If statement doesn't execute even though condition is true

Question

I'm at a complete loss here. I've written a relatively simple PHP script which updates a database record based on user input from a HTML form. The script contains an 'if' statement which executes based a hidden input. I know that the statement executes because the SQL query executes without a problem. The problem I'm having is that there there is another if statement within which should execute if the query object is set, but apparently it doesn't because the $message variable within is not assigned a value. I know that the query object is set because when I echo it it shows up as '1'. Below is the code block in question:

<?php  
if(isset($_POST['submitted']) == 1) {
$name = mysqli_real_escape_string($dbc, $_POST['name']);
    $q = "UPDATE ".$_POST['table']." SET name = '".$name."' WHERE id = ".$_POST['id'];
    $r = mysqli_query($dbc, $q);
    echo $r;
    print_r($_POST);
    echo mysqli_error($dbc);
    if ($r) {
        $message = '<p>Operation executed successfuly</p>';
    } else {
        $message = '<p>Operation did not execute because: '.mysqli_error($dbc);
        $message .= '<p>'.$q.'</p>';
    } 
}
?>

The echoes and print_r() below the query are for debugging purposes. The code that should echo $message is above the aforementioned code block (in my script) and looks like this:

<?php if(isset($message)) {echo $message;} ?>

Also, I tried using isset() for the $r variable and also changed the condition to $r !== false but that did not make a difference. When I just echo out $message without the isset() i get the obvious " Undefined variable: message in C:\xampp\htdocs\IMS\modify.php on line 47" error. My apologies if I'm missing something glaringly obvious. I did search beforehand but all the answers were too different from my situation and my knowledge of PHP is too small for me to be able to connect dots that are that far away, if you know what I mean.

EDIT: alright, I might as well put in the entire script. It's a bit all over the place, my apologies. The $id and $table variables do show as undefined after the submit button is pressed, could that have something to do with it?

<?php
error_reporting(E_ALL);
include('config/setup.php');

$id = $_GET['id'];
$table = $_GET['table'];

if ($table == "users") {
    header('Location: index.php');
    exit;
}

?>
<html>
<head>
    <title>Update</title>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="stylesheet" type="text/css" href="css/style.css">
</head>
<body>

    <div class="back">
        <a href="category_list.php">Back</a>
    </div>
    <div class="panel">
        <?php
        if(!isset($_POST['submitted'])) {
            $q = "SELECT name FROM $table WHERE id = $id";
                $r = mysqli_query($dbc, $q);
                $row = mysqli_fetch_assoc($r);
                if($table == "categories"){
                    $type = "category";
                } else if ($table == "products") {
                    $type = "product";
                }

            echo "<p>You are changing the properties of this ".$type.": ".$row['name']."</p>";
        }
        ?>
        <?php if(isset($message)) {echo $message;} ?>
        <form action="modify.php" method="POST">
            <label for="name">New name</label>
            <input type="text" class="form-control" id="name" name="name">
            <button type="submit">Submit</button>
            <input type="hidden" name="submitted" value="1">
            <input type="hidden" name="id" value="<?php echo $id; ?>">
            <input type="hidden" name="table" value="<?php echo $table; ?>">
        </form>
            <?php  
            if(isset($_POST['submitted'])) {
                $name = mysqli_real_escape_string($dbc, $_POST['name']);
                $q = "UPDATE ".$_POST['table']." SET name = '".$name."' WHERE id = ".$_POST['id'];
                $r = mysqli_query($dbc, $q);
                echo $r;

                print_r($_POST);
                echo mysqli_error($dbc);
                if ($r !== false) {
                    $message = '<p>Operation executed successfuly</p>';
                    } else {
                    $message = '<p>Operation did not execute because: '.mysqli_error($dbc);
                    $message .= '<p>'.$q.'</p>';
                    }
                }
            ?>
    </div>
</body>

EDIT2: Alright, I came up with a "fix" that kind of solves the problem, namely, I moved the if condition up before the echo of $message and changed the condition to isset($_POST['submitted']. This will have to do, I suppose. I guess I should read up more about the order of operations when processing submitted data and parsing PHP files in general, because I am quite confused as to why this "fix" even works...

Answer 1

This (conditional) statement is a false positive:

if(isset($_POST['submitted']) == 1)

What you need to do is either break them up into two separate statements:

if(isset($_POST['submitted']) && $_POST['submitted']== 1)

or just remove the ==1.

Your code is also open to a serious SQL injection. Updating a table and setting columns from user input is not safe at all.

At best, use a prepared statement.

• https://en.wikipedia.org/wiki/Prepared_statement

However, please note that you cannot bind a table and/or a column should you want to convert that to a prepared statement method.

Therefore the following will fail (when using a PDO prepared statement as an example):

$q = "UPDATE :table SET :name = :name WHERE id = :id;

or

$q = "UPDATE ? SET name = :name WHERE id = :id;

Read the following about this method, where that cannot be used:

• Can I parameterize the table name in a prepared statement?
• Can PHP PDO Statements accept the table or column name as parameter?