0

Here's the code from where I am sending id

In this code I am getting ID by using $_GET['id']. At start the $_GET['id'] fetches id and the first query of SQL works to fetch the data in input fields but soon as I press EDIT button to update the data than the data stays same in database. I used echo after isset($_POST['edit_user']) but there is nothing in $id.

<?php
session_start();
include("config.php");
//echo $id=$_SESSION['id'];
$id = isset($_GET['id']) ? $_GET['id'] : '';

$sql = "SELECT * FROM phone WHERE id='$id'";
$res = $conn->query($sql);
$row = $res->fetch_assoc();
echo $n = isset($row['name']) ? $row['name'] : '';
echo $phone = isset($row['contacts']) ? $row['contacts'] : '';

if (isset($_POST['edit_user'])) {
    $name = $_POST['fname'];
    $number = $_POST['num'];
    //var_dump($name);
    $sql = "UPDATE phone SET name='$name', contacts='$number' WHERE id='$id'";
    //var_dump($sql);

    //var_dump($res);
    if ($conn->query($sql) == TRUE) {
        echo "<script>alert('You have successfuly updated user') </script>";
        header("location:index.php");
    } else {
        echo "<script>alert('Failed to edit user') </script>";
    }
    $conn->close();
}

?>

<!DOCTYPE html>
<html>

<head>
    <meta charset="utf-8">
    <title>EDIT USER</title>
    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/css/bootstrap.min.css">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.4.1/js/bootstrap.min.js"></script>
</head>

<body>
    <div class="container">
        <div class="col-md-12">
            <div class="row">
                <div class="col-md-4"></div>
                <div class="col-md-4" jumbotron my-5>
                    <h4 class="text-center my-2">Edit User</h4>
                    <form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>" method="post">
                        <label>Name</label>
                        <input type="text" name="fname" class="form-control" autocomplete="off" required value="<?php echo $n ?>">
                        <label>Number</label>
                        <input type="text" name="num" class="form-control" autocomplete="off" required value="<?php echo $phone ?>">
                        <input type="submit" name="edit_user" value="Edit User" class="edituser">
                    </form>
                </div>

            </div>
        </div>
    </div>

</body>

</html>
halfer
  • 19,824
  • 17
  • 99
  • 186
Danyal
  • 11
  • Please be warned that your `SELECT` and `UPDATE` queries are widely open for SQL injection. Have a look at prepared statements to avoid getting hacked – Nico Haase Mar 03 '22 at 08:25
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Mar 03 '22 at 10:22

3 Answers3

0

Because when you submit its reloading page so you are missing id in the query string, You just need to pass query string to get data from an URL using $_GET. on your given code you can do this by replacing the action link

$_SERVER["PHP_SELF"]

with

"http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

tausif Ahmad
  • 1
  • 1
  • 4
0

You can us both $_GET and $_POST at the same time but you have to define the

$_GET parameter in the URI like:

<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>?id=21">

or use

$_POST with an hidden input type like:

<input type="hidden" id="id" name="id" value="21">

and you got one more error in the code i ansered here

Remember that header() must be called before any actual output is sent, either by normal HTML tags, blank lines in a file, or from PHP. How to redirect to page with the location?

This will not work:

echo "<script>alert('You have successfuly updated user') </script>";
header("location:index.php");

If you want to alert a message you have to do the alert after location|load the next side something like:

<?php
   if ($conn->query($sql) == TRUE) {
    $ok = 1;
    } 
    else{
    $ok = 2;
   }
   header("location:index.php?ok=$ok");
?>

on the new side do:

<?php
$ok = ($_GET['ok'] ?? '');
if($ok === 1){
echo "<script>alert('You have successfuly updated user')";
}
elseif($ok === 2){
echo "<script>alert('Failed to edit user') </script>";
}
?>

Dont forget your code like this is open for injection malicious code Fix this

Z0OM
  • 1
  • 4
  • 18
  • 29
0

since you want to update by using the $_GET['id'], you need to ensure ?id=69 (69 is a dummy id) is present your url when the code runs.

replace your opening form with this:

<form action="./update.php?id=<?=$id?>" method="post">

or:

<form action='<?php echo "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";?>' method='post'>
tenshi
  • 508
  • 4
  • 12