unable to update City in only insert is performed

Question

<?php
session_start();
include_once 'DBconfig.php';
extract($_GET);
$CityName = $_POST['CityName'];

if (isset($CityID))
{
    $sql = "UPDATE city SET CityName = '$CityName', Modified = NOW() WHERE city.CityID = $CityID;";
}
else
{
    $sql = "INSERT INTO city (CityID, CityName, Created, Modified) VALUES (NULL, '$CityName', NOW(), NOW());";
}

$result = mysqli_query($con, $sql);
if ($result)
{
    header('location: ListCity.php');
}
else
{
    header('location: AddEditCity.php');
}
?>

only insert block will be executed update not working $CityID variable is come from extract function so no naming convention issue can't resolve it please help

your code is **vulnerable to sql injection** so please use **prepared statemenst with parameters** see .https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — nbk, Sep 13 '20 at 12:49
also dont use extract, one could define ?con= and break things, is not too bad but is still a vector — Lawrence Cherone, Sep 13 '20 at 12:54

Booboo · Accepted Answer · 2020-09-13T14:32:53.803

0

You are extracting from $_GET (which is always to be avoided) and then taking $CityName from $_POST. That is inconsistent as the request cannot be both a GET and a POST at the same time. It surely must be a POST request or the insert wouldn't be working at all. And as been commented, you should be using a prepared statement to avoid a SQL injection attack:

<?php
session_start();
include_once 'DBconfig.php';

$CityName = $_REQUEST['CityName'];    
if (isset($_REQUEST['CityID']))
{
    $CityID = $_REQUEST['CityID'];
    $sql = "UPDATE city SET CityName = ?, Modified = NOW() WHERE city.CityID = ?";
    $stmt = mysqli_prepare($con, $sql);
    mysqli_stmt_bind_param($stmt, "si", $CityName, $CityID);
}
else
{
    $sql = "INSERT INTO city (CityID, CityName, Created, Modified) VALUES (NULL, ?, NOW(), NOW())";
    $stmt = mysqli_prepare($con, $sql);
    mysqli_stmt_bind_param($stmt, "s", $CityName);
}

$result = mysqli_stmt_execute($stmt);
if ($result)
{
    header('location: ListCity.php');
}
else
{
    header('location: AddEditCity.php');
}

edited Sep 13 '20 at 14:32

answered Sep 13 '20 at 13:13

Booboo

38,656
3
37
60

Thanks bro for suggest me this code but bug remains same it only inserts even when we are updating it update operation is not being performed – Hemal Joshi Sep 13 '20 at 14:03
You may have errors in your form. *If* the form is sending up a field name 'CityID` with a POST request, then I can't see how the above code will do anything but try to do an update, can you?. But maybe that is a big *if*. You haven't show us the form with your question. You need to check that form out carefully. – Booboo Sep 13 '20 at 14:12
– Hemal Joshi Sep 13 '20 at 14:16
You should 1. Update your question, not use a comment. and 2. Put in the entire form. But looking at what little you showed me, I don't see a form at all, but rather a link, which results in a GET request and I see only a CityID being passed up **and no CityName**. This can't possibly work with testing for $_POST values and **missing the city name**. How can you update the city name when you are not passing up the new city name? And you should be using POST requests for updating data – Booboo Sep 13 '20 at 14:30
I have updated the code to look at `$_REQUEST`, which will work with GET or POST requests. But you are still not passing up the city name along with the city id. And you really should be using a post with a form. – Booboo Sep 13 '20 at 14:36

unable to update City in only insert is performed

1 Answers1