-1

I am trying to update my database using a php file that has an html form in it. When I hit 'update' in the url bar, the updated information is showing. But when I go back to my HTML page that shows me everything in my database, it still has the old information.

What am I not doing?

I know there are security issues, like not using a session, or sanitizing the data, or using my_sql in general. This is just for a school project. After the semester I will be closing the hosting account.

EDIT: I moved the "$id = $_GET['id'];" line above the update query so that "$id" would be defined before query. Updated code.

EDIT2: After following the comments about turning on errors and displaying them after the update query, it showed that the ID was not in fact being read back in. So I added a hidden input value for the ID to give back to the file after the submit button was hit.

```php
<?php
error_reporting(E_ALL & ~E_DEPRECATED);
ini_set('display_errors', 1);

$host = 'hose';
$user = 'user';
$pass = 'pass';
$database = 'database';
$table = 'table';

//connecting to server
$conn = mysql_pconnect($host, $user, $pass);

//opening to database
if (!($db = mysql_select_db($database))) {
    echo "Could NOT connect to database.";
}

//gathering new data from update form
//(values go into the query unescaped; see the comments about SQL injection)
if (isset($_GET['submit'])) {
    $title = $_GET['title'];
    $year = $_GET['year'];
    $director = $_GET['director'];
    $genre = $_GET['genre'];
    $runtime = $_GET['runtime'];
    $id = $_GET['id'];
    $query = mysql_query("UPDATE `collection`
        SET `title`='$title', `year`='$year', `director`='$director', `genre`='$genre', `runtime`='$runtime'
        WHERE `ID`='$id'");
}

//passing in ID number and running query
//(identifiers take backticks; single quotes would make the table name a string literal)
$id = $_GET['id'];
$query = "SELECT * FROM `$table` WHERE ID = '$id'";
$result = mysql_query($query);
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}

//getting row data for ID number
$row = mysql_fetch_array($result);

?>

<!DOCTYPE html>
<html>
  <head>
    <meta content="text/html;charset=utf-8" http-equiv="Content-Type">
    <meta content="utf-8" http-equiv="encoding">
    <title>title</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="stylesheet" href="webpage.css">
    <style type="text/css">
      table, th, td {
        border: 0px solid black;
        border-collapse: collapse;
      }
      table {
        margin: auto;
        width: 50%;
      }
      td {
        padding: 5px;
      }
      img {
        text-decoration: none;
      }
    </style>
  </head>
  <body class="subStyle">

    <div class="topnav">
      <a href="#">Home</a>
      <a href="#">Database</a>
      <a href="#">Insert</a>
    </div>

    <form class='form' method='get'>
      <table border=0>
        <tr>
          <th>Movie Title</th>
          <th>Year Made</th>
          <th>Director</th>
          <th>Genre</th>
          <th>Runtime(Minutes)</th>
        </tr>

        <tr>
          <td><input type=text name="title"    id="title"    maxlength=100 size=50 value="<?php echo $row['title']; ?>"></td>
          <td><input type=text name="year"     id="year"     maxlength=4   size=10 value="<?php echo $row['year']; ?>"></td>
          <td><input type=text name="director" id="director" maxlength=100 size=30 value="<?php echo $row['director']; ?>"></td>
          <td><input type=text name="genre"    id="genre"    maxlength=20  size=20 value="<?php echo $row['genre']; ?>"></td>
          <td><input type=text name="runtime"  id="runtime"  maxlength=4   size=20 value="<?php echo $row['runtime']; ?>"></td>
          <!-- hidden field added in EDIT2 so the ID is sent back on submit -->
          <td><input type=hidden name="id"  id="id"  value="<?php echo $row['ID']; ?>"></td>
        </tr>

        <tr><td></td><td></td><td>
          <button class='submit' type='submit' name='submit' value='update'>Update Movie</button></td></tr>
      </table>
    </form>
  </body>
</html>

<?php

//show a confirmation after a submit (this does not check the query result)
if (isset($_GET['submit'])) {
    echo '<div class="form" id="form3"><br><br><br><br><br><br>
    <span>Data Updated Successfully</span></div>';
}

//close connection
mysql_close($conn);
?>
```
Funk Forty Niner
  • "What am I not doing?" Not protecting your database in any way from SQL injection attacks. – Devon Bessemer Apr 14 '18 at 01:28
  • I did say that I know that there is no security. I also said that this is just a school project and will be shutting down the page after the semester. – Ruttle Head Apr 14 '18 at 01:29
  • Fair enough, you wrote a lot and included a lot of code so I didn't read it thoroughly. – Devon Bessemer Apr 14 '18 at 01:30
  • dude, free advice: update to php 7.2 and forget all of this. – Cas Bloem Apr 14 '18 at 02:01
  • In regards to your "EDIT 2"; why didn't you add your own answer? You're not the one who solved it completely and [by adding something](https://stackoverflow.com/questions/49826998/php-update-query-not-updating-database#comment86669919_49827028). @RuttleHead By the way; you're open to a serious sql injection here. Use a prepared statement if you value your work and the time you spent on it and plan to spend more. You will actually save time by learning mysqli and pdo. Don't wait till it's too late. – Funk Forty Niner Apr 14 '18 at 02:27

1 Answer

0

Your code is insecure - Why shouldn't I use mysql_* functions in PHP?

I think the issue is down to variables not being defined - in your query:

```sql
UPDATE '$table' SET `title`='$title', `year`='$year',
`director`='$director', `genre`='$genre', `runtime`='$runtime'
WHERE `ID`='$id'
```

$id is not defined

Funk Forty Niner
bhttoan
  • $table looks to be defined, but $id is not defined before the update query. – Devon Bessemer Apr 14 '18 at 01:32
  • Good spot, will update the answer as did not see $table – bhttoan Apr 14 '18 at 01:33
  • I moved "$id = $_GET['id'];" above the update query and it still isn't updating the database. – Ruttle Head Apr 14 '18 at 01:38
  • Add an or die(mysql_error()) to the end of your update query – bhttoan Apr 14 '18 at 01:39
  • @bhttoan I added that to the end of the query line, but it doesn't change anything. There are no errors that show. – Ruttle Head Apr 14 '18 at 01:50
  • Turned on errors, now I'm able to see that it is in fact not getting the ID field. I thought that it would keep the id number even if it refreshed because it was in the url bar. I added a hidden input that passed the id back to the php file and now it works. Will show corrected code. Thank you @bhttoan for your help! – Ruttle Head Apr 14 '18 at 02:04
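
The prepared-statement approach recommended in the comments, as an added example that is not part of the original thread or the asker's code. It assumes PDO with an in-memory SQLite database standing in for MySQL so it runs offline; the helper `updateMovie()` and the sample row and form values are constructed for illustration, while the table and column names follow the question.

```php
<?php
// Added example, not the asker's code: the question's UPDATE as a PDO prepared
// statement. In-memory SQLite (an assumption, so it runs offline) stands in for
// MySQL; table and column names follow the question. updateMovie() is hypothetical.
declare(strict_types=1);

function updateMovie(PDO $pdo, array $in): int
{
    // A missing id was the original bug: fail loudly instead of matching no rows.
    $id = filter_var($in['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('missing or invalid id');
    }
    // Values travel separately from the SQL text, so quotes in them are just data.
    $stmt = $pdo->prepare(
        'UPDATE collection
            SET title = :title, year = :year, director = :director,
                genre = :genre, runtime = :runtime
          WHERE ID = :id'
    );
    $stmt->execute([
        ':title'    => (string) ($in['title'] ?? ''),
        ':year'     => (int) ($in['year'] ?? 0),
        ':director' => (string) ($in['director'] ?? ''),
        ':genre'    => (string) ($in['genre'] ?? ''),
        ':runtime'  => (int) ($in['runtime'] ?? 0),
        ':id'       => $id,
    ]);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE collection (ID INTEGER PRIMARY KEY, title TEXT, year INTEGER,
            director TEXT, genre TEXT, runtime INTEGER)');
$pdo->exec("INSERT INTO collection VALUES (1, 'Old title', 1999, 'Someone', 'Drama', 100)");

// Constructed form input; the apostrophe would break the interpolated query.
$form = ['id' => '1', 'title' => "Ocean's Eleven", 'year' => '2001',
         'director' => 'Steven Soderbergh', 'genre' => 'Crime', 'runtime' => '116'];
echo 'rows updated: ', updateMovie($pdo, $form), PHP_EOL;

// Escape on output as well, since the form echoes values into an attribute.
$row = $pdo->query('SELECT * FROM collection WHERE ID = 1')->fetch(PDO::FETCH_ASSOC);
echo '<input name="title" value="', htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), '">', PHP_EOL;

try {
    updateMovie($pdo, ['title' => 'no id submitted']);   // the case from EDIT2
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With MySQL, `rowCount()` reports 0 by default when the submitted values equal the stored ones, so treat 0 as "nothing changed" rather than as an error.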