-1

Can I please have some help with a problem I'm having updating a mysql database with PHP.
I'm sorry to ask a question that has been asked a lot of times before, it's just driving me a bit nuts, and I've looked through similar questions but the answers don't seem to help with my problem.

I'm using two files, an admin page (admin.php) to edit content with, and an update file that is meant to update the database when the submit button is pressed.
Everything seems to be working fine, the values are being posted to the update.php page (I can see them when I echo them out) but it wont update the database.

If anyone can please point me in the right direction or tell me what I'm doing wrong I'd be very grateful!

Thank you very much:)

This is my admin.php page;

<head>
<?php

/*
Check to see if the page id has been set in the url. 
If it has, set it as the $pageid variable,
If it hasn't, set the $pageid variable to 1 (Home page)
*/
if (isset($_GET['pageid'])) {
$pageid = $_GET['pageid'];
}
else { 
$pageid = '1';
}

//Database connection variables
$servername = "localhost";
$username = "root";
$password = "";
$database = "cms";

// Create connection
$conn = new mysqli($servername, $username, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

//Get information from the database
$sql = "SELECT title, sub_title, tab1, tab2, tab3, content FROM data WHERE id='$pageid'";
$result = $conn ->query($sql);

if ($result->num_rows > 0)
{
while($row = $result->fetch_assoc()) {
$conn->close();

//Store database information in variables to display in the form
$title = $row["title"];
$sub_title = $row["sub_title"];
$tab1 = $row["tab1"];
$tab2 = $row["tab2"];
$tab3 = $row["tab3"];
$content = $row["content"];
}
} else {
echo "0 results";
}
?>
</head>
<body>

//basic navigation
<a href="admin.php?pageid=1">Page 1</a>  |  <a href="admin.php?pageid=2">Page 2</a>  |  <a href="admin.php?pageid=3">Page 3</a>

<form action="update.php" method="post" name="adminform">
<input type="hidden" name="pageid" value="<?php echo "$pageid";?>">
NAME:<br>
<input type="text" name="title" value="<?php echo $title;?>"><br><br>
EMAIL:<br>
<input type="text" name="sub_title" value="<?php echo $sub_title;?>"><br><br>
CONTENT:<br>
<input type="text" name="tab1" value="<?php echo $tab1;?>"><br><br>
CONTENT:<br>
<input type="text" name="tab2" value="<?php echo $tab2;?>"><br><br>
CONTENT:<br>
<input type="text" name="tab3" value="<?php echo $tab3;?>"><br><br>
CONTENT:<br>
<textarea rows="4" cols="50" name="content">
<?php echo $content;?>
</textarea>
<br><br>
<input type="submit">
</form>         

</body>

And this is the update.php page;

<?php
/*Values passed from the admin form, to be used as update variables*/
if (isset($_POST['adminform'])) 
{  
$pageid = $_POST["pageid"];
$titleu = $_POST["title"];
$sub_titleu = $_POST["sub_title"];
$tab1u = $_POST["tab1"];
$tab2u = $_POST["tab2"];
$tab3u = $_POST["tab3"];
$contentu = $_POST["content"];      
}
?>

<?php
if(isset($_POST['adminform']))    
{      
// Create connection
$conn = new mysqli($servername, $username, $password, $database);
// Check connection
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

//Update the database
$sql = "UPDATE data SET title='$titleu', sub_title='$sub_titleu', tab1='$tab1u', tab2='$tab2u', tab3='$tab3u', content='$contentu' WHERE id =='$pageid'";
$result = $conn ->query($sql);   
$conn->close();
}
?>
user2817369
  • 1
  • 4
    change `WHERE id =='$pageid'";` to `WHERE id ='$pageid'";` MySQL doesn't uses `==` for comparison – Abhishek Jun 14 '18 at 09:29
  • If you had any error reporting, you would have probably found this already. – Nigel Ren Jun 14 '18 at 09:30
  • 3
    Also, http://bobby-tables.com to learn about SQL injections. Your code is really vulnerable to injections and your whole database could be deleted in a few seconds without any problems. Just use prepared statements whenever you query the database with user inputs. – Twinfriends Jun 14 '18 at 09:32
  • This should be a MySQL syntax error. A lot of problems can be detected and resolved by [enabling exceptions in `mysqli`](https://stackoverflow.com/questions/14578243/turning-query-errors-to-exceptions-in-mysqli) so mistakes aren't easily ignored. – tadman Jun 14 '18 at 09:50

2 Answers2

0

You're using == instead of = on the where clause. On the other hand, don't pass user values to the query without validation and sanitization if you don't want to be vulnerable to sql injection attacks.

$sql = "UPDATE data SET title='" . $conn->real_escape_string($titleu) . "', sub_title='" . $conn->real_escape_string($sub_titleu) . "', tab1='" . $conn->real_escape_string($tab1u) . "', tab2='" . $conn->real_escape_string($tab2u) . "', tab3='" . $conn->real_escape_string($tab3u) . "', content='" . $conn->real_escape_string($contentu) . "' WHERE id = " . (int)$pageid;

This will work, but is not very elegant solution. You may use prepared statements instead, to pass the correct types and prevent sql injection.

David Strencsev
  • 1,065
  • 11
  • 11
  • 1
    Using prepared statements would actually be a shorter answer than what you've got here with manual escaping. – tadman Jun 14 '18 at 09:49
-2

Check your DB Connections and test whether you are connected to DB or not.

Change your query as below

$sql = "UPDATE data SET title='".$titleu."', sub_title='".$sub_titleu."', tab1='".$tab1u."', tab2='".$tab2u."', tab3='".$tab3u."', content='".$contentu."' WHERE id ='$pageid'";
sree
  • 389
  • 5
  • 17
  • I see this all the time and I'm always baffled by it. PHP can interpolate variables inside of strings, there's no reason to switch to concatenation. This code is functionally identical, just a whole lot longer. – tadman Jun 14 '18 at 09:50