I'm working on a website and I want the user to be able to update the information of a client. I researched and tried so many times to make it work, and I wrote the code just like it was in the examples, but the update query doesn't work on the database and no error appeared. So I hope to find out why the update does not happen in the database.

Here is the output when updating:

"Record updated successfully"

Here is update_prospect.php:

```php
<?php
include 'connexion.php';

if(isset($_POST['telephone'])){$telephone= $_POST['telephone'];} else { $telephone='';}

if(isset($_POST['adresse'])){$adresse= $_POST['adresse'];} else { $adresse='';}
if(isset($_POST['ville'])){$ville= $_POST['ville'];} else { $ville='';}
if(isset($_POST['codepostal'])){$codepostal= $_POST['codepostal'];} else { $codepostal='';}
if(isset($_POST['mobile'])){$mobile= $_POST['mobile'];} else { $mobile='';}
if(isset($_POST['fax'])){$fax= $_POST['fax'];} else { $fax='';}
if(isset($_POST['email'])){$email= $_POST['email'];} else { $email='';}
if(isset($_POST['Typeprospect'])){$Typeprospect= $_POST['Typeprospect'];} else { $Typeprospect='';}
if(isset($_POST['observations'])){$observations= $_POST['observations'];} else { $observations='';}
if(isset($_POST['rcs'])){$rcs= $_POST['rcs'];} else { $rcs='';}
if(isset($_POST['numtva'])){$numtva= $_POST['numtva'];} else { $numtva='';}
if(isset($_POST['fonctionclient'])){$fonctionclient= $_POST['fonctionclient'];} else { $fonctionclient='';}
if(isset($_POST['raisonsociale'])){$raisonsociale= $_POST['raisonsociale'];} else { $raisonsociale='';}
if(isset($_POST['suffixedomaine'])){$suffixedomaine= $_POST['suffixedomaine'];} else { $suffixedomaine='';}

mysqli_begin_transaction($conn, MYSQLI_TRANS_START_READ_WRITE);

$sql ="UPDATE Client
SET
adresse='{$adresse}',
ville='{$ville}',
codepostal='{$codepostal}',
mobile='{$mobile}',
fax='{$fax}',
email='{$email}',
Typeprospect='{$Typeprospect}',
observations='{$observations}',
rcs='{$rcs}',
numtva='{$numtva}',
fonctionclient='{$fonctionclient}',
raisonsociale='{$raisonsociale}',
suffixedomaine='{$suffixedomaine}'
WHERE
telephone='{$telephone}'";

if (mysqli_query($conn,$sql) === TRUE)
{
    echo "Record updated successfully";
}
else
{
    echo "Error: " . $sql . "<br>" . $conn->error;
}

mysqli_commit($conn);
mysqli_close($conn);
?>
```
  • Best to use `mysqli_affected_rows()` in order to tell if the update was truly successful. – Funk Forty Niner Apr 10 '17 at 15:16
  • Just because the query was successful doesn't mean it matched any rows in the database. What is the actual query you're executing after all of these SQL-injectable strings are muxed into it? When you run that query manually in MySQL, what happens? – David Apr 10 '17 at 15:19
  • Do `echo $sql;` and run it manually in MySQL. – Bhaskar Jain Apr 10 '17 at 15:20
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 10 '17 at 15:24
  • When using `echo $sql;` I found an empty value of `$telephone`; this value is meant to specify the row to be updated. – Aloui Khalil Apr 10 '17 at 15:33
  • Thank you guys, it works now. – Aloui Khalil Apr 10 '17 at 15:48

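The three points raised in the comments, combined into one added example (not the asker's code and not from any commenter): a prepared statement instead of string interpolation, a guard against the empty `telephone` key, and the affected-row count as the success signal. `update_prospect()` is a hypothetical helper name; `$conn` is assumed to be the `mysqli` connection created by the question's `connexion.php`, and the column names are those in the question's query.

```php
<?php
// Added example. update_prospect() is a hypothetical helper, not part of the question.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make SQL errors throw

function update_prospect(mysqli $conn, array $post): int
{
    // Columns from the question's UPDATE statement, in SET order.
    $columns = ['adresse', 'ville', 'codepostal', 'mobile', 'fax', 'email',
                'Typeprospect', 'observations', 'rcs', 'numtva',
                'fonctionclient', 'raisonsociale', 'suffixedomaine'];

    // The WHERE key must be present: an empty value matches no row, yet the
    // query still "succeeds", which is the symptom described in the question.
    $telephone = trim((string)($post['telephone'] ?? ''));
    if ($telephone === '') {
        throw new InvalidArgumentException('telephone is required to select the row');
    }

    // Column names come from the fixed list above, never from user input.
    $set  = implode(', ', array_map(fn($c) => "$c = ?", $columns));
    $stmt = $conn->prepare("UPDATE Client SET $set WHERE telephone = ?");

    // Values are sent as bound parameters, separate from the SQL text.
    $values   = array_map(fn($c) => (string)($post[$c] ?? ''), $columns);
    $values[] = $telephone;
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();

    // Number of rows actually changed. 0 means no row matched, or the matched
    // row already held these values (MySQL counts changed rows by default).
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

include 'connexion.php'; // assumed to define $conn, as in the question
try {
    $changed = update_prospect($conn, $_POST);
    echo $changed > 0 ? "Record updated successfully" : "No row was changed";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "Missing telephone";
}
```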