-2

I'm converting my Access Database to MySQL.

I'm slowly working my way towards completion. All I'm trying to do is update a row on a table after it's displayed. The code below will display the table and contents, NO problem.

I tried different methods, and this is the closest I've gotten. After displaying the table in a browser, I change the data in a field and click Update, but it does not update. NO errors occur; it just does not get updated.

I suspect the issue is on the line that starts with `mysqli_query($con,$updatequery);`

```php
<html>
<body>
<?php
$servername = "localhost";
$username = "root";
$password = "password";
$dbname = "CallsDB";

// Create connection
$con = @new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($con->connect_error) {
   echo "Error: " . $con->connect_error;
    exit();
}

if(isset($_POST['update'])){
$updatequery = "UPDATE calls SET idcalls='$_POST[idcalls]', 
callscompanyname='$_POST[callscompanyname]', 
callsemployeename='$_POST[callsemployeename]', 
callsdate='$_POST[callsdate]', callsphonenumber='$_POST[callsphonenumber]', 
callsstatus='$_POST[callsstatus]' WHERE idcalls'$_POST[hidden]'";
mysqli_query($con,$updatequery);

}



$sql = "SELECT * FROM calls";

$mydata = mysqli_query($con, $sql);

echo "<TABLE BORDER=1><TR><TD>Call_id</FONT></TD><TD>Company</TD>
<TD>Name</TD><TD>Date</TD><TD>Phone</TD><TD>Status</TD><td></td></TR>";

while ($record = mysqli_fetch_array($mydata))
{
echo "<form action=edit_specific_call.php method=post>";   
echo "<tr>";
echo "<td>" . "<input type=text name=idcalls value=" . $record['idcalls'] . 
" ></td>";
echo "<td>" . "<input type=text name=callscompanyname value=" . 
$record['callscompanyname'] . " ></td>";
echo "<td>" . "<input type=text name=callsemployeename value=" . 
$record['callsemployeename'] . " ></td>";
echo "<td>" . "<input type=text name=callsdate value=" . 
$record['callsdate'] . " ></td>";
echo "<td>" . "<input type=text name=callsphonenumber value=" . 
$record['callsphonenumber'] . " ></td>";
echo "<td>" . "<input type=text name=callsstatus value=" . 
$record["callsstatus"] . " ></td>";
echo "<td>" . "<input type=hidden name=hidden value=" . $record['idcalls'] . 
" ></td>";
echo "<td>" . "<input type=submit name=update value=update" . " ></td>
</tr>";
echo "</form>";
}

echo "</table>";
mysqli_close($con);

?> 
</body>
</html>
```
Neil
  • 2
    Please use prepared statements. Please! Has this code gone live?? If so, undeploy it immediately. Security is the main factor in programming. – Rotimi Nov 23 '17 at 03:12
  • Also I would strongly advise that you use an mvc structure of creating applications. It'll help separate html from php. – Rotimi Nov 23 '17 at 03:14
  • 1
    `mysqli_error()` will tell you about the missing `=` – mario Nov 23 '17 at 03:18
  • You are wide open to [**SQL injection**](https://www.owasp.org/index.php/SQL_Injection). You need to use prepared statements, rather than concatenating variables into your query. See [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). – elixenide Nov 23 '17 at 03:29

1 Answer

0

One of the main issues I spotted was

```php
WHERE idcalls'$_POST[hidden]'
```

Should be

```php
WHERE idcalls = '$_POST[hidden]'
```

There are certainly some other security issues with this as well, but that's another topic.
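
An added example, not part of the original question or answer: the question's UPDATE rewritten with a mysqli prepared statement, as the comments recommend, with mysqli error reporting turned on so a malformed query raises an exception instead of failing silently. The connection credentials are placeholders, and leaving `idcalls` out of the `SET` list assumes it is the table's key and is not meant to be edited; table and column names are the ones in the question.

```php
<?php
// Added example: the UPDATE from the question as a prepared statement.
// Credentials are placeholders; table and column names come from the question.

// Make mysqli throw exceptions. A syntax error such as the missing "="
// in the WHERE clause then surfaces immediately instead of
// mysqli_query() quietly returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = new mysqli('localhost', 'app_user', 'placeholder-password', 'CallsDB');
$con->set_charset('utf8mb4');

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update'])) {
    // Read the submitted fields into variables: bind_param() binds by
    // reference, so it needs variables rather than expressions.
    $company  = (string) ($_POST['callscompanyname'] ?? '');
    $employee = (string) ($_POST['callsemployeename'] ?? '');
    $date     = (string) ($_POST['callsdate'] ?? '');
    $phone    = (string) ($_POST['callsphonenumber'] ?? '');
    $status   = (string) ($_POST['callsstatus'] ?? '');
    $id       = (int) ($_POST['hidden'] ?? 0);

    // The SQL text is fixed; the "?" placeholders are filled by the
    // driver, so quotes or SQL keywords typed into a form field are
    // treated as data and cannot alter the statement.
    // Assumption: idcalls is the key, so it appears only in WHERE.
    $stmt = $con->prepare(
        'UPDATE calls
            SET callscompanyname = ?,
                callsemployeename = ?,
                callsdate = ?,
                callsphonenumber = ?,
                callsstatus = ?
          WHERE idcalls = ?'
    );

    // Five strings followed by one integer, in placeholder order.
    $stmt->bind_param('sssssi', $company, $employee, $date, $phone, $status, $id);
    $stmt->execute();

    // 0 means no row matched the id or the values were unchanged.
    echo 'Rows updated: ' . $stmt->affected_rows;
    $stmt->close();
}

$con->close();
```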