I am trying to add update functionality which works as follows: a form will have add, search and update buttons, which work as the names describe. On the search button, the values will be fetched from the database and retrieved into the textboxes of the form, where we can edit them and then update. I am unable to achieve this. I am trying with the following code. I'm directly getting the "result error" message and don't know where I am going wrong.

```php
<html>
<head>
<?php
include 'dbconfig.php';
$fname="";
$lname="";
$age="";
$email="";
?>
</head>
<body>
<form action="sql.php" method="POST">
<input type="text" name="fname" placeholder="Fname" value="<?php echo $fname;?>"><br>
<input type="text" name="lname" placeholder="Lname" value="<?php echo $lname;?>"><br>
<input type="number" name="age" placeholder="Age" value="<?php echo $age;?>"><br>
<input type="email" name="email" placeholder="Email" value="<?php echo $email;?>"><br><br>
<div>
<input type="submit" value="Insert" name="submit">
<input type="submit" value="search" name="search">
<input type="submit" value="Update" name="update">
</div>
</form>
</body>
<?php

function getPosts()
{
    $posts = array();
    $posts[0] = $_POST['fname'];
    $posts[1] = $_POST['lname'];
    $posts[2] = $_POST['age'];
    $posts[3] = $_POST['email'];
    return $posts;
}

if(isset($_POST['search']))
{
    $data = getposts();
    $search_query = "SELECT * from 'info' WHERE fname = $data[0]";

    if($result = mysqli_query($conn,$search_query))
    {
        if(mysqli_num_rows($result))
        {
            while($row = mysqli_fetch_array($result))
            {
                $fname = $row['fname'];
                $lname = $row['lname'];
                $age = $row['age'];
                $email = $row['email'];
            }
        }else{
            echo 'no data found';
        }
    }else{
        echo 'result error';
    }
}
?>
</html>
```

  • **You are wide open to [SQL Injections](http://php.net/manual/en/security.database.sql-injection.php) and should really use [Prepared Statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php)** instead of concatenating your queries. Especially since you're not escaping the user inputs at all! – M. Eriksson Apr 16 '17 at 12:04
  • You should also make sure that you have error_reporting turned on and that you check your error log for errors. Unless `fname` is a number, your query should definitely give you an error. You can check out this answer: http://stackoverflow.com/questions/5438060/showing-all-errors-and-warnings – M. Eriksson Apr 16 '17 at 12:07
  • But the data is not getting retrieved, which is the main cause for this post – Shahzad Khoja Apr 16 '17 at 12:24
  • Yes, and the reason is that your query fails. The link in the first comment explains why. The second comment talks about security and the recommended approach to make queries containing user inputs (and it would solve your issue as well). The third comment is about finding out _why_ your code doesn't work and how you can debug your code better. – M. Eriksson Apr 16 '17 at 12:27

0 Answers
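
The prepared-statement approach recommended in the comments, applied to the search step, as an added example that is not part of the original post. It assumes `dbconfig.php` defines `$conn` as a mysqli connection, that the table is `info` with the four columns the form uses, and that this file is `sql.php`; `findByFname` and `h` are hypothetical helper names.

```php
<?php
// Added example, not the asker's code. Assumes dbconfig.php defines $conn (mysqli),
// a table `info` with columns fname, lname, age, email, and that this file is sql.php.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw
include 'dbconfig.php';

// Hypothetical helper: first row whose fname matches, or null if there is none.
function findByFname(mysqli $conn, string $fname): ?array
{
    // The ? placeholder sends the value separately from the SQL text,
    // so it needs no quoting and cannot change the query structure.
    $stmt = $conn->prepare('SELECT fname, lname, age, email FROM `info` WHERE fname = ? LIMIT 1');
    $stmt->bind_param('s', $fname);
    $stmt->execute();
    $stmt->bind_result($f, $l, $a, $e);
    $row = $stmt->fetch() ? ['fname' => $f, 'lname' => $l, 'age' => $a, 'email' => $e] : null;
    $stmt->close();
    return $row;
}

$row = ['fname' => '', 'lname' => '', 'age' => '', 'email' => ''];
$message = '';

// Run the lookup before any HTML is printed, so the form can show the result.
if (isset($_POST['search'])) {
    try {
        $found = findByFname($conn, trim($_POST['fname'] ?? ''));
        if ($found === null) {
            $message = 'no data found';
        } else {
            $row = $found;
        }
    } catch (mysqli_sql_exception $ex) {
        error_log($ex->getMessage()); // the real reason goes to the error log
        $message = 'result error';
    }
}

// Encode values before placing them in HTML attributes or text.
function h($v): string { return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8'); }
?>
<form action="sql.php" method="POST">
<input type="text" name="fname" placeholder="Fname" value="<?php echo h($row['fname']); ?>"><br>
<input type="text" name="lname" placeholder="Lname" value="<?php echo h($row['lname']); ?>"><br>
<input type="number" name="age" placeholder="Age" value="<?php echo h($row['age']); ?>"><br>
<input type="email" name="email" placeholder="Email" value="<?php echo h($row['email']); ?>"><br><br>
<input type="submit" value="search" name="search">
</form>
<p><?php echo h($message); ?></p>
```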