User form-data to update query PHP

Question

I have basic question about storing $variable data and later use in html script, anyone who can help me? Right now, the variable $gset is not stored.

<?php
                
// Update Strictness value
if(isset($_POST['strictness'])){
    $gset = $_POST['strictness'];
    $strictnessUpdate = "UPDATE users SET strictness = '$gset' WHERE user_id = 1";
    mysqli_query($conn, $strictnessUpdate);
    echo "strictness value updated";
}

?>

<form method="POST" class="form-align" action="">
    <h5 class="my-6">Current Strictness :</h5> <?php echo $gset; ?><br>
    <select name="strictness" required>
        <option value=""></option>
        <option value="15">15</option>
        <option value="31">31</option>
    </select>
    <input type="submit" name="substrict" value="CHANGE">
</form>

`$gset` is only set when the user submits the form. When the page is displayed before submitting the form, it's not set. You should fetch it from the database. — Barmar, Aug 17 '21 at 16:12
You should also use a prepared statement to prevent SQL injection. — Barmar, Aug 17 '21 at 16:13
If you think it's not being stored when the user submits the form, you're wrong. — Barmar, Aug 17 '21 at 16:16
Thank you for your input! How am I supposed to tackle this then? — Dr Charms, Aug 17 '21 at 16:33
Do a `SELECT` query before displaying the form to get the current value of `strictness` — Barmar, Aug 17 '21 at 16:36

Dr Charms · Answer 1 · 2021-08-17T17:00:01.563

            <?php
            
            $_grabStrictness ="SELECT strictness FROM users WHERE id = 1";

            $gs_query = mysqli_query($conn, $_grabStrictness);
            $gs_result = mysqli_fetch_array($gs_query);

            if ($gs_result > 0) {
                while ($result = mysqli_fetch_array($gs_query)) {
                    $gset = $result['strictness'];
                }
            }
            
            if(isset($_POST['strictness'])){
                $gset = $_POST['strictness'];
                $strictnessUpdate = "UPDATE users SET strictness = '$gset' WHERE user_id = 1";
                mysqli_query($conn, $strictnessUpdate);
                echo "strictness value updated";
            }

            ?>

            <form method="POST" class="form-align" action="setStrictness(<?php $conn ?>)">
                <h5 class="my-6">Current Strictness :</h5> <?php echo $gset; ?><br>
                <select name="strictness" required>
                    <option value=""></option>
                    <option value="15">15</option>
                    <option value="31">31</option>
                </select>
                <input type="submit" name="substrict" value="CHANGE">
            </form>

1. You don't need to do the fetch query if the form field is posted, so you could put it in an `else` statement after the `if(isset` fragment. 2. You are not using a prepared statement, so this is prone to MySQL injection https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 3. Why are you fetching the array twice? I haven't used PHP in about 5 years so maybe I'm missing something, but I think you should be able to re-use `$gs_result` — OskarD90, Aug 18 '21 at 12:36

User form-data to update query PHP

1 Answers1