
Other update functions work well, but when I tried to update any data, the existing value of payment rate turned to 0. Other values seem to be updated well; only the payment rate turned to 0.

Below is the HTML for the decimal input.

    <div class="form-group">
        <label class="control-label col-sm-4" >Payment Rate:</label>
        <div class="col-sm-4">
            <input type="decimal" class="form-control" name="payment" value="<?php echo "RM"; ?> <?php if(isset($row['payment_puspakom'])){ echo $row['payment_puspakom']; } ?>" required placeholder="Enter Payment Rate (RM)">
        </div>
    </div>

This is my update SQL statement.

    if(isset($_POST['submit'])){
        $id = mysqli_real_escape_string($link, $_POST["puspaid"]);
        $vehicle = mysqli_real_escape_string($link,$_POST["vehicle"]);
        $date = date("Y-m-d",strtotime($_POST["date"]));
        $specification = mysqli_real_escape_string($link,$_POST["specification"]);
        $stats = mysqli_real_escape_string($link,$_POST["stats"]);
        $next = date("Y-m-d",strtotime($_POST["next"]));
        $payment = mysqli_real_escape_string($link,$_POST["payment"]);
        $status = mysqli_real_escape_string($link,$_POST["status"]);
        $update = mysqli_real_escape_string($link,$_SESSION["idinfostaf"]);

        $updpuspa="UPDATE puspakom SET id_fkVehicle='$vehicle', id_fkPuspakomStatus='$stats', date_puspakom='$date', specification='$specification', payment_puspakom='$payment', dateNext_puspakom='$next', status_puspakom='$status', updateby_puspakom='$update' WHERE id_puspakom=".$id;
        $respuspa=mysqli_query($link,$updpuspa);
        if($respuspa){
            $success = "Record Updated Successfully";
        }
        else{
            $error = "Error Updating Record. Try Again...".mysqli_error($link);
        }
    }

I can't seem to find the mistake that I made.

yuki
  • Use prepared statements. – Enstage Jun 07 '17 at 01:24
  • prepared statement? – yuki Jun 07 '17 at 01:25
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe. – junkfoodjunkie Jun 07 '17 at 01:36
  • Also, what is the type of column for the payment-column? – junkfoodjunkie Jun 07 '17 at 01:36
  • @junkfoodjunkie the type is decimal(10,2). How can I say bye-bye to Little Bobby? Can't escaping do this? – yuki Jun 07 '17 at 02:13

1 Answer


Thanks to those that tried to answer my problem. Solved this already: I just removed the echo RM.

    <div class="form-group">
        <label class="control-label col-sm-4" >Payment Rate:</label>
        <div class="col-sm-4">
            <input type="decimal" class="form-control" name="payment" value="<?php if(isset($row['payment_puspakom'])){ echo $row['payment_puspakom']; } ?>" required placeholder="Enter Payment Rate (RM)">
        </div>
    </div>

The field is set as decimal(10,2). Putting echo RM there causes the RM to be carried along with the decimal values. That's why the values became zero after the update.

yuki
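A hardened version of the update handler, added here as an example and not the asker's code: it validates the payment rate before it reaches the DECIMAL(10,2) column, so a value like "RM 12.50" is either normalised or rejected instead of being silently coerced to 0, and it uses a mysqli prepared statement as the comments recommend. It assumes `$link` is an open mysqli connection and reuses the column names from the question's UPDATE; `parsePaymentRate` and `updatePuspakom` are names chosen for this example.

```php
<?php
// Added example, not the asker's code. Assumes $link is an open mysqli
// connection and the column names from the question's UPDATE statement.

/**
 * Normalise a submitted payment rate for a DECIMAL(10,2) column.
 * Accepts "12.50", "12", "RM 12.50" or "1,250.00" and returns a plain
 * decimal string such as "1250.00"; returns null for anything else.
 * Validating here prevents MySQL from coercing "RM 12.50" to 0.
 */
function parsePaymentRate(string $raw): ?string
{
    $clean = trim($raw);
    $clean = preg_replace('/^RM\s*/i', '', $clean); // optional currency label
    $clean = str_replace(',', '', $clean);           // thousands separators
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $clean)) {
        return null; // not a valid amount for DECIMAL(10,2)
    }
    [$int, $frac] = array_pad(explode('.', $clean, 2), 2, '');
    return $int . '.' . str_pad($frac, 2, '0'); // exact, no float rounding
}

/**
 * Update a puspakom record with a prepared statement: user input is bound
 * as data and never spliced into the SQL text, so escaping is not needed.
 */
function updatePuspakom(mysqli $link, int $id, array $f): bool
{
    $sql = "UPDATE puspakom SET id_fkVehicle=?, id_fkPuspakomStatus=?, date_puspakom=?, "
         . "specification=?, payment_puspakom=?, dateNext_puspakom=?, status_puspakom=?, "
         . "updateby_puspakom=? WHERE id_puspakom=?";
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param(
        'ssssssssi',
        $f['vehicle'], $f['stats'], $f['date'], $f['specification'],
        $f['payment'], $f['next'], $f['status'], $f['updateby'], $id
    );
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// In the form handler, replacing the string-concatenated query:
// $payment = parsePaymentRate($_POST['payment'] ?? '');
// if ($payment === null) { $error = 'Payment rate must be a number like 12.50'; }
// else { updatePuspakom($link, (int) $_POST['puspaid'], [... 'payment' => $payment ...]); }
```

Note that `type="decimal"` is not a valid HTML input type; browsers fall back to a plain text box, so the server-side check above is what actually guards the column.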