-1

I will describe my problems briefly. There are 2 main issues in my web app:

  1. Date of Birth does not show in the edit page (DONE)
  2. I cannot submit my record to the database (partly due to problem 1)

Here is my code:

<?php
$host = "localhost";
$username = "root";
$password = "";
$database = "students";

$mysqli = new mysqli($host, $username, $password, $database);
if (!$mysqli) {
    die("Cannot connect to mysql");
} 

 if (isset($_POST['save'])) {

        // Display errors if all fields are blank
        $errors = [];
        if (strlen(trim($_POST['student_id'])) === 0) {
            $errors['student_id'] = "Không được để trống trường này";            
        }

        if (strlen(trim($_POST['first_name'])) === 0) {
            $errors['first_name'] = "Không được để trống trường này";
        } 

        if (strlen(trim($_POST['last_name'])) === 0) {
            $errors['last_name'] = "Không được để trống trường này";
        } 

        if (strlen(trim($_POST['email'])) === 0) {
            $errors['email'] = "Không được để trống trường này";
        } else {
            if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
                $errors['email'] = 'Email phải đúng định dạng';
            } 
        }

        if (strlen(trim($_POST['dob'])) === 0) {
            $errors['dob'] = "Không được để trống trường này";
        }        
              
    }

    
    // If there is not any blank field, show the information at the index page 
        $id = $_GET['id'];
        $sql = "SELECT * FROM students WHERE id = $id";
        $result = $mysqli->query($sql);
        $students = $result->fetch_assoc(); 
        print_r($students) ;

    if (isset($errors) && count($errors) == 0) {       

        $student_id = $_POST['student_id'];
        $first_name = $_POST['first_name'];
        $last_name = $_POST['last_name'];
        $email = $_POST['email'];
        $dob = $_POST['dob'];

        $sql = "UPDATE students(student_id, first_name, last_name, email, dob) 
                SET student_id = '$student_id', first_name = '$first_name', last_name = '$last_name', email = '$email', dob = '$dob'
                WHERE id = '$id'"; 

        $result = $mysqli->query($sql);
        

        if ($result) {
            header('location: index.php');
        }            
}
?>


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Create Student List</title>
    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/css/bootstrap.min.css" integrity="sha384-B0vP5xmATw1+K9KRQjQERJvTumQW0nPEzvF6L/Z6nronJ3oUOFUFpCjEUQouq2+l" crossorigin="anonymous">
    <link rel="stylesheet" href="https://pro.fontawesome.com/releases/v5.10.0/css/all.css" integrity="sha384-AYmEC3Yw5cVb3ZcuHtOA93w35dYTsvhLPVnYs9eStHfGJvOvKxVfELGroGkvsg+p" crossorigin="anonymous"/>
</head>
<body>
    <div class="card">
        <div class="card-body">
            <h3 class="card-title">Create Student</h3>    
            <form method="POST" action="./update.php" id="update">

                <!-- Student ID -->
                <div class="form-group">
                    <label for="student_id">Student ID <span style="color:red;">*</span></label>
                    <input type="text" id="student_id" name="student_id" class="form-control <?php echo isset($errors['student_id']) ? 'is-invalid' : '' ?>" placeholder="" value="<?php echo $students['student_id'] ?>"> 
                    <?php if (isset($errors) && isset($errors['student_id'])) { ?>
                        <small id="helpId" class="invalid-feedback"><?php echo $errors['student_id']; ?></small>
                    <?php } ?> 
                </div>
                
                <!-- First Name -->
                <div class="form-group">
                    <label for="first_name">First Name <span style="color:red;">*</span></label>
                    <input type="text" id="first_name" name="first_name" class="form-control <?php echo isset($errors['first_name']) ? 'is-invalid' : '' ?>" placeholder="" value="<?php echo $students['first_name'] ?> "> 
                    <?php if (isset($errors) && isset($errors['first_name'])) { ?>
                        <small id="helpId" class="invalid-feedback"><?php echo $errors['first_name']; ?></small>
                    <?php } ?> 
                </div>

                <!-- Last Name -->
                <div class="form-group">
                    <label for="last_name">Last name <span style="color:red;">*</span></label>
                    <input type="text" id="last_name" name="last_name" class="form-control <?php echo isset($errors['last_name']) ? 'is-invalid' : '' ?>" placeholder="" value="<?php echo $students['last_name'] ?>"> 
                    <?php if (isset($errors) && isset($errors['last_name'])) { ?>
                        <small id="helpId" class="invalid-feedback"><?php echo $errors['last_name']; ?></small>
                    <?php } ?> 
                </div>

                <!-- Email -->
                <div class="form-group">
                    <label for="email">Email <span style="color:red;">*</span></label>
                    <input type="email" id="email" name="email" class="form-control <?php echo isset($errors['email']) ? 'is-invalid' : '' ?>" placeholder="" value="<?php echo $students['email'] ?> "> 
                    <?php if (isset($errors) && isset($errors['email'])) { ?>
                        <small id="helpId" class="invalid-feedback"><?php echo $errors['email']; ?></small>
                    <?php } ?> 
                </div>
                
                <!-- Date of Birth -->
                <div class="form-group">
                    <label for="dob">Date of Birth <span style="color:red;">*</span></label>
                    <input type="date" id="dob" name="dob" class="form-control <?php echo isset($errors['dob']) ? 'is-invalid' : '' ?>" placeholder="" value="<?php echo $students['dob'] ?> "> 
                    <?php if (isset($errors) && isset($errors['dob'])) { ?>
                        <small id="helpId" class="invalid-feedback"><?php echo $errors['dob']; ?></small>
                    <?php } ?> 
                </div>                

                <!-- Buttons -->
                <button type="submit" class="btn btn-primary" name="save">Save</button>
                <a class="btn btn-secondary" href="./index.php">Cancel</a>

            </form>
        </div>
    </div>


    <script src="https://code.jquery.com/jquery-3.5.1.slim.min.js" integrity="sha384-DfXdz2htPH0lsSSs5nCTpuj/zy4C+OGpamoFVy38MVBnE+IbbVYUew+OrCXaRkfj" crossorigin="anonymous"></script>
    <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js" integrity="sha384-9/reFTGAW83EW2RDu2S0VKaIzap3H66lZH81PoYlFhbGU+6BZp6G7niu735Sk7lN" crossorigin="anonymous"></script>
    <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.0/dist/js/bootstrap.min.js" integrity="sha384-+YQ4JLhjyBLPDQt//I+STsc9iw4uQqACwlvpslubQzn4u2UU2UFM80nGisd026JF" crossorigin="anonymous"></script>
</body>
</html>

Here are some pictures about those: [image]

Hopefully, you can help me solve those problems as much as possible. Thank you!

Hòa Đỗ
  • `value=" "` remove that extra space – Kinglish Jun 09 '21 at 05:20
  • Thank you bro. You have solved my first problem – Hòa Đỗ Jun 09 '21 at 05:52
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Jun 09 '21 at 10:53
  • [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) – Dharman Jun 09 '21 at 10:53

1 Answer

0

The date of birth issue: extra space at the end of your value tag

value="<?php echo $students['dob'] ?> "

The database issues:

  • malformed update statement
  • insecure, open-to-attack query

You kind of mixed insert and update.

UPDATE students(student_id, first_name, last_name, email, dob) 
SET student_id = '$student_id', first_name = '$first_name', last_name = '$last_name', email = '$email', dob = '$dob'
WHERE id = '$id'

Update statements don't take a field list in parens like you have it. So the statement is failing. However, you should really protect against SQL injection attacks by using query binding and prepared statements. Looks like this:

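// Placeholders are bare ? marks (no quotes); a quoted '?' is just a literal string
$sql = "UPDATE students SET student_id = ?, first_name = ?, last_name = ?, email = ?, dob = ? WHERE id = ?";
$query = $mysqli->prepare($sql);
// One type letter per bound value (i = integer, s = string): six values, six letters
$query->bind_param("issssi", $student_id, $first_name, $last_name, $email, $dob, $id);
$query->execute();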

https://www.w3schools.com/php/php_mysql_prepared_statements.asp

Kinglish
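
The prepared-statement fix from the answer, applied to both queries in the question's script (the `SELECT` on `$_GET['id']` as well as the `UPDATE`), as an added example that is not part of the original post or answer. It assumes the question's `students` table has an integer `id` and that the form posts back to `update.php?id=<id>`; it binds `student_id` as a string because the form field is free text, and `find_student` and `update_student` are hypothetical helper names.

```php
<?php
// Added example (not the poster's code). Assumes the question's `students`
// table with an integer `id`, and that the form posts to update.php?id=<id>.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Hypothetical helper: load one row; the id is bound, never concatenated.
function find_student(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare("SELECT * FROM students WHERE id = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null; // null if no row
}

// Hypothetical helper: placeholders are bare `?`, one type letter per value.
function update_student(mysqli $db, int $id, array $f): bool
{
    $stmt = $db->prepare("UPDATE students SET student_id = ?, first_name = ?,
                          last_name = ?, email = ?, dob = ? WHERE id = ?");
    $stmt->bind_param("sssssi", $f['student_id'], $f['first_name'],
                      $f['last_name'], $f['email'], $f['dob'], $id);
    return $stmt->execute();
}

$mysqli = new mysqli("localhost", "root", "", "students");

// Accept only a positive integer id; anything else never reaches the database.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if (!is_int($id)) {
    http_response_code(400);
    exit('Invalid id');
}

if (isset($_POST['save'])) {
    $fields = [];
    foreach (['student_id', 'first_name', 'last_name', 'email', 'dob'] as $k) {
        $fields[$k] = is_string($_POST[$k] ?? null) ? trim($_POST[$k]) : '';
    }
    $valid = !in_array('', $fields, true)
        && filter_var($fields['email'], FILTER_VALIDATE_EMAIL) !== false
        && DateTime::createFromFormat('Y-m-d', $fields['dob']) !== false;
    if ($valid && update_student($mysqli, $id, $fields)) {
        header('Location: index.php');
        exit;
    }
}
$students = find_student($mysqli, $id); // row used to pre-fill the form
```

With `mysqli_report` set this way, a malformed statement such as the original `UPDATE students(...) SET ...` raises a `mysqli_sql_exception` carrying the server's error message instead of failing silently.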