Nothing happens when UPDATE button is pressed. Using Prepared Statements

Question

Form That send data to the php file is given below:

<center>
<form action="update.php" method="post">
<fieldset style="width:50%"><legend>Please do the required changes</legend><br>
<label for="Name">Name :<br></label><input name="name" type="text" size="20" maxlength="40" value="<?php echo $data2[Name]?>"><br>
<label for="CNIC">CNIC :<br></label><input name="cnic" type="text" size="20" maxlength="15" value="<?php echo $data2[CNIC]?>"><br>
<label for="Date">Booking Date :<br></label><input name="booking-date" type="date" size="20" value="<?php echo $data2[Date]?>"><br>

<!-- <label for="Ocassion">Ocassion :<br></label> -->
<label for="Ocassion">Ocassion :<br></label><input name="ocassion" type="text" size="20" maxlength="15" value="<?php echo $data2[Ocassion]?>"><br>

<label for="Address">Address :<br></label><input name="address" type="text" size="20" maxlength="11" value="<?php echo $data2[Address]?>"><br>

<label for="Phone Number">Phone Number :<br></label><input name="phone-no" type="text" size="20" maxlength="11" value="<?php echo $data2[Phone_No]?>"><br>
<label for="Bride Mobile">Bride Mobile :<br></label><input name="bride-mobile" type="number" size="20" maxlength="11" value="<?php echo $data2[Bride_Mobile]?>"><br>
<label for="Groom Mobile">Groom Mobile :<br></label><input name="groom-mobile" type="number" size="20" maxlength="11" value="<?php echo $data2[Groom_Mobile]?>"><br>
<label for="Family Mobile">Family Mobile :<br></label><input name="family-mobile" type="number" size="20" maxlength="11" value="<?php echo $data2[Family_Mobile]?>"><br>
<label for="Email">Email :<br></label><input name="email" type="text" size="20" maxlength="30" value="<?php echo $data2[EMail]?>"><br>
<label for="Who may I Thank for Refering You?">Who may I Thank for Refering You? :<br></label><input name="refering" type="text" size="20" maxlength="40" value="<?php echo $data2[Referring]?>"><br>
<label for="Do you provide consent to share images on our official web page">Do you provide consent to share images on our official web page? :<br><br></label><input type="radio" name="share" <?php echo ($data2[Share]=='Yes')?'checked':'' ?> value="Yes">Yes<br>
<input type="radio" name="share" <?php echo ($data2[Share]=='No')?'checked':'' ?> value="No">No<br><br>
<label for="If yes, with Identity">If yes, with Identity? :<br><br></label><input type="radio" name="permission" <?php echo ($data2[Permission]=='Yes')?'checked':'' ?> value="Yes">Yes<br>
<input type="radio" name="permission" <?php echo ($data2[Permission]=='No')?'checked':'' ?> value="No">No<br><br>
<!-- To center the button i'm embedding the buttons in a paragraph with an id as well. the id is used for CSS in head -->
<p id="btn">
<input type="submit" value="Update Record" name="submit_display_data_form" style="font-size:16px"></p>
</fieldset>
</form>
</center>
</body>
</html>

The php file is:

<?php error_reporting(0);
$server="localhost";
$user="root";
$password="";
$database="camouflage_studio";

$con = mysqli_connect($server,$user,$password,$database);
if (mysqli_connect_errno())
  {
  echo "Connection Error: " . mysqli_connect_error();
  }
// Updation
$stmt = $con->prepare("UPDATE 'personal_detail' SET Name = ?, CNIC = ?, Date = ?, Ocassion = ?, Address = ?, Phone_No = ?, Bride_Mobile = ?, Groom_Mobile = ?, Family_Mobile = ?, EMail = ?, Referring = ?, Share = ?, Permission = ? WHERE CNIC = ?");

$stmt->bind_param('ssssssiiissss', $_POST['name'], $_POST['cnic'], $_POST['booking-date'], $_POST['ocassion'], $_POST['address'], $_POST['phone-no'], $_POST['bride-mobile'], $_POST['groom-mobile'], $_POST['family-mobile'], $_POST['email'], $_POST['refering'], $_POST['share'], $_POST['permission'], $_POST['cnic']);

if(mysqli_stmt_execute($stmt))
{
echo '<script language="javascript" type="text/javascript"> 
                alert("Record Updated Successfully");
                window.location = "admin.php";
        </script>';
}
else
echo "Prepare Error: ",$con->error;     //remove $con->error before making ONLINE THE CODE.

$stmt->close();
$con->close();
?>
<!DOCTYPE html>
<html>
<head>
<title>Record Updation</title>
</head>

<body>
</body>
</html>

The problem is that when i press UPDATE RECORD button so just the update.php file open in browser and nothing happen. Neither error shows nor record updates.

Sorry - which statement are you executing $stmt or $sel_sql?? — Nigel Ren, Jul 21 '17 at 15:38
If you're using prepared statements (which is implied from your code, but not shown to be the case) then use them properly. — Jonnix, Jul 21 '17 at 15:39
You are wide open for SQL injection, and also to very sticky quoting issues that you may never see. Since you're using mysqli, take advantage of [prepared statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php). — aynber, Jul 21 '17 at 15:40
If it's really the case that you're executing`$sel_sql`, which is a string, not a statement object, then `mysqli_stmt_execute` won't work. — Jonnix, Jul 21 '17 at 15:43
I updated the question. I'm executing $upd_sql but still getting an error given in the updated question. — Muhammad Aatif, Jul 21 '17 at 15:59
You need to prepare, you need to use placeholders, not `$_POST`. When in doubt view the manual, http://php.net/manual/en/mysqli-stmt.execute.php. — chris85, Jul 21 '17 at 16:00
Possible duplicate of [When to use single quotes, double quotes, and backticks in MySQL](https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql) — aynber, Jul 21 '17 at 16:04
It's not really the error if the text something you decided to print. — James Z, Jul 21 '17 at 17:38
`'personal_detail'` should also not be quoted. Is the status code of your page a 500? — chris85, Jul 21 '17 at 22:31

Patrick Simard · Answer 1 · 2017-07-21T19:50:53.877

0

2 things, Date is a mysql reserved word function. In order to pass on that word as a col name you need to wrap it up in backticks. Seconde problem is that backticks are ` not ' (notice the diffrence?)

$stmt = $con->prepare("UPDATE `personal_detail` SET `Name` = ?, `CNIC` = ?, `Date` = ?, `Ocassion` = ?, `Address` = ?, `Phone_No` = ?, `Bride_Mobile` = ?, `Groom_Mobile` = ?, `Family_Mobile` = ?, `EMail` = ?, `Referring` = ?, `Share` = ?, `Permission` = ? WHERE `CNIC` = ?");

Let me know how this one goes

Also, use $stmt->error in order to track sql errors if any

edited Jul 21 '17 at 19:50

answered Jul 21 '17 at 15:40

Patrick Simard

2,294
3
24
38

let me check it. – Muhammad Aatif Jul 21 '17 at 15:43
Something is Wrong...Update Query Not Executed! :( I did as you guided – Muhammad Aatif Jul 21 '17 at 15:54
@chris85 how do i execute this query with good practice? and I'm beginner of web development – Muhammad Aatif Jul 21 '17 at 16:00
I just did the query for you. You probably missed something. – Patrick Simard Jul 21 '17 at 16:01
@MuhammadAatif It would start with `UPDATE personal_detail SET Name = ?, Date = ?....` then bind the values. A longer explanation http://php.net/manual/en/mysqli.quickstart.prepared-statements.php. – chris85 Jul 21 '17 at 16:01
@chris85 then bind->param('sss..',$_Post[...],....) am I right chris? i think i did like this somewhere else, which is the most accurate way of avoiding injection. – Muhammad Aatif Jul 21 '17 at 16:04
@MuhammadAatif Yes, and your query needs question marks, not the quoted values. You also need to remove the quotes from the columns. Quotes are only for strings. – chris85 Jul 21 '17 at 16:04
got it. let me check after some time, will be here at night if anything goes wrong goes again. :( thanks – Muhammad Aatif Jul 21 '17 at 16:06

Nothing happens when UPDATE button is pressed. Using Prepared Statements

1 Answers1