-2
```php
<?php
mysql_connect('localhost','root','admin');
mysql_select_db('test_emilian');

if(isset($_POST['update'])){
    //this is the line where I get the error
    $UpdateQuery = " UPDATE users SET ID='$_POST[id]',first name='$_POST[first_name]',Last Name='$_POST[last_name]',Email Address ='$_POST[email address]',Mobile Phone='$_POST[Mobile_Phone]',Date of Birth='$_POST[Date_of_Birth]',Gender='$_POST[Gender]',CNP='$_POST[CNP]' WHERE ID='$_POST[hidden]'"; 
    mysql_query($UpdateQuery, $con);
}

$sql="SELECT * FROM users";
$records = mysql_query($sql);
?>
<html>
<head>
    <title></title>
</head>
<body>
<div class="container">
    <div class="row">
        <div class="col-md-12">
        <h4>DataBase</h4>
        <div class="table-responsive">
<table id="mytable" class="table table-bordered table-striped" cellpadding="5" cellspacing="0" border="1">
            <thead>

<th><input type="checkbox" id="checkall" /></th>
<tr>

<th>ID</th>
<th>First Name</th>
<th>Last Name</th>
<th>Email Address</th>
<th>Mobile Phone</th>
<th>Date of Birth</th>
<th>Gender</th>
<th>CNP</th>
<th>Action</th>
</tr>
</thead>
<?php
while($user=mysql_fetch_assoc($records)) {

    echo "<form action=mydata3.php method=post>";
    echo "<tr>";
    echo "<td>" . "<input type= text name =ID value" . $user['id']."</br>"." </td>";
    echo "<td>" . "<input type=text name =first_name value". $user['first_name']." </td>";
    echo "<td>" . "<input type=text name =last_name value" .$user['last_name']." </td>";
    echo "<td>" . "<input type=text name =email address value".$user['email address']." </td>";
    echo "<td>" . "<input type=text name =Mobile_Phone value".$user['Mobile_Phone']." </td>";
    echo "<td>".  "<input type=text name =Date_of_Birth value".$user['Date_of_Birth']." </td>";
    echo "<td>".   "<input type=text name =Gender value".$user['Gender']." </td>";
    echo "<td>"."<input type=text name =CNP value".$user['CNP']." </td>";
    echo "<td>" . "<input type= hidden name =hidden value" . $user['id']."</br>"." </td>";
    echo"<td>" . "<input type = submit name = update value=update" . "<td>";
    echo "</tr>";
}
?>
```
Emil
  • Try to not use mysql_ and use either PDO or mysqli_ and look into prepared statements. Also try not to have table or column names with spaces in them, this will cause all sorts of problems. – Nigel Ren Jul 10 '17 at 08:40
  • Your column names need to be between `` quotes. And you cannot have space in your database column names. – Milan Chheda Jul 10 '17 at 08:45
  • Wrap `$_POST[id]` (and all the others) in `{}` like `{$_POST[id]}`. Also, PLEASE don't trust user input. Have some validations in place and use prepared statements. – Alex Tartan Jul 10 '17 at 08:46
  • Possible duplicate of [Reference - What does this error mean in PHP?](https://stackoverflow.com/questions/12769982/reference-what-does-this-error-mean-in-php) – gp_sflover Jul 10 '17 at 08:56
  • You have a huge set of SQL injection vulnerabilities in this `UPDATE` statement. Don't go live with this code! – halfer Jul 10 '17 at 10:17

2 Answers

0

Note that your SQL query has vulnerabilities, so you can make a small change to your code like this. This won't work for all scenarios but works to some extent. The key should be inside ''.

```php
// $con is assumed to be an open mysqli connection (e.g. from mysqli_connect())
$id = mysqli_real_escape_string($con, $_POST['id']);
$first_name = mysqli_real_escape_string($con, $_POST['first_name']);
$last_name = mysqli_real_escape_string($con, $_POST['last_name']);
$emailaddress = mysqli_real_escape_string($con, $_POST['emailaddress']);
$Mobile_Phone = mysqli_real_escape_string($con, $_POST['Mobile_Phone']);
$Date_of_Birth = mysqli_real_escape_string($con, $_POST['Date_of_Birth']);
$Gender = mysqli_real_escape_string($con, $_POST['Gender']);
$CNP = mysqli_real_escape_string($con, $_POST['CNP']);
$hidden = mysqli_real_escape_string($con, $_POST['hidden']);

// Column names that contain spaces are wrapped in backticks
$UpdateQuery = "UPDATE users SET `ID`='".$id."',`first name`='".$first_name."',`Last Name`='".$last_name."',`Email Address`='".$emailaddress."',`Mobile Phone`='".$Mobile_Phone."',`Date of Birth`='".$Date_of_Birth."',`Gender`='".$Gender."',`CNP`='".$CNP."' WHERE `ID`='".$hidden."'";
mysqli_query($con, $UpdateQuery);
```

Just a suggestion: mysql is deprecated, better to use mysqli.

Mr.Throg
  • You have replicated serious SQL injection vulnerabilities in this SQL statement. Beginners will often take code and try it verbatim, so it is a good idea to make it safe. At the very least, you should indicate in your answer that it is vulnerable. – halfer Jul 10 '17 at 10:18
  • Thanks for the edit, though escaping can still let problems through in some cases. Parameter binding is the way to go. – halfer Jul 10 '17 at 13:29
  • Yes, you are right: if you're using mysqli, then you shouldn't be escaping values yourself. Use placeholders and let the database do all the work for you. But otherwise, yes, it's also correct. – geekzeus Jul 10 '17 at 13:31
  • Thank you very much for your help. – Emil Jul 11 '17 at 13:58
0
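```php
// Array keys quoted and `Last Name` wrapped in backticks; the request values
// are still concatenated straight into the SQL string.
$UpdateQuery = "UPDATE users SET ID='".$_POST['id']."',first_name='".$_POST['first_name']."',`Last Name`='".$_POST['last_name']."',EmailAddress='".$_POST['email_address']."',MobilePhone='".$_POST['Mobile_Phone']."',DateofBirth='".$_POST['Date_of_Birth']."',Gender='".$_POST['Gender']."',CNP='".$_POST['CNP']."' WHERE ID=".$_POST['hidden'];
```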

Also change your [email address] field to [email_address]. Also use pdo or mysqli.

geekzeus
  • You have replicated serious SQL injection vulnerabilities in this SQL statement. Beginners will often take code and try it verbatim, so it is a good idea to make it safe. At the very least, you should indicate in your answer that it is vulnerable. – halfer Jul 10 '17 at 10:18
  • I just corrected his mistake, and with the answer I suggested him to use pdo or mysqli. – geekzeus Jul 10 '17 at 13:27
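
Several comments above recommend prepared statements with PDO or mysqli instead of escaping. The following is an added example, not code from the question or either answer, showing the same `UPDATE` with bound parameters and a validated row id. Assumptions: the column names are taken from the `$user[...]` keys in the question (the real schema is not shown), the `email_address` form field follows the rename suggested in the second answer, and an in-memory SQLite database (needs the `pdo_sqlite` extension) stands in for MySQL so it runs without a server.

```php
<?php
// Added example. Column names are assumed from the $user[...] keys in the
// question; in-memory SQLite stands in for the MySQL database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT,
    last_name TEXT, `email address` TEXT, Mobile_Phone TEXT,
    Date_of_Birth TEXT, Gender TEXT, CNP TEXT)');
// Constructed sample rows.
$pdo->exec("INSERT INTO users VALUES
    (1, 'Ana', 'Pop', 'ana@example.test', '0700000000', '1990-01-01', 'F', '000'),
    (2, 'Ion', 'Rus', 'ion@example.test', '0700000001', '1991-02-02', 'M', '111')");

// Fixed allow-list (form field => column). Identifiers never come from the
// request; only values do, and those are bound as parameters.
const COLUMNS = [
    'first_name' => 'first_name', 'last_name' => 'last_name',
    'email_address' => 'email address', 'Mobile_Phone' => 'Mobile_Phone',
    'Date_of_Birth' => 'Date_of_Birth', 'Gender' => 'Gender', 'CNP' => 'CNP',
];

function updateUser(PDO $pdo, array $post): int
{
    // The row selector must be a positive integer, otherwise refuse the update.
    $id = filter_var($post['hidden'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid row id');
    }
    $set = [];
    $params = [':id' => $id];
    foreach (COLUMNS as $field => $column) {
        $set[] = "`$column` = :$field";   // backticks allow the space in the name
        $params[":$field"] = (string) ($post[$field] ?? '');
    }
    $stmt = $pdo->prepare('UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed form input: the quotes are stored as data, not parsed as SQL.
$post = ['hidden' => '1', 'first_name' => "Ana', CNP='999", 'last_name' => "O'Neil",
         'email_address' => 'ana@example.test', 'Mobile_Phone' => '0700000000',
         'Date_of_Birth' => '1990-01-01', 'Gender' => 'F', 'CNP' => '000'];
echo updateUser($pdo, $post), " row(s) updated\n";
print_r($pdo->query('SELECT id, first_name, last_name, CNP FROM users')->fetchAll(PDO::FETCH_ASSOC));
try {
    updateUser($pdo, ['hidden' => '1 OR 1=1']);   // not an integer: rejected
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Against MySQL only the connection changes, for example a `mysql:host=localhost;dbname=test_emilian;charset=utf8mb4` DSN with credentials. Setting `PDO::ATTR_EMULATE_PREPARES` to `false` there makes the server, not the client library, do the parameter binding.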