
Just trying to query the database to UPDATE a row (and the data in it) from a web UI. I have a table "customer" - simply want to update the records (I have already achieved INSERT and DELETE).

I am echoing the table and including the option to update through this syntax:

    <td><a href =Scripts/Update.php?id=".$row['Customer_ID'].">Update</a> </td>";

This shows "update" at the end of every row just like I need, and when I click it, it runs the update script. GREAT.

Whilst echoing the table I have also changed the input type to text, so the user can click there, edit the data and click the update button.

The problem is however, when I try and update a record within the table, it refreshes back to the chosen header page but has not updated any of the information, just returns the row with cleared data cells. (It did not delete the row from the database, as I display the Customer ID in the table and that's still there).

My Update.php script is as follows:

    <?php
    include "../Connection.php";

    $Firstname = mysqli_real_escape_string($con, $_POST['FirstName']);
    $Lastname = mysqli_real_escape_string($con, $_POST['LastName']);
    $CusEmail = mysqli_real_escape_string($con, $_POST['Email']);
    $CusUsername = mysqli_real_escape_string($con, $_POST['Username']);
    $CusPhone = mysqli_real_escape_string($con, $_POST['Phone']);
    $CusCountry = mysqli_real_escape_string($con, $_POST['Country']);
    $CusTown = mysqli_real_escape_string($con, $_POST['Town']);
    $CusAddress = mysqli_real_escape_string($con, $_POST['Address']);
    $CusPostcode = mysqli_real_escape_string($con, $_POST['Postcode']);

    $sqlupdate = "UPDATE customer SET Customer_FirstName = '$Firstname', Customer_LName ='$Lastname', Customer_Email ='$CusEmail', Customer_Username ='$CusUsername', Customer_Phone ='$CusPhone', Customer_Country ='$CusCountry', Customer_Town ='$CusTown', Customer_Address = '$CusAddress', Customer_Postcode = '$CusPostcode' WHERE Customer_ID ='$GET_[id]'";

    mysqli_query($con, $sqlupdate);
    mysqli_close($con);

    if($sqlupdate){
        header('Location:../CustomerRecords.php');
    }
    else{
        echo "Failed!";
    }

There are a few things I have tried, for example, I usually do this from an HTML form, with the method POST, whereas this way I am doing it from an echo a href... (which is my first time). I have used this same method on the DELETE function and it works great. To follow on from that, I would usually add:

    if ($_SERVER["REQUEST_METHOD"] == "POST") {

And

    if(isset($_POST)){

Where needed, but again, tried this and get the same results.

It may be my SQL syntax is wrong but I can't figure it out, if anyone can advise that'd be great.

Thank You.

UPDATE:

I have made some changes above, I have been staring at this code a while now and just "playing" with it now... I have also tried this, but it throws errors, which seems worse off than it is now:

    $sqlupdate = "UPDATE customer SET Customer_FirstName = '$Firstname', Customer_LName ='$Lastname', Customer_Email ='$CusEmail', Customer_Username ='$CusUsername', Customer_Phone ='$CusPhone', Customer_Country ='$CusCountry', Customer_Town ='$CusTown', Customer_Address = '$CusAddress', Customer_Postcode = '$CusPostcode' WHERE Customer_ID ='$_GET[id]'";

    if(mysqli_query($con, $sqlupdate)){
        header('Location:../CustomerRecords.php');
    }
    else{
        echo "Failed!";
    }

Tipping44
  • $_GET and not $GET at the end of your query. Then see the answer below since you are not running the query – Lelio Faieta Oct 28 '17 at 15:36
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Oct 28 '17 at 15:37
  • Placing a sql query in a string literal does not execute that query against your database. Where is your `mysqli_query()` call? – RiggsFolly Oct 28 '17 at 15:38
  • $_GET changed, Thank you. Totally missed that. – Tipping44 Oct 28 '17 at 17:57
  • Thanks guys, I have edited the question with what I think you're talking about. At current, there are no errors being thrown, it's simply taking me back to my original home screen, but updates have taken no effect. And thank you @RiggsFolly - I know it's perhaps the worst way to learn, but wanted to get my head around it working, once completed going to educate myself on sql security etc. – Tipping44 Oct 28 '17 at 18:03

1 Answer


You're not actually performing the query. After:

    $sqlupdate = "UPDATE customer SET Customer_FirstName = '$Firstname', Customer_LName ='$Lastname', Customer_Email ='$CusEmail', Customer_Username ='$CusUsername', Customer_Phone ='$CusPhone', Customer_Country ='$CusCountry', Customer_Town ='$CusTown', Customer_Address = '$CusAddress', Customer_Postcode = '$CusPostcode' WHERE Customer_ID ='$GET[id]'";

You need to add:

    mysqli_query($con,$sqlupdate);

Chris
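
The prepared-statement approach recommended in the comments, applied to this Update.php, as an added example that is not code from the question or the answer. It assumes `Connection.php` provides `$con` as on the page and that each row is submitted as a POST form carrying the nine fields plus a hidden `id` input (the hidden input is an assumption); a plain `<a href>` link sends a GET request with no `$_POST` data.

```php
<?php
// Added example: Update.php rewritten with a prepared statement.
// Assumes $con is the mysqli handle from Connection.php and that the row is
// submitted as a POST form with a hidden "id" input (an assumption).
include "../Connection.php";

// Make mysqli throw on failure instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// A state-changing request must arrive as POST, not as a followed link.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Updates must be sent with POST.');
}

// Customer_ID must be a positive integer; reject anything else.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Missing or invalid customer id.');
}

// Form field names from the question, in the same order as the SET list below.
$fields = ['FirstName', 'LastName', 'Email', 'Username', 'Phone',
           'Country', 'Town', 'Address', 'Postcode'];
$values = [];
foreach ($fields as $name) {
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        http_response_code(400);
        exit("Missing field: $name"); // $name comes from the fixed list above
    }
    $values[] = trim($_POST[$name]);
}
$values[] = $id;

// Placeholders keep user data out of the SQL text entirely.
$sql = "UPDATE customer SET Customer_FirstName = ?, Customer_LName = ?, Customer_Email = ?,
        Customer_Username = ?, Customer_Phone = ?, Customer_Country = ?, Customer_Town = ?,
        Customer_Address = ?, Customer_Postcode = ? WHERE Customer_ID = ?";

$stmt = mysqli_prepare($con, $sql);
mysqli_stmt_bind_param($stmt, 'sssssssssi', ...$values); // nine strings, one integer
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
mysqli_close($con);

header('Location: ../CustomerRecords.php');
exit;
```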