
I want to edit my data in a database called simple_stall with table order_detail. Currently I have done a page that shows a list of data with No, Name, Ordered_Item and Quantity. When the user clicks the No, they'll be redirected to a new page that shows only the data of the one they clicked.

Now, when the user clicks on the Edit button, they'll be redirected to a new page called update_info.php. Here is a form to change Name, Ordered_Item and Quantity. But now when I click the Update Order button, it updates all rows to the data that the user just put in. What I want is to UPDATE only the data of the No that the user clicked.

This is the code: order_detail.php

<?php

include_once 'dbh.php';

$query = "SELECT * FROM order_detail"; //You don't need a ; like you do in SQL
$result = mysqli_query($connection, $query);

echo "<table border = 1px>"; // start a table tag in the HTML

while($row = mysqli_fetch_array($result))
{   
    $no = $row['No'];
    //Creates a loop to loop through results
    echo  "<tr><td style = 'width:30px;'>" . "<a href='view_more.php?no=$no'>" .$row['No'] . "</a></td>
               <td style = 'width:30%;'>" . $row['Name'] . "</td>
               <td style = 'width:30%;'>" . $row['Ordered_Item'] . "</td>
               <td>" . $row['Quantity'] . "</td></tr>";  //$row['index'] the index here is a field name
}

echo "</table>"; //Close the table in HTML
echo "<button type='button'><a href='./index.php'>Back</a></button>";

view_more.php

if (isset($_GET['no']))
{
    include_once 'dbh.php';

    $no = $_GET['no'];
    $query = "SELECT * FROM order_detail WHERE No = '$no'";

    $result = mysqli_query($connection, $query);

    echo "<table border = 1px>"; // start a table tag in the HTML

    while($row = mysqli_fetch_array($result))
    {   

        //Creates a loop to loop through results
        echo  "<tr><td style = 'width:30px;'>" . $row['No'] . "</td>
                   <td style = 'width:30%;'>" . $row['Name'] . "</td>
                   <td style = 'width:30%;'>" . $row['Ordered_Item'] . "</td>
                   <td>" . $row['Quantity'] . "</td></tr>";  //$row['index'] the index here is a field name
    }

    echo "</table>"; //Close the table in HTML

    echo "<button type='button'><a href='./update_info.php?no=$no'>Edit</a></button>";
    echo "<button type='button'><a href='#'>Delete</a></button>";
    echo "<button type='button'><a href='./order_detail.php'>Back</a></button>";

    mysqli_close($connection);
}

update_info.php

<form action="update_data.php" method="POST">
            <div>
                <input type="text" name="NewName" placeholder="Name">
            </div>
            <div>
                <input type="text" name="NewOrder" placeholder="Order">
            </div>
            <div>
                <input type="text" name="NewQuantity" placeholder="Quantity">
            </div>
            <div>
                <button type="submit" name="submit">Update Order</button>
            </div>
        </form>

update_data.php

if(isset($_POST['submit']))
{
    include_once 'dbh.php';

    $update = "UPDATE order_detail SET Name='$_POST[NewName]', Ordered_Item='$_POST[NewOrder]', Quantity='$_POST[NewQuantity]' ";

    if (mysqli_query($connection, $update))
    {
        header("Location: ./order_detail.php");
        exit();
    }
    else
    {
        header("Location: ./order_detail.php?update=failed");
        exit();
    }
}
Amrin
  • Your update doesn't have a WHERE clause, which will mean it will update every row in the table. – Nigel Ren Jul 28 '18 at 08:43
  • Also _never_ concatenate superglobals like `$_POST` directly into a query. This leaves you wide open to [SQL injection](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1). Use `filter_input` and prepared queries. – Vince0789 Jul 30 '18 at 07:49

3 Answers


Add the WHERE clause and pass the id whose value you want to edit. Have a look at the code below.

 if(isset($_POST['submit']))
    {
        include_once 'dbh.php';

        $update = "UPDATE order_detail SET Name='$_POST[NewName]', Ordered_Item='$_POST[NewOrder]', Quantity='$_POST[NewQuantity]' WHERE No='$_GET[no]' ";

        if (mysqli_query($connection, $update))
        {
            header("Location: ./order_detail.php");
            exit();
        }
        else
        {
            header("Location: ./order_detail.php?update=failed");
            exit();
        }
    }
sn n
  • I got this error: Parse error: syntax error, unexpected '' (T_ENCAPSED_AND_WHITESPACE), expecting '-' or identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING) in C:\xampp\htdocs\simple_stall\update_data.php on line 7 – Amrin Jul 28 '18 at 13:42

Specify which order you want to update

Look at the HTML and SQL I have changed.

<form action="update_data.php" method="POST">
            <div>
                <input type="text" name="NewName" placeholder="Name">
            </div>
            <div>
                <input type="text" name="NewOrder" placeholder="Order">
            </div>
            <div>
                <input type="text" name="NewQuantity" placeholder="Quantity">
            </div>
            <div>
                <input type="hidden" name="No" value="<?php echo htmlspecialchars($_GET['no']); ?>">
                <!-- Specify which order you want to update  -->
                <button type="submit" name="submit">Update Order</button>
            </div>
        </form>

update_data.php

if(isset($_POST['submit']))
{
    include_once 'dbh.php';


    $update = "UPDATE order_detail SET 
            Name='$_POST[NewName]', 
            Ordered_Item='$_POST[NewOrder]', 
            Quantity='$_POST[NewQuantity]' 
     WHERE No = {$_POST['No']} ";
   // add where clause in sql to specify which you want to update


    if (mysqli_query($connection, $update))
    {
        header("Location: ./order_detail.php");
        exit();
    }
    else
    {
        header("Location: ./order_detail.php?update=failed");
        exit();
    }
}

Use a prepared statement; it is safer.

Hello World

Add a hidden input with the value of $no to your update_info.php like this:

<form action="update_data.php" method="POST">
    <input type="hidden" name="no" value="<?php echo htmlspecialchars($_GET['no']); ?>" />
        <div>
            <input type="text" name="NewName" placeholder="Name">
        </div>
        <div>
            <input type="text" name="NewOrder" placeholder="Order">
        </div>
        <div>
            <input type="text" name="NewQuantity" placeholder="Quantity">
        </div>
        <div>
            <button type="submit" name="submit">Update Order</button>
        </div>
    </form>

And then change your SQL query in update_data.php to be like this:

"UPDATE order_detail SET Name='$_POST[NewName]', Ordered_Item='$_POST[NewOrder]', Quantity='$_POST[NewQuantity]' WHERE No = {$_POST['no']} ";
Znar
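
The fix the comments and answers point to, put together as an added example (not code from the question or from any answer): update_data.php with `filter_input` validation and a prepared statement whose WHERE clause targets one row. It assumes the form posts the row number in a hidden field named `no`, that `dbh.php` provides `$connection` as in the question, and that `No` and `Quantity` are integer columns.

```php
<?php
// update_data.php, added example: update only the row whose No was posted.
// Assumptions: dbh.php sets $connection (mysqli) as in the question; the form
// posts a hidden field "no"; No and Quantity are integer columns.
include_once 'dbh.php';

if (!isset($_POST['submit'])) {
    header('Location: ./order_detail.php');
    exit();
}

// Validate every field before it reaches the query.
$positiveInt = ['options' => ['min_range' => 1]];
$no       = filter_input(INPUT_POST, 'no', FILTER_VALIDATE_INT, $positiveInt);
$quantity = filter_input(INPUT_POST, 'NewQuantity', FILTER_VALIDATE_INT, $positiveInt);
$name     = trim((string) filter_input(INPUT_POST, 'NewName'));
$order    = trim((string) filter_input(INPUT_POST, 'NewOrder'));

// filter_input gives null for a missing field and false for a failed filter.
if (!is_int($no) || !is_int($quantity) || $name === '' || $order === '') {
    header('Location: ./order_detail.php?update=failed');
    exit();
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
try {
    // Placeholders keep user data out of the SQL text; WHERE limits the
    // update to the single row identified by No.
    $stmt = mysqli_prepare(
        $connection,
        'UPDATE order_detail SET Name = ?, Ordered_Item = ?, Quantity = ? WHERE No = ?'
    );
    // s = string, i = integer, in placeholder order.
    mysqli_stmt_bind_param($stmt, 'ssii', $name, $order, $quantity, $no);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    $target = './order_detail.php';
} catch (mysqli_sql_exception $e) {
    error_log('order update failed: ' . $e->getMessage());
    $target = './order_detail.php?update=failed';
}

mysqli_close($connection);
header('Location: ' . $target);
exit();
```

The hidden `no` value is still supplied by the client, which is why it is validated as an integer and bound as a parameter rather than interpolated into the SQL string.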