
I want to edit the data in MySQL, but it gives an error and I can't find it. The code below is meant to make the edit possible. Thank you for your reply.

if (isset($_POST['update']))
{ 
    include $_SERVER["DOCUMENT_ROOT"] . "/EZ2XS/testopdracht/html/config.php";

    $tag            = $_POST['tag'];
    $nr             = $_POST['nr'];
    $reference      = $_POST['reference'];
    $scores         = $_POST['scores'];
    $evaluates      = $_POST['evaluates'];
    $observations   = $_POST['observations'];
    $conform        = $_POST['conform'];
    $reports        = $_POST['reports'];
    $query = "UPDATE `afwijking` SET 

        `tag`           ='$tag',
        `nr`            ='$nr',
        `reference`     ='$reference',
        `scores`        ='$scores',
        `evaluates`     ='$evaluates',
        `observations`  ='$observations',
        `conform`       ='$conform',
        `reports`       ='$reports',
        WHERE `ID`.`ID' = '1';";

    $result = mysqli_query($conn, $query);

    if ($conn->query($query) === TRUE)
    {
       echo 'DATA Updated';

    } else {
        echo 'DATA NOT UPDATED';
    }
    mysqli_close($conn);
}  

And here is my table that gets its info from MySQL:

while($row = mysqli_fetch_array($records))
{
    echo "<tr><form method=post>";
    echo "<td><input type=text name=tag value='".$row['tag']."'></td>";
    echo "<td><input type=text name=nr value='".$row['nr']."'></td>";
    echo "<td><input type=text name=reference value='".$row['reference']."'></td>";
    echo "<td><input type=text name=scores value='".$row['scores']."'></td>";
    echo "<td><input type=text name=evaluates value='".$row['evaluates']."'></td>";
    echo "<td><input type=text name=observations value='".$row['observations']."'></td>";
    echo "<td><input type=text name=reports value='".$row['reports']."'></td>";
    echo "<td><input type=text name=conform value='".$row['conform']."'></td>";
    echo "<input type=hidden name=id value='".$row['ID']."'>";
    echo "<td><input type=submit name=update></td>";
    echo "</form></tr>";
}   
  • **Given what error** – RiggsFolly Jul 10 '18 at 20:59
  • 2
    Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) Even [if you are escaping inputs, its not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Jul 10 '18 at 20:59
  • `WHERE \`ID\`.\`ID\'` 1) Mixing quotes and backticks incorrectly. 2) There is no table in that query called `ID`, so try `WHERE ID = 1` – RiggsFolly Jul 10 '18 at 21:01
  • There is absolutely one or more errors here. WHERE `ID`.`ID' = '1'...combination of tick and quote. Also, id.id would mean a table called id containing a column called id. – Bleach Jul 10 '18 at 21:02
  • 2
    Why do you call mysqli_query and $conn->query? Looks like duplicity for me – Eakethet Jul 10 '18 at 21:02
  • `WHERE ID.ID = '1';` should be `WHERE afwijking.ID = '1'` ... And remove the backticks; they are not needed. – Raymond Nijland Jul 10 '18 at 21:02
  • Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it’s worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")` The procedural interface is an artifact from the PHP 4 era when `mysqli` API was introduced and should not be used in new code. – tadman Jul 10 '18 at 21:03
  • @RaymondNijland I was not picking on you, just pointing out a woops – RiggsFolly Jul 10 '18 at 21:06
  • @RaymondNijland Oh good. With the new code of conduct, I am almost afraid to make any kind of comment at all now – RiggsFolly Jul 10 '18 at 21:10
  • Wow! Hi all. Thank you for your replies. For now it is just to get this on my localhost; it's for my own use. That it is open to injections, I do not mind. It is true that I have an ID in my SQL, and after changing the WHERE clause to WHERE afwijking.ID = '1'; as Raymond describes, and removing the backticks, my script is still not working? – Frank Manuela Thijssen Jul 10 '18 at 21:42
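The comments above point at three separate problems in the posted UPDATE: the mixed quote/backtick in `WHERE \`ID\`.\`ID'`, the stray trailing comma after `\`reports\`='$reports',` (which is why the query still fails after the WHERE clause alone is corrected), and the unescaped interpolation of `$_POST` values into the SQL string. The following is an added example, not the asker's or any commenter's code, showing the same UPDATE written as a mysqli prepared statement in the object-oriented style tadman recommends. It assumes `config.php` defines `$conn` as a connected `mysqli` object (the question's own code already calls `$conn->query()`), that the table and column names are exactly those in the question, that every updated column holds a string, and that the row is selected by the form's hidden `id` field rather than a hard-coded `'1'`. The `updateAfwijking()` and `renderRow()` function names are my own.

```php
<?php
// Added example: prepared-statement version of the question's UPDATE.
// Assumes config.php defines $conn as a connected mysqli object.

// Make mysqli throw exceptions instead of returning false, so a broken
// query surfaces as a logged error rather than a bare 'DATA NOT UPDATED'.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include $_SERVER["DOCUMENT_ROOT"] . "/EZ2XS/testopdracht/html/config.php";

// Whitelist of the columns the form is allowed to change (names from the question).
const AFWIJKING_FIELDS = ['tag', 'nr', 'reference', 'scores', 'evaluates',
                          'observations', 'conform', 'reports'];

function updateAfwijking(mysqli $conn, array $post): bool
{
    // The target row comes from the form's hidden "id" field and must be an integer.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        return false;
    }

    // Column names are fixed identifiers from the whitelist; user-supplied values
    // are never interpolated into the SQL text, only bound as parameters.
    // Note: no trailing comma before WHERE, and WHERE names the ID column directly.
    $setClauses = [];
    $values = [];
    foreach (AFWIJKING_FIELDS as $field) {
        $setClauses[] = "`$field` = ?";
        $values[] = (string)($post[$field] ?? '');
    }
    $sql = "UPDATE `afwijking` SET " . implode(', ', $setClauses) . " WHERE `ID` = ?";

    // One "s" per string column, then "i" for the integer ID.
    $types = str_repeat('s', count(AFWIJKING_FIELDS)) . 'i';
    $values[] = $id;

    $stmt = $conn->prepare($sql);
    $stmt->bind_param($types, ...$values);
    $stmt->execute();
    $affected = $stmt->affected_rows; // 0 means the row exists but nothing changed
    $stmt->close();
    return $affected >= 0;
}

// Renders one table row; every value from the database is HTML-escaped before
// being placed inside a quoted attribute, so stored data cannot break out of it.
function renderRow(array $row): string
{
    $html = '<tr><form method="post">';
    foreach (AFWIJKING_FIELDS as $field) {
        $value = htmlspecialchars((string)($row[$field] ?? ''), ENT_QUOTES, 'UTF-8');
        $html .= "<td><input type=\"text\" name=\"$field\" value=\"$value\"></td>";
    }
    $idValue = htmlspecialchars((string)($row['ID'] ?? ''), ENT_QUOTES, 'UTF-8');
    $html .= "<input type=\"hidden\" name=\"id\" value=\"$idValue\">";
    $html .= '<td><input type="submit" name="update"></td></form></tr>';
    return $html;
}

if (isset($_POST['update'])) {
    try {
        echo updateAfwijking($conn, $_POST) ? 'DATA Updated' : 'DATA NOT UPDATED';
    } catch (mysqli_sql_exception $e) {
        // Log the real database error server-side; do not echo SQL details to the browser.
        error_log($e->getMessage());
        echo 'DATA NOT UPDATED';
    }
    $conn->close();
}
```

Because the values are bound rather than concatenated, a submitted field containing a quote or a semicolon is stored literally instead of altering the statement, which is the point RiggsFolly's first comment makes. `mysqli_report()` is what makes the original silent failure visible: with the trailing comma still in place, `prepare()` would throw a `mysqli_sql_exception` carrying MySQL's syntax-error message, which is the "error" the question could not locate.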
