Why is my gap using both insert and update?

Question

I want to update and insert using an if-else statement, but the query always goes "Insert" data. No "update" anyway. My code is below:

<form method="post" action="">
    <label>ID: </label> <input type="text" name="id">
    <label>Subject: </label> <input type="text" name="subject">
    <input type="submit" name="submit">
</form>

<?php 
$conn = new mysqli("localhost", "root", "", "zidm"); 

$id=$_POST['id'];
$subject=$_POST['subject'];


if (isset($_POST['submit'])){
      $sql = "UPDATE exam  SET $subject = '$marks'  WHERE id = '$id'";    
    mysqli_query($conn,$sql);
    echo "Data Updated";
  }
  else {
 $sql="INSERT INTO exam ($subject, x_sess, x_class, x_exam, x_roll) VALUES ('$marks', '$ex_sess', '$class', '$exam', '$roll')";
    mysqli_query($conn,$sql);
    echo "Data Inserted";
  }

  ?>

The first time you load the page `$_POST['submit']` is not defined thus the if statement goes to the `else` clause causing the insert query to be executed. — Tom Udding, May 24 '18 at 07:03
Your script is at risk of [SQL Injection Attack](https://stackoverflow.com/q/60174/5914775). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, its not safe!](https://stackoverflow.com/q/5741187/5914775). Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. — Tom Udding, May 24 '18 at 07:03
I don't know what your script does besides what you show us, but I suggest you don't do anything on the page load (unless necessary) and than after the form submit check if the data (`id`?) exists and if it does exist execute the update query. — Tom Udding, May 24 '18 at 07:11
Write another `if` statement inside you current `if` based on the condition you want (which you haven't stated here, so we don't know it) — brombeer, May 24 '18 at 07:11
Read up on the INSERT statement, and all the wonderful options contained therein — Strawberry, May 24 '18 at 07:28

score 0 · Answer 1 · edited May 24 '18 at 07:47

<form method="post" action="">
    <label>ID: </label> <input type="text" name="id">
    <label>Subject: </label> <input type="text" name="subject">
    <input type="submit" name="submit">
</form>

<?php 
    $conn = new mysqli("localhost", "root", "", "zidm"); 

    $id=$_POST['id'];
    $subject=$_POST['subject'];


    if (isset($_POST['submit'])){

     $sql = "select id from exam WHERE id = $id";    
     $result = mysqli_query($conn,$sql);
      if($result)
      {
         $sql = "UPDATE exam  SET $subject = $marks WHERE id = $id";    
         mysqli_query($conn,$sql);
         echo "Data Updated";
      }
      else
      {
         $sql="INSERT INTO exam ($subject, x_sess, x_class, x_exam, x_roll) VALUES ($marks, $ex_sess, $class, $exam, $roll)";
         mysqli_query($conn,$sql);
         echo "Data Inserted";
      }
   }
?>

I want to insert a value which has not inserted before. If data has already inserted before then I want to update previous data. I think it was simple but I failed. — IT Circle, May 24 '18 at 11:56

Why is my gap using both insert and update?

1 Answers1