-1

I'm making a card update button, wherewith users can update their card's information. I'm stuck with the card id because my update page doesn't get it. If I use an existing id, like 1, the inputs get data but can't update them.

My database looks like this:

| id | name | phone | phone2 | email | zipcode | address | job | description | visibility | userid |
|----|------|-------|--------|-------|---------|---------|-----|-------------|------------|--------|
| 1 | John | 112 | 233 | a@a.com | 2435 | dfdf 34. | test | uzlh | 0 | 1 |

Here's the button that redirects the user to the update page:

```html
<a href="update.php" class="btn btn-succes" role="button">Edit</a>
```

And here's my update page:

```php
<?php
session_start();
include_once 'db_connect.php';
if(count($_POST)>0) {
mysqli_query($conn,"UPDATE cards set id='$id', name='" . $_POST['name'] . "', phone='" . $_POST['phone'] . "', phone2='" . $_POST['phone2'] . "', email='" . $_POST['email'] . "' , zipcode='" . $_POST['zipcode'] . "', address='" . $_POST['address'] . "', job='" . $_POST['job'] . "', description='" . $_POST['description'] . "', userid='" . $_SESSION['userid'] . "' WHERE id='" . $_SESSION['id'] . "'");
$message = "Succes";
}
$result = mysqli_query($conn,"SELECT * FROM cards WHERE id='$id'");
$row= mysqli_fetch_array($result);
?>
<html>
<head>
<title>Edit</title>
</head>
<body>
<form name="frmUser" method="post" action="">
<div style="width:500px;">
<div class="message"><?php if(isset($message)) { echo $message; } ?></div>
<table cellpadding="10" cellspacing="0" width="500" class="tblSaveForm">
<tr class="header">
<td colspan="2">Edit Card</td>
</tr>
<tr>
<td><label>Username</label></td>
<td><input type="hidden" name="name" class="txtField" value="<?php echo $row['name']; ?>"></td>
</tr>
<tr>
<td><label>phone</label></td>
<td><input type="text" name="phone" class="txtField" value="<?php echo $row['phone']; ?>"></td>
</tr>
<tr>
<td><label>phone2</label></td>
<td><input type="text" name="phone2" class="txtField" value="<?php echo $row['phone2']; ?>"></td>
</tr>
<tr>
<td><label>email</label></td>
<td><input type="text" name="email" class="txtField" value="<?php echo $row['email']; ?>"></td>
</tr>
<tr>
<td><label>zipcode</label></td>
<td><input type="text" name="zipcode" class="txtField" value="<?php echo $row['zipcode']; ?>"></td>
</tr>
<tr>
<td><label>address</label></td>
<td><input type="text" name="address" class="txtField" value="<?php echo $row['address']; ?>"></td>
</tr>
<tr>
<td><label>job</label></td>
<td><input type="text" name="job" class="txtField" value="<?php echo $row['job']; ?>"></td>
</tr>
<tr>
<td><label>description</label></td>
<td><input type="text" name="description" class="txtField" value="<?php echo $row['description']; ?>"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="submit" value="Submit" class="buttom"></td>
</tr>
</table>
</div>
</form>
</body>
</html>
```
marc_s
Mower

1 Answer

-1

You can pass the id like this:

```php
<a href="update.php?id=<?php echo $row['id']; ?>" class="btn btn-succes" role="button">Edit</a>
```

and get the id in update.php

```php
<?php
session_start();
include_once 'db_connect.php';
$id = $_GET['id'];
if(count($_POST)>0) {
mysqli_query($conn,"UPDATE cards set name='" . $_POST['name'] . "', phone='" . $_POST['phone'] . "', phone2='" . $_POST['phone2'] . "', email='" . $_POST['email'] . "' , zipcode='" . $_POST['zipcode'] . "', address='" . $_POST['address'] . "', job='" . $_POST['job'] . "', description='" . $_POST['description'] . "', userid='" . $id . "' WHERE id='" . $id . "'");
$message = "Success";
}
$result = mysqli_query($conn,"SELECT * FROM cards WHERE id='$id'");
$row= mysqli_fetch_array($result);
?>
<html>
<head>
<title>Edit</title>
</head>
<body>
<form name="frmUser" method="post" action="">
<div style="width:500px;">
<div class="message"><?php if(isset($message)) { echo $message; } ?></div>
<table cellpadding="10" cellspacing="0" width="500" class="tblSaveForm">
<tr class="header">
<td colspan="2">Edit Card</td>
</tr>
<tr>
<td><label>Username</label></td>
<td><input type="hidden" name="name" class="txtField" value="<?php echo $row['name']; ?>"></td>
</tr>
<tr>
<td><label>phone</label></td>
<td><input type="text" name="phone" class="txtField" value="<?php echo $row['phone']; ?>"></td>
</tr>
<tr>
<td><label>phone2</label></td>
<td><input type="text" name="phone2" class="txtField" value="<?php echo $row['phone2']; ?>"></td>
</tr>
<tr>
<td><label>email</label></td>
<td><input type="text" name="email" class="txtField" value="<?php echo $row['email']; ?>"></td>
</tr>
<tr>
<td><label>zipcode</label></td>
<td><input type="text" name="zipcode" class="txtField" value="<?php echo $row['zipcode']; ?>"></td>
</tr>
<tr>
<td><label>address</label></td>
<td><input type="text" name="address" class="txtField" value="<?php echo $row['address']; ?>"></td>
</tr>
<tr>
<td><label>job</label></td>
<td><input type="text" name="job" class="txtField" value="<?php echo $row['job']; ?>"></td>
</tr>
<tr>
<td><label>description</label></td>
<td><input type="text" name="description" class="txtField" value="<?php echo $row['description']; ?>"></td>
</tr>
<tr>
<td colspan="2"><input type="submit" name="submit" value="Submit" class="buttom"></td>
</tr>
</table>
</div>
</form>
</body>
</html>
```
Sumit De
  • Thanks. The input fields get the data but can't update them for some reason. – Mower Feb 22 '20 at 11:53
  • Please change the SQL: `mysqli_query($conn,"UPDATE cards set name='" . $_POST['name'] . "', phone='" . $_POST['phone'] . "', phone2='" . $_POST['phone2'] . "', email='" . $_POST['email'] . "' , zipcode='" . $_POST['zipcode'] . "', address='" . $_POST['address'] . "', job='" . $_POST['job'] . "', description='" . $_POST['description'] . "', userid='" . $_SESSION['userid'] . "' WHERE id='" . $id . "'");` I have updated the answer also. – Sumit De Feb 22 '20 at 11:55
  • **Warning:** You are wide open to [SQL Injections](https://stackoverflow.com/a/60496/1839439) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Feb 22 '20 at 11:57
  • Try this one : `mysqli_query($conn,"UPDATE cards set name='" . $_POST['name'] . "', phone='" . $_POST['phone'] . "', phone2='" . $_POST['phone2'] . "', email='" . $_POST['email'] . "' , zipcode='" . $_POST['zipcode'] . "', address='" . $_POST['address'] . "', job='" . $_POST['job'] . "', description='" . $_POST['description'] . "', userid='" . $id . "' WHERE id='" . $id . "'");` – Sumit De Feb 22 '20 at 13:04
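
The prepared-statement approach recommended in the comments, applied to this update page as an added example that is not code from the thread. It assumes PHP 7+, that `db_connect.php` defines a mysqli connection `$conn` (with mysqlnd for `get_result()`), and that `cards.userid` identifies the card's owner; the `e()` helper and the ownership filter in the `WHERE` clauses are additions for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, that db_connect.php
// defines $conn (mysqli with mysqlnd), and that cards.userid is the card's owner.
session_start();
include_once 'db_connect.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

function e($v) { // escape values before echoing them into HTML
    return htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
}

// The id arrives in the URL, so it is untrusted: accept only a positive integer.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if (!$id || !isset($_SESSION['userid'])) {
    http_response_code(400);
    exit('Invalid request');
}
$userid = (int) $_SESSION['userid'];
$fields = ['name', 'phone', 'phone2', 'email', 'zipcode', 'address', 'job', 'description'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Column names are fixed literals; request data only travels as bound values.
    $params = [];
    foreach ($fields as $f) {
        $params[] = is_string($_POST[$f] ?? null) ? $_POST[$f] : '';
    }
    array_push($params, $id, $userid);
    $stmt = $conn->prepare('UPDATE cards SET ' . implode('=?, ', $fields) . '=? WHERE id=? AND userid=?');
    $stmt->bind_param('ssssssssii', ...$params);
    $stmt->execute();
    $message = $stmt->affected_rows === 1 ? 'Success' : 'Nothing changed';
}

// Same ownership filter on the read, so another user's card id returns no row.
$stmt = $conn->prepare('SELECT ' . implode(', ', $fields) . ' FROM cards WHERE id=? AND userid=?');
$stmt->bind_param('ii', $id, $userid);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
if (!$row) {
    http_response_code(404);
    exit('Card not found');
}
?>
<form method="post" action="">
<div class="message"><?php echo e($message ?? ''); ?></div>
<?php foreach ($fields as $f): ?>
<label><?php echo e($f); ?> <input type="text" name="<?php echo e($f); ?>" value="<?php echo e($row[$f]); ?>"></label>
<?php endforeach; ?>
<input type="submit" value="Submit">
</form>
```

Because the form posts to `action=""`, the `?id=` query string is preserved on submit, so the same validated `$id` is used for both the update and the reload.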