The submit(update) button return an empty value, causing the update function not working

Question

Currently doing the address part in e-commerce website application. The address needs to be edited. I have included the SQL query and PHP code well, but still can't run. There is no error message prompt. Below is my part of the code:

As there are multiple addresses, each address has an edit and delete button. The edit button will do the editing work based on the address-id passed inside.

<?php
                    while($row = mysqli_fetch_array($address_result_query)) {
                        $address_id=$row['address_id'];
                        $_SESSION['address_id'] = $address_id;
                        echo "<td>
                              <a class='editbutton' href='editaddress.php?
                              address_id=".$address_id."'>Edit</a>
                              </td>";
?>

On the edit page, it will show the address data currently, and allow the user to modify it inside the text box. Below is the code to get the user data.

    <form  name="update_" method="post" action="editaddress.php" >
            <?php
            $address_id = $_SESSION['address_id'];
            $result2 = mysqli_query($mysqli, "SELECT * FROM user_address WHERE address_id='$address_id'");
            $row2=mysqli_fetch_assoc($result2);
            if(isset($row2['address'])!=null){
                $address = $row2['address'];
                $state = $row2['state'];
                $city = $row2['city'];
                $postcode = $row2['postcode'];
                $address_name = $row2['address_name'];
                $address_phone = $row2['address_phone'];
            }
            ?>

Code to show the data:

<div class="container_header">
                    <p>Edit Address</p>
                    <br>
                </div> 
                <label>Recipient Name:</label>
                <br>
                <input type="text" size="50" class="address_name"name="address_name" value="<?php echo $address_name;?>">           
                <br><br>

                <label>Recipient Phone:</label>
                <br>
                <input type="text" size="50" class="address_phone"name="address_phone" value="<?php echo $address_phone;?>">
                <br><br>

                <label>Recipient address:</label>
                <br>
                <input type="text" size="50" class="address"name="address" value="<?php echo $address;?>">
                <br><br>

                <input type="text" size="50" class="state"name="state" value="<?php echo $state;?>">
                <br><br>

                <input type="text" size="50" class="city"name="city" value="<?php echo $city;?>">
                <br><br>

                <input type="text" size="50" class="postcode"name="postcode" value="<?php echo $postcode;?>">           
                <br><br>

                <input type="button" onclick="location.href='index.php';" name="add_address" value="Cancel" class="cancel">
                <input type="submit" name="update_address" value="Update">
            
    </form>

When user click on the update address, below PHP will run, but it's not. The code are inside the edit page, same location with above

if(isset($_POST['update_address']))
{   
    if(isset($_POST['address'])){
        $address = $_POST['address'];
    }else echo"address not get";
    $address_id = $_POST['address_id'];
    $state = $_POST['state'];
    $city = $_POST['city'];
    $postcode = $_POST['postcode'];
    $address_name = $_POST['address_name'];
    $address_phone = $_POST['address_phone'];

    $myquery = "UPDATE user_address SET 
                address='$address',
                state='$state',
                city='$city',
                postcode='$postcode',
                address_name='$address_name',
                address_phone='$address_phone'
                WHERE address_id='$address_id'";    
    $result = mysqli_query($mysqli,$myquery)or die(mysqli_error($mysqli));
    
    header("Location: ../profile/index.php");
}    
?>

**Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) — Dharman, Apr 02 '22 at 10:34
It is a very bad idea to use `die(mysqli_error($$conn));` in your code, because it could potentially leak sensitive information. See this post for more explanation: [mysqli or die, does it have to die?](https://stackoverflow.com/a/15320411/1839439) — Dharman, Apr 02 '22 at 10:34
Thanks for the warning! Using `die(mysqli_error($$conn));` is only for testing purposes as sometimes I need to know which part is not functioning. A beginner to web applications and much appreciate the suggestions given! — summer 67, Apr 03 '22 at 14:22
You don't need to use `die` at all. Just enable mysqli error reporting and PHP will tell you automatically [How to get the error message in MySQLi?](https://stackoverflow.com/a/22662582/1839439) — Dharman, Apr 03 '22 at 14:23

RyDog · Answer 1 · 2022-04-02T10:48:03.990

The issue is that you are trying to set the address_id with a Post variable that is not submitted with the form. So when the query is being constructed the id is not being specified and it fails.

eg.

UPDATE user_address 
SET address='123 Test Road', 
state='Test', 
city='Test City', 
postcode='1234', 
address_name='John', 
address_phone='123456789' 
WHERE address_id='' -- See no ID

It's best practice to use prepared statements. You can read more about them here: https://www.w3schools.com/php/php_mysql_prepared_statements.asp

I'll help you out by showing you how you would do this in your code. Below is code that shows how to fix the problem and resolve sql injection issues:

First update your select statement to use a prepared statement like this:

<?php
        $address_id = $_SESSION['address_id'];
        
        //Prepare the query
        $stmt = $mysqli->prepare("SELECT * FROM user_address WHERE address_id = ?");
        //bind the parameters
        $stmt->bind_param("i",$address_id); //the i is for integer
        //execute the query
        $stmt->execute();
        $result = $stmt->get_result();
       
        while($row2 = $result->fetch_assoc()) {
            $address = $row2['address'];
            $state = $row2['state'];
            $city = $row2['city'];
            $postcode = $row2['postcode'];
            $address_name = $row2['address_name'];
            $address_phone = $row2['address_phone'];
        }
        $stmt->close();
        
?>

Then fix the initial problem by using the $_SESSION['address_id'] instead of $_POST['address_id'] and convert your update statement toa prepared statement:

<?php
    if(isset($_POST['update_address']))
    {   
        if(isset($_POST['address'])){
            $address = $_POST['address'];
        }else echo"address not get";
            
            //$address_id = $_POST['address_id']; // <----- This is the problem line
            
            //update your code so the above line is like this:
            $address_id = $_SESSION['address_id'];
            
            $state = $_POST['state'];
            $city = $_POST['city'];
            $postcode = $_POST['postcode'];
            $address_name = $_POST['address_name'];
            $address_phone = $_POST['address_phone'];
        
            $myquery = "UPDATE user_address SET 
                        address= ?,
                        state= ?,
                        city= ?,
                        postcode=?,
                        address_name=?,
                        address_phone=?
                        WHERE address_id=?";
               
            //Prepare the query
            $stmt = $mysqli->prepare( $myquery );    
            
            //bind the parameters
            $stmt->bind_param("ssssssi", $address, $state, $city,$postcode, $address_name,$address_phone, $address_id); // s means string & i means int
            //execute the query
            $stmt->execute();
            $stmt->close();  
        
            header("Location: ../profile/index.php");
    }    
?>

Another good read is this website here:

https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection

The submit(update) button return an empty value, causing the update function not working

1 Answers1