-1

I am trying to make a web page that contains a dropdown.

When a dropdown option is selected, I want to update the mark in the MySQL database based on Enum, but the code does not work.

I use JavaScript with PHP to query MySQL.

<form id="myForm" method="post" onsubmit="return submitform()">
    <select id="lvl" name="lvl" style="height:30px;">
        <option value="std1" selected="selected">
            <?php echo $stu1name["Stu_name"] ?>
        </option>
        <option value="std2">
            <?php echo $stu2name["Stu_name"] ?>
        </option>
        <option value="std3">
            <?php echo $stu3name["Stu_name"] ?>
        </option>
        <option value="std4">
            <?php echo $stu4name["Stu_name"] ?>
        </option>
        <option value="std5">
            <?php echo $stu5name["Stu_name"] ?>
        </option>
    </select>
    <p><input type="submit" name="submit" value="Submit"></p>
</form>

This is my JavaScript with PHP:

function submitform() {
    var option= document.getElementById('lvl').value;
    if (option == "std1"){
        <?php
            mysqli_query($conn, 
                "UPDATE evaluation set mid_mark='" . $_POST["mid_mark"] . 
                "',end_mark='" . $_POST["end_mark"] . 
                "', performance='" . $_POST["performance"] . 
                "' WHERE Enum ='1'"
            ); 
        ?>
        return true;
    }
    if (option == "std2"){
        <?php
            mysqli_query($conn, 
                "UPDATE evaluation set mid_mark='" . $_POST["mid_mark"] . 
                "',end_mark='" . $_POST["end_mark"] . 
                "', performance='" . $_POST["performance"] . 
                "' WHERE Enum ='2'"
            ); 
        ?>
        return true;
    }   
    if (option == "std3"){
        <?php
            mysqli_query($conn, 
                "UPDATE evaluation set mid_mark='" . $_POST["mid_mark"] . 
                "',end_mark='" . $_POST["end_mark"] . 
                "', performance='" . $_POST["performance"] . 
                "' WHERE Enum ='3'"
            ); 
        ?>
        return true;
    }   
    if (option == "std4"){
        <?php
            mysqli_query($conn, 
                "UPDATE evaluation set mid_mark='" . $_POST["mid_mark"] . 
                "',end_mark='" . $_POST["end_mark"] . 
                "', performance='" . $_POST["performance"] . 
                "' WHERE Enum ='4'"
            ); 
        ?>
        return true;
    }
    if (option == "std5"){
        <?php
            mysqli_query($conn, 
                "UPDATE evaluation set mid_mark='" . $_POST["mid_mark"] . 
                "',end_mark='" . $_POST["end_mark"] . 
                "', performance='" . $_POST["performance"] . 
                "' WHERE Enum ='5'"
            ); 
        ?>
        return true;
    }       
}

But when I update, all the rows are updated, as in this image:

I don't know what I'm doing wrong here. I'm completely lost.

biberman
jih77
  • you have to post the form (either with action="submit.php" or use ajax) – Chris P May 18 '21 at 19:10
  • Sorry, I forgot to add the submit button... I edited it already. – jih77 May 18 '21 at 19:32
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman May 18 '21 at 20:10

1 Answer

0

This is because PHP runs on the server and all of its code runs before your page is loaded, so you can't control it from a script in the browser like JavaScript. You can insert data into your database without JavaScript with this PHP code put at the top of your page. You have to delete the onsubmit statement in your form.

<?php
// Needs an open PDO connection in $pdo (assumed to exist above this block).
if (isset($_POST['lvl'])) {
    // "std1".."std5": the last character is the Enum of the row to update
    $enum = substr($_POST['lvl'], -1, 1);
    // Every value, the Enum included, is a bound parameter, so no user input is spliced into the SQL text
    $sql = "UPDATE evaluation SET mid_mark=:mid_mark, end_mark=:end_mark, performance=:performance WHERE Enum=:enum";
    $stmt = $pdo->prepare($sql);
    $stmt->bindParam(':mid_mark', $_POST['mid_mark'], PDO::PARAM_STR);
    $stmt->bindParam(':end_mark', $_POST['end_mark'], PDO::PARAM_STR);
    $stmt->bindParam(':performance', $_POST['performance'], PDO::PARAM_STR);
    $stmt->bindParam(':enum', $enum, PDO::PARAM_STR);
    $stmt->execute();
}
?>
Stefino76
  • Oh, I see, I didn't know about it before. Thank you, it works, but I just use mysqli since I'm not familiar with PDO. May I know, is it better to use PDO? It looks quite complicated for me as a beginner. – jih77 May 18 '21 at 22:12
  • The problem is when you directly put $_POST variables in your query. If a user fills an input with malicious or wrong code you can lose your entire database. With prepared statements it's impossible. If you want to know more about it you can search the web for "SQL injection risk" – Stefino76 May 19 '21 at 05:39
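Since the asker said they are staying with MySQLi, here is the answer's approach done with MySQLi prepared statements, as an added example that is not part of the original question or answer. The select value is mapped to its Enum through an allow-list instead of being sliced out of the input, and every value, the Enum included, is a bound parameter. It assumes $conn is the open mysqli connection from the question and the form field names lvl, mid_mark, end_mark and performance from the question.

```php
<?php
// Added example: MySQLi prepared-statement version of the UPDATE handler.
// Assumes $conn is an open mysqli connection (as in the question).

// Allow-list: map each <select> value to the Enum it stands for. Anything
// not in this table is rejected rather than trusted.
const LEVEL_TO_ENUM = [
    'std1' => 1, 'std2' => 2, 'std3' => 3, 'std4' => 4, 'std5' => 5,
];

function updateEvaluation(mysqli $conn, array $post): bool
{
    $lvl = $post['lvl'] ?? '';
    if (!is_string($lvl) || !array_key_exists($lvl, LEVEL_TO_ENUM)) {
        return false;                       // unknown student key: do nothing
    }
    $enum = LEVEL_TO_ENUM[$lvl];

    // The SQL text is fixed; only the placeholders vary, and only via bind_param.
    // Exactly one UPDATE runs per request, unlike the five server-side blocks
    // in the question, which all executed regardless of the JavaScript branches.
    $sql = 'UPDATE evaluation SET mid_mark = ?, end_mark = ?, performance = ? '
         . 'WHERE Enum = ?';
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        return false;
    }
    $mid  = $post['mid_mark'] ?? '';
    $end  = $post['end_mark'] ?? '';
    $perf = $post['performance'] ?? '';
    // "sssi": three string parameters, one integer. bind_param takes references,
    // so the values must be held in variables.
    $stmt->bind_param('sssi', $mid, $end, $perf, $enum);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['lvl'])) {
    updateEvaluation($conn, $_POST);
}
?>
```

Place this at the top of the page in place of the JavaScript-wrapped PHP blocks, and drop the onsubmit attribute from the form so the browser simply posts it.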