15
  • all warnings and errors, the PHP coder's best friends ^^ – OldPadawan Apr 10 '17 at 14:18
  • Warning: mysqli_set_charset() expects exactly 2 parameters, 1 given in /var/www/html/tickets/testMel/cnx_db_inventory.php on line 20 Warning: mysqli_query() expects at least 2 parameters, 1 given in /var/www/html/tickets/testMel/delete.php on line 56 – Nexis Apr 10 '17 at 14:21
  • warning 1 : mysqli_set_charset('utf8'); .... Warning 2 : mysqli_query($query); – Nexis Apr 10 '17 at 14:22
  • See https://pastebin.com/KjLF7rAn. (Also, this way you can't downvote me again.) – Dave Apr 10 '17 at 14:24
  • @Nexis : `cnx_db_inventory.php` must have some weird things in it :) put a mask on data like pwd and show code of it please – OldPadawan Apr 10 '17 at 14:30
  • @OldPadawan - Look into my top message for the line 20!! Put away the mysqli and right now, have only warning for mysqli_query! – Nexis Apr 10 '17 at 14:33
  • @Dave : I will look at it! – Nexis Apr 10 '17 at 14:34
  • @Dave : Notice: Undefined variable: mysqli in /var/www/html/tickets/testMel/delete_test2.php on line 64 Fatal error: Call to a member function prepare() on a non-object in /var/www/html/tickets/testMel/delete_test2.php on line 64 - that is what the code from your comment gives me... Line 64 = $stmt = $mysqli->prepare($query); – Nexis Apr 10 '17 at 14:44
  • @Nexis Where are you setting up your database connection? I was assuming you properly set up a mysqli connection called $mysqli. If it's called something else, adjust appropriately. – Dave Apr 10 '17 at 14:54
  • @Nexis : I have set up an example [HERE](https://pastebin.com/w9EgVmgR) -> please check it and let us know – OldPadawan Apr 10 '17 at 14:59
  • @OldPadawan : It works fine. Thanks a lot!! – Nexis Apr 10 '17 at 15:22
  • @Nexis : I'll put it as an answer then – OldPadawan Apr 10 '17 at 15:23
  • @Nexis -> done, please accept it – OldPadawan Apr 10 '17 at 15:35

2 Answers

0

Working example: added the POST method just because I don't like GET that much :) and a hidden field with the ID

<?php

error_reporting(E_ALL);
ini_set('display_errors', 1);

include"config.inc.php"; // only DB parameters in here

$mysqli = mysqli_connect("$host", "$user", "$mdp", "$db");

if (mysqli_connect_errno()) { echo "Error connecting : " . mysqli_connect_error(); } /* mysqli_connect_error() takes no arguments */

$id = $_GET['id']; /* assuming that you reach this page with a URL parameter ?id=3 or any number */
echo"[ 1st check on ID -> $id ]";

// TODO -> clean var ID and check if set/numeric

if(isset($id)) {

/* prepare select */

$query = " SELECT computer_id, computer_name FROM computer WHERE computer_id=? ";
$stmt = $mysqli->prepare($query);

$stmt->bind_param("s", $id); /* if integer ID -> 's' becomes 'i' */

$results = $stmt->execute();
$stmt->bind_result($computer_id, $computer_name);
$stmt->store_result();

if ($stmt->num_rows > 0) {

while($stmt->fetch()){
echo"[ $computer_id -> $computer_name ]<br />";
}
}
else { echo"[ no data ]"; }

//$stmt->free_result();

} else { echo"[ no ID defined ! ]"; }

// Update the database
if(isset($_POST['validate'])){

$date = date('Y-m-d', time());
$idComp = $_POST['computerID'];

/* prepare update */

$query1 = " UPDATE computer SET deleted_date=? WHERE computer_id=? ";
$stmt1 = $mysqli->prepare($query1);

$stmt1->bind_param("ss", $date, $idComp); /* if integer ID -> 'ss' becomes 'si' */

if (!$stmt1->execute()) { echo"false -> update failed"; echo $stmt1->error; } else { echo"true -> update ok"; }

$stmt1->free_result();
}

?>

<form id="general" name="general" action="delete.php" method="post">
<input type="hidden" id="computerID" name="computerID" value="<?php echo"$computer_id"; ?>" />
Are you sure you want to delete this ?<br />
<strong>Computer name</strong>
<input type="text" id="computername" name="computername" value="<?php echo"$computer_name"; ?>" /><br />
<input type="submit" name="validate" value="Validate" class="button" />
</form>

EDIT: As mysql_* was deprecated in PHP 5.5 (please refer to the PHP doc), you should prefer PPS: Prepared Parameterized Statements. This will help prevent SQL injection.

OldPadawan
  • Small question about the execute: can we pass more than one value (now it is only `$date`)... like if I would like to pass a number in another column named number? Should I adjust like: $number = "1" and `$query1 = " UPDATE computer SET deleted_date=?, number=? WHERE computer_id=? ";` `$stmt1->bind_param("ss", $date,$number, $idComp);` ? – Nexis Apr 10 '17 at 17:16
  • Any parameter set with ? in the query must then be added in bind_param, I'll show you an example if needed asap – OldPadawan Apr 10 '17 at 17:21
  • For sure, since I tried it and it gives me an error = Warning: mysqli_stmt::bind_param(): Number of elements in type definition string doesn't match number of bind variables in /var/www/html/tickets/testMel/delete.php on line 82 false -> update failedNo data supplied for parameters in prepared statement... That's what I did: $query1 = " UPDATE computer SET deleted_date=?, hidden=? WHERE computer_id=? "; $stmt1->bind_param("ss", $date, $hide, $idComp); /* if integer ID -> 'ss' becomes 'si' */ – Nexis Apr 10 '17 at 17:34
  • @Nexis : `$query1 = " UPDATE computer SET deleted_date=?, hidden=? WHERE computer_id=? ";` = 3 question marks -> `$stmt1->bind_param("sss", $date, $hide, $idComp);` /* 3 s or i -> one for each parameter, according to its type */ – OldPadawan Apr 10 '17 at 17:37
  • Ah, got it. Thanks @OldPadawan – Nexis Apr 10 '17 at 17:39
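Pulling the question, this answer and its comment thread together, here is an added example (it is neither the asker's code nor OldPadawan's): the same delete.php flow with the ID carried in a hidden field so the "Validate" request still contains it, the ID validated as a positive integer before any query runs, and both queries parameterized with one type character per placeholder. It assumes PHP 7.4+ with the mysqlnd driver (for get_result()), the DB_HOST/DB_USER/DB_PASS/DB_NAME constants from cnx_db_inventory.php as in the question, and an integer `hidden` column as discussed in the comments; the helper names read_computer_id, find_computer and mark_deleted are chosen here.

```php
<?php
// Added example, not the original poster's or OldPadawan's code.
// Assumes: PHP 7.4+, mysqlnd, a `computer` table with integer computer_id,
// computer_name, deleted_date (DATE) and hidden (INT) columns, and the
// DB_* constants defined in cnx_db_inventory.php.
declare(strict_types=1);

require_once 'cnx_db_inventory.php';

// Make mysqli throw on every error instead of returning false silently,
// so a wrong bind_param type string or a failed UPDATE cannot go unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$mysqli->set_charset('utf8mb4');

/** Return the ID as an int, or null when it is absent or not a non-negative integer. */
function read_computer_id(array $source, string $key): ?int
{
    if (!isset($source[$key]) || !ctype_digit((string) $source[$key])) {
        return null;
    }
    return (int) $source[$key];
}

/** Look up one computer by ID with a prepared SELECT; null when no row exists. */
function find_computer(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT computer_id, computer_name FROM computer WHERE computer_id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/**
 * Mark one computer as deleted. Three placeholders need three type characters
 * in bind_param ('sii' here: DATE string, INT, INT), which is exactly the
 * mismatch the comment thread hit with "ss" for three values.
 * Returns the number of rows changed.
 */
function mark_deleted(mysqli $db, int $id, string $date, int $hidden = 1): int
{
    $stmt = $db->prepare('UPDATE computer SET deleted_date = ?, hidden = ? WHERE computer_id = ?');
    $stmt->bind_param('sii', $date, $hidden, $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// The first visit carries the ID in ?idComputer=; the submit carries it in the
// hidden field. A submit request contains only the form's own inputs, which is
// why the original form (no hidden field) lost idComputer on "Validate".
$id = read_computer_id($_POST, 'idComputer') ?? read_computer_id($_GET, 'idComputer');
if ($id === null) {
    http_response_code(400);
    exit('Missing or invalid computer ID');
}

if (isset($_POST['validate'])) {
    $changed = mark_deleted($mysqli, $id, date('Y-m-d'));
    echo $changed === 1 ? 'Computer marked as deleted' : 'No row updated';
    exit;
}

$computer = find_computer($mysqli, $id);
if ($computer === null) {
    http_response_code(404);
    exit('No such computer');
}
// Escape everything echoed into the HTML, including the hidden field.
$e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
?>
<form id="general" name="general" action="delete.php" method="post">
    <input type="hidden" name="idComputer" value="<?= $e((string) $computer['computer_id']) ?>">
    Are you sure you want to delete this?<br>
    <strong>Computer name</strong>
    <input type="text" name="computername" value="<?= $e($computer['computer_name']) ?>" readonly><br>
    <input type="submit" name="validate" value="Validate" class="button">
</form>
```

Two design points: the ID is re-validated on the POST even though it came from this page's own hidden field, because anything in $_POST is under the client's control; and checking affected_rows after the UPDATE distinguishes "no such row" from "updated", which the original `mysql_query($query); echo $query;` never did.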
-1
$idComputer=$_GET['idComputer'];
$query="select computer.computer_id,
    computer.computer_name
    from computer
    where computer.computer_id='$idComputer'";

.
.
.

$query="UPDATE computer
    SET deleted_date='$date'
    WHERE computer.computer_id=$idComputer";

Is computer.computer_id a string-type column? If so, the value in your update statement has to be in single quotes.

Also, this is very bad practice. Someone could visit http://yoursite.com/yourscript.php?idComputer=Boston';DROP TABLE computer;-- and really mess you up. You should use prepared statements, or at least use the mysql_escape_string() function.

The same kind of idea applies to your HTML output as well.

<input type="text" id="computername" name="computername" value="<?php echo $computername;?>"/><br />

This should be something like

<input type="text" id="computername" name="computername" value="<?php echo htmlspecialchars($computername); ?>"/><br />
Dave
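As an added example (not Dave's code), the escaping step he recommends written as a small helper with explicit flags, so that the result does not depend on the PHP version's default flags. htmlspecialchars() is the real PHP function; escape_attr() and render_name_input() are names chosen here, and the sample computer name is constructed.

```php
<?php
// Added example, not Dave's code. escape_attr() and render_name_input()
// are names chosen for this example; htmlspecialchars() is PHP's own.
declare(strict_types=1);

/** Escape a value for use inside an HTML attribute value or text node. */
function escape_attr(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the result is contained in a
    // single-quoted attribute as well as a double-quoted one.
    // ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of returning
    // an empty string, which would otherwise silently blank the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render the computer-name input from the question with its value escaped. */
function render_name_input(string $computerName): string
{
    return '<input type="text" id="computername" name="computername" value="'
        . escape_attr($computerName) . '"/>';
}

// Constructed sample name: the double quote and angle brackets are the
// characters that, echoed raw as in the original form, would end the
// value attribute early and let the rest of the name be parsed as markup.
$sample = 'Office "front desk" <PC-12>';
echo render_name_input($sample), PHP_EOL;
```

Passing the flags explicitly matters: before PHP 8.1 the default for htmlspecialchars() was ENT_COMPAT | ENT_HTML401, which leaves single quotes alone, so a value echoed into a single-quoted attribute would not be contained; from PHP 8.1 the default includes ENT_QUOTES and ENT_SUBSTITUTE. The helper behaves the same on both.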