PHP form can't be updated

Question

I am currently making a system for a client database management. There are four tables in mySQL for this system, which are; admin, staff, client, and project. The project table has one foreign key from the client table, which is the clientid.

Now, I have made forms for all these tables so that the user can input the data into them. Weirdly, the only form that can be updated successfully is the staff one. Both the client and project forms cannot be updated at all. It returns as successful, but the data are not altered.

Below is the staff update code.

    <?php 
    include 'database.php';

    $staffid = $_GET['staffid'];
    $sql = "SELECT * FROM staff WHERE staffid='$staffid'";
    $result = mysqli_query($conn,$sql);

    while ($row=mysqli_fetch_array($result)){
      $staffname = $row['staffname'];
      $staffemail = $row['staffemail'];
      $staffphone = $row['staffphone'];
    }

   if(isset($_POST['submit'])){
     $staffname = $_POST['staffname'];
     $staffemail = $_POST['staffemail'];
     $staffphone = $_POST['staffphone'];

   $sql = "UPDATE staff SET   

    staffname='$staffname',staffemail='$staffemail',staffphone='$staffphone'  WHERE staffid='$staffid'";

    $result = mysqli_query($conn,$sql);

    if($result){
        echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
    }
    else {
        echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
    }
}
?>


<form action="" method="post">
<table class ="table1">
<tr>
<td>Staff Name:</td> <td><input type="text" name="staffname" size="50" value="<?php echo $staffname;?>"></td>
</tr>

<tr>
<td>Staff Email:</td> <td><input type="text" name="staffemail" size="50" value="<?php echo $staffemail;?>"></td>
</tr>

<tr>
<td>Staff Phone No:</td> <td><input type="text" name="staffphone" size="50" value="<?php echo $staffphone;?>"></td>
</tr>

<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewstaff.php"'></td>
</table>
</form>

Okay now is the update code for the client table.

<?php 
include 'database.php';

$clientid = $_GET['clientid'];
$sql = "SELECT * FROM client WHERE clientid='$clientid'";
$result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());

while ($row=mysqli_fetch_array($result)){
    $clientid = $row['clientid'];
    $clientname = $row['clientname'];
    $clientno = $row['clientno'];
    $clientemail = $row['clientemail'];
    $clientadd = $row['clientadd'];
}

if(isset($_POST['submit'])){
    $clientid = $row['clientid'];
    $clientname = $row['clientname'];
    $clientno = $row['clientno'];
    $clientemail = $row['clientemail'];
    $clientadd = $row['clientadd'];

    $sql = "UPDATE client SET clientid='$clientid',clientname='$clientname',clientno='$clientno',clientemail='$clientemail',clientadd='$clientadd' WHERE clientid='$clientid'";

    $result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());

    if($result){
        echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
    }
    else {
        echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
    }
}
?>


<form action="" method="post">
<table class ="table1">
<tr>
<td>Client ID:</td> <td><input type="text" name="clientid" size="50" value="<?php echo $clientid;?>"></td>
</tr>

<tr>
<td>Client Name:</td> <td><input type="text" name="clientname" size="50" value="<?php echo $clientname;?>"></td>
</tr>

<tr>
<td>Client Phone No.:</td> <td><input type="text" name="clientno" size="50" value="<?php echo $clientno;?>"></td>
</tr>

<tr>
<td>Client Email:</td> <td><input type="text" name="clientemail" size="50" value="<?php echo $clientemail;?>"></td>
</tr>

<tr>
<td>Client Address:</td> <td><input type="text" name="clientadd" size="50" value="<?php echo $clientadd;?>"></td>
</tr>

<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewclient.php"'></td>
</table>
</form>

Maybe I'm stupid or what but I've been trying to figure out the problem for 3 hours and I'm this close to crying lol. Been reading all the threads here about updating form but still, no answer. Hope that anyone here could help me. Thank you.

Answer 1

The code you use for the client table update uses this code:

if(isset($_POST['submit'])){
    $clientid = $row['clientid'];       // $row should be $_POST
    $clientname = $row['clientname'];   // $row should be $_POST
    $clientno = $row['clientno'];       // $row should be $_POST
    $clientemail = $row['clientemail']; // $row should be $_POST
    $clientadd = $row['clientadd'];     // $row should be $_POST

But those $rows should be $_POST, else the updated data will be the same as the previous data (since $row is the result from the query SELECT * FROM client WHERE clientid='$clientid'). You do it correctly in the staff table update code:

 if(isset($_POST['submit'])){
     $staffname = $_POST['staffname'];
     $staffemail = $_POST['staffemail'];
     $staffphone = $_POST['staffphone'];

---

Please note that your your script is at risk of SQL Injection Attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, its not safe!. Use prepared parameterized statements instead.