1

I need my input box to be able to read the current value from the database, but also be able to change that value.

When I input something into this inputbox such as 1000, it gets posted fine. My post results from PHP look like:

Data updated col1 Supplies col2 col3 1000 col4 servicereq 2 owneremail test2 piemail test2 id1 466

So the value for col3 = 1000, but it does not get entered into the MySQL database. But the dropdown menus (serreqid, owneremail, piemail) update in MySQL fine.

How the input box is generated:

```html
<form  action='insert.php' method='post'>    
<input type='text' name=col3 id=col3 value='$col3' size='11' onblur='this.form.submit()'>
```

MySQL update:

```php
$col1=$_POST['$col1'];
$col2=$_POST['$col2'];
$col3=$_POST['$col3'];
$col4=$_POST['$col4'];
$serreqid = $_POST['servicereq'];
$owneremail = $_POST['owneremail'];
$piemail = $_POST['piemail'];
$id1 = $_POST['id1'];

$sql = "UPDATE reportlog SET service_quantity = ('$col3'), 
service_request_id = ('$serreqid'), owner_email = ('$owneremail'), 
pi_email = ('$piemail') WHERE id = ('$id1')";

if(!mysqli_query($con, $sql))
{
    echo "not updated  ";
}else{
    echo "Data updated  ";
}
```
pandemic
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 17 '17 at 13:01
  • How are you setting `$_POST['id']`? – Jay Blanchard Apr 17 '17 at 13:03
  • I'll work on preventing Little Bobby Tables later, thanks for the information. In my table the id is a surrogate key that I use for updating different rows. – pandemic Apr 17 '17 at 13:07
  • $col8 = $row['id']; – pandemic Apr 17 '17 at 13:08
  • Have you checked the error logs? – Jay Blanchard Apr 17 '17 at 13:08
  • If you don't have time to do it right the first time, when will you find the time to add it later? I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. – Jay Blanchard Apr 17 '17 at 13:09
  • I have not checked error logs, I am trying to figure out where those are located. And you are absolutely right about security. I need to implement protection from sql injection. – pandemic Apr 17 '17 at 13:14

2 Answers

0

Your HTML field names do not match the names of the $_POST keys.

```php
$col3=$_POST['$col3'];
```

should be

```php
$col3=$_POST['col3'];
```
Jay Blanchard
cmerriman
  • That works, I knew it was something simple. Thank you. – pandemic Apr 17 '17 at 13:37
  • Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 17 '17 at 14:51
-2

Use this code for updating

```php
$col1=$_POST['col1'];
$col2=$_POST['col2'];
$col3=$_POST['col3'];
$col4=$_POST['col4'];
```

and

```php
$sql = "UPDATE reportlog SET name = '$col3',service_request_id = '$serreqid',owner_email = '$owneremail',pi_email = '$piemail'  WHERE id = 1";
```
Jay Blanchard
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 17 '17 at 13:59
  • Let's not teach/propagate sloppy and dangerous coding practices. If you post an answer without prepared statements [you may want to consider this before posting](http://meta.stackoverflow.com/q/344703/). Additionally [a more valuable answer comes from showing the OP the right method](https://meta.stackoverflow.com/a/290789/1011527). – Jay Blanchard Apr 17 '17 at 13:59
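
The prepared-statement approach the comments point to, applied to the question's `UPDATE` together with the corrected `$_POST` keys, as an added example that is not part of the original thread. The integer column types, the connection details and the function name `update_reportlog` are assumptions.

```php
<?php
// Added example, not code from the thread. Assumed: the integer column types,
// the placeholder connection details, and the function name update_reportlog().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently

function update_reportlog(mysqli $con, array $post): int
{
    // Literal keys matching the form's name= attributes ('col3', not '$col3').
    foreach (['col3', 'servicereq', 'owneremail', 'piemail', 'id1'] as $key) {
        if (!isset($post[$key]) || !is_string($post[$key])) {
            throw new InvalidArgumentException("missing or malformed field: $key");
        }
    }

    // Assumed integer columns: reject anything that is not a whole number.
    $quantity = filter_var($post['col3'], FILTER_VALIDATE_INT);
    $serreqid = filter_var($post['servicereq'], FILTER_VALIDATE_INT);
    $id       = filter_var($post['id1'], FILTER_VALIDATE_INT);
    if ($quantity === false || $serreqid === false || $id === false) {
        throw new InvalidArgumentException('col3, servicereq and id1 must be integers');
    }
    $owneremail = $post['owneremail'];
    $piemail    = $post['piemail'];

    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $con->prepare(
        'UPDATE reportlog
            SET service_quantity = ?, service_request_id = ?,
                owner_email = ?, pi_email = ?
          WHERE id = ?'
    );
    $stmt->bind_param('iissi', $quantity, $serreqid, $owneremail, $piemail, $id);
    $stmt->execute();
    $changed = $stmt->affected_rows; // 0 when the row is missing or already holds these values
    $stmt->close();
    return $changed;
}

try {
    $con = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    echo update_reportlog($con, $_POST) > 0 ? 'Data updated' : 'No row changed';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'not updated: ' . $e->getMessage();
} catch (mysqli_sql_exception $e) {
    error_log($e->getMessage()); // details go to the server log, not the browser
    http_response_code(500);
    echo 'not updated';
}
```

The explicit key check turns the original symptom, a mistyped `$_POST` key silently writing an empty value, into a visible 400 response.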