0

I have MYSQL incoming data in HTML form inputs at page opening. When I press the update button after changing the information, the update operation is successful, but the data is not updated.

<?php


$servername = "";
$username = "";
$password = "";
$dbname = "";

$baglan = mysqli_connect($servername,$username,$password,$dbname) or die(mysqli_connect_error());


$place = $_POST['n_place'];
$description = $_POST['n_description'];
$latitude = $_POST['lat'];
$longitude = $_POST['long'];
$kayitliyer = $_POST['search_new_places'];
$yetkiliad = $_POST['n_yetkiliad'];
$magazaad = $_POST['n_magazaad'];
$telefon = $_POST['n_telefon'];
$yetkilitelefon = $_POST['y_telefon'];
$derece = $_POST['derece'];
$country = $_POST['country'];


$sql =  "UPDATE tbl_places SET place='$place',description='$description',lat='$latitude', lng='$longitude', kayitliyer='$kayitliyer',
yekiliad='$yetkiliad', magazaad='$magazaad', telefon='$telefon', yetkilitelefon='$yetkilitelefon', derece='$derece' WHERE place_id='$gID' ";



if (mysqli_query($baglan,$sql)) {
  echo '<br/><div class="container"><div class="alert alert-success" role="alert">
              Kayıt Güncelleme <b>Başarılı :-)</b> <a href=javascript:history.back(-1)>Geri Dön</a>
             </div></div> ';
}else {
  echo '<br/><div class="container"><div class="alert alert-danger" role="alert">
              Güncelleme İşlemi <b>Başarız!</b> <a href=javascript:history.back(-1)>Geri Dön</a>
             </div></div>'. mysqli_error($baglan);
}



?>

HTML Page Form SELECT Query. Thanks for your reply. I get the value of "$gID" from the HTML form page, where I entered the DB data with a SELECT query. UPDATE

  <?php
 //UPDATE ID
   $gID = $_GET["place_id"];

   include ("baglanti.php");

 $sorgu = mysqli_query($baglan,"select * from tbl_places where place_id='$gID'");


  while($goster = mysqli_fetch_array($sorgu)){
  $grupadi = $goster["place"];
  $id = $goster["place_id"];
  $desc = $goster["description"];
  $adres = $goster["kayitliyer"];
  $yetkiliad = $goster["yekiliad"];
  $magazaad = $goster["magazaad"];
  $telefon = $goster["telefon"];
  $yetkilitelefon = $goster["yetkilitelefon"];
  $derece = $goster["derece"];
  $country = $goster["country"];
  $lat =$goster["lat"];
  $long = $goster["lng"];
  }
 ?>
<!DOCTYPE html>
<html lang="tr">
<head>
CodeOfis

1 Answer

-3

You should be using PDO for this, for security and code cleanliness. Apart from that, and without more info on where $gID comes from, I'd try removing the single quotes around the value it's compared to, since it probably is an integer and not a string:

$sql =  "... WHERE place_id=$gID";
Miguel Calderón
  • It doesn't really make a difference between using `mysqli_` or `PDO_` - the real difference is using `prepared statements` vs. not using them. Prepared statements can be used with mysqli_ as well as with PDO_. So to use "PDO for security" isn't true. It's about using "prepared statements for security" - PDO and prepared statements are not the same!!! http://bobby-tables.com – Twinfriends Feb 22 '18 at 09:53
  • PDO compels you to use prepared statements, while mysqli doesn't. That's one reason I prefer PDO and the reason I recommend it. – Miguel Calderón Feb 22 '18 at 09:57
  • Thanks for your reply. I get the value of "$ gID" from the HTML form page, where I entered the DB data with a SELECT query. – CodeOfis Feb 22 '18 at 09:58
  • Can you add the part of your PHP code where you get its value, please? – Miguel Calderón Feb 22 '18 at 09:59
  • Why does PDO compel me to use prepared statements? – Twinfriends Feb 22 '18 at 10:06
  • I downvoted because you're giving advice, not providing an answer. – Cemal Feb 22 '18 at 10:06
  • Vote as you wish, but I did provide an answer with example code. – Miguel Calderón Feb 22 '18 at 10:12
  • @Miguel Still wondering where PDO compels me to use prepared statements? – Twinfriends Feb 22 '18 at 10:17
  • If you check the API and examples of PDO, you'll see it's supposed to be used with prepared statements. You don't just throw an SQL query at it as you do (did) with mysql and friends. – Miguel Calderón Feb 22 '18 at 10:21
  • @Miguel And what holds me back from doing `$conn->query("SELECT * FROM table WHERE attr = $value")->fetchAll();` - Nothing. So I don't really see why it "compels" me to use prepared statements. You can write insecure statements with PDO as well, so saying "use PDO for security reason" is just simply not true at all. – Twinfriends Feb 22 '18 at 10:26
  • Of course you can! I didn't say otherwise. But it's supposed to be used with prepared statements, it has an API for that, it compels you to use them (but it doesn't force you to). – Miguel Calderón Feb 22 '18 at 10:30
  • Well, "compels" means "to force" ;) - Also `mysqli_*` can be used with prepared statements as well. So I don't really see any point of switching to PDO as long as you don't have any performance problems. For my part I always use PDO just because I know the syntax, but there's no advantage to `mysqli` in terms of security. – Twinfriends Feb 22 '18 at 10:33
  • 1
    As I said, I prefer PDO, coding with it looks cleaner to me, and encourages (better than "compels", right?) good security practices. Use whatever you prefer, I recommend PDO. – Miguel Calderón Feb 22 '18 at 10:39
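
The thread's two threads of discussion, shown together as an added example (not code from the question or the answer): bound parameters are what keep input out of the SQL text, whichever driver is used, and a statement can run without error while changing no row. It uses PDO with in-memory SQLite as a stand-in for MySQL so it runs offline; `updatePlace()`, the cut-down table, the sample submissions and the idea that `place_id` is posted with the form are assumptions.

```php
<?php
// Added example. In-memory SQLite stands in for MySQL; table reduced to three columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_places (place_id INTEGER PRIMARY KEY, place TEXT, description TEXT)');
$db->exec("INSERT INTO tbl_places VALUES (7, 'Old name', 'Old text')");

// Hypothetical helper: bound-parameter UPDATE that returns the number of rows changed,
// so the caller can tell "statement ran" apart from "a row was updated".
function updatePlace(PDO $db, array $post): int
{
    // Assumption: place_id is posted with the form (e.g. a hidden field).
    $id = filter_var($post['place_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('place_id missing or not a positive integer');
    }
    $stmt = $db->prepare(
        'UPDATE tbl_places SET place = :place, description = :description
         WHERE place_id = :id'
    );
    $stmt->execute([
        ':place'       => (string) ($post['n_place'] ?? ''),
        ':description' => (string) ($post['n_description'] ?? ''),
        ':id'          => $id,
    ]);
    return $stmt->rowCount();
}

// Constructed sample submissions.
$good  = ['place_id' => '7',   'n_place' => "Ali's shop", 'n_description' => 'New text'];
$noRow = ['place_id' => '999', 'n_place' => 'X',          'n_description' => 'Y'];
$noId  = ['n_place' => 'X', 'n_description' => 'Y'];

printf("id 7: %d row(s) changed\n", updatePlace($db, $good));    // apostrophe travels as data
printf("id 999: %d row(s) changed\n", updatePlace($db, $noRow)); // runs without error, matches nothing
try {
    updatePlace($db, $noId);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Same driver, same input, but concatenated into the SQL text:
// the apostrophe closes the string literal early and the statement no longer parses.
try {
    $db->query("UPDATE tbl_places SET place = '{$good['n_place']}' WHERE place_id = 7");
} catch (PDOException $e) {
    echo "concatenated query failed to parse\n";
}
```

With mysqli the equivalent calls are `mysqli_prepare()`, `mysqli_stmt_bind_param()` and `mysqli_stmt_affected_rows()`. MySQL by default counts only rows whose values actually changed, so an update that writes identical values also reports zero.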