Update single item page

im working on my school project, im php beginner so some obvious things might not be so obvious for me…
so i have my single item page which im getting from sql by get method
item page displays fine, but once i try to update some columns, does not work

i used update code before (not with get method) and worked fine
i am sure im missing something there but spent few days and still nothing
any suggestion appreciated

attached the code

and also new.php (1.6 KB)
there is the code

<?php include 'connection.php';


$UpdateQuery = "UPDATE Training SET name='$_POST[name]', price='$_POST[price]', days='$_POST[days]', units='$_POST[units]', info='$_POST[info]', outcome='$_POST[outcome]'
WHERE name ='$_POST[hidden]'";
mysqli_query($con, $UpdateQuery);
print "The training has been updated<br>Visit <a href=''>website</a>";
$result= mysqli_query($con, "SELECT * FROM Training WHERE id='$id'");

												   $sql="SELECT * FROM Training WHERE id='$id'";

													echo "<form action=item.php?id=".$row['id']." method=post>";
												echo "Name: <br>";
echo "<textarea name='name' cols='100' rows='1' >".$row['name']."</textarea> <br><br>";
echo "<input type=hidden name=hidden value= '". $row['name']."'> ";
echo "Price: <br>";
echo " <input type=text name='price' value= '".$row['price']."'> <br><br>";
echo "Days: <br>";
echo "<textarea name='days' cols='100' rows='3' >".$row['days']."</textarea> <br><br>";
echo "Units: <br>";
echo "<textarea name='units' cols='100' rows='3' >".$row['units']."</textarea> <br><br>";
echo "Course info:<br> ";
echo "<textarea name='info' cols='100' rows='10' >".$row['info']."</textarea> <br><br>";
echo "Outcome: <br>";
echo "<textarea name='outcome' cols='100' rows='4' >".$row['outcome']."</textarea> <br><br>";
echo  "<input type=submit name=save value= 'save'" ;
												echo '</form>';


new.php (1.6 KB)

That’s a lie as long as you do not verify the database answer with mysqli_error(). Use prepared statements or your database will be wiped.

One or two things to look at, which are not strictly “wrong”, but (IMO) not good practice:

Where you display the form at the bottom of your code, you are inconsistent in whether you surround your HTML parameters with quotes or not. As none of them contain spaces it doesn’t matter, but IMO they should be quoted, always:

echo "<textarea name='name' cols='100' rows='1' >".$row['name']."</textarea> <br><br>";

has everything quoted, but the next line

echo "<input type=hidden name=hidden value= '". $row['name']."'> ";

does not. Both will work (until you add a value that contains a space) but it’s good practice to be consistent.

@chorn makes a good point about prepared statements. The relevance here is when you build your update query you’re not considering any problems caused by having “problem” characters inside any of the text you enter in the form, such as someone called “Fred O’Smith” for example. Using a prepared statement would take care of that, among other things. You need to check all the data that your user types into the form to make sure they haven’t done something that will throw out the query (see https://xkcd.com/327/) - as it stands, if any of those fields contain a ' character, the query will now have imbalanced quotes and will fail with a syntax error. You won’t know that, because you don’t check whether it executed or not:

mysqli_query($con, $UpdateQuery);
print "The training has been updated<br>Visit <a href=''>website</a>";

Here, you run the query in the first line, then say that it worked and offer a link to another site. But you don’t know it worked, because you didn’t check. I don’t use mysqli myself so am not that familiar with it, but you could do something like:

if (!(mysqli_query($con, $UpdateQuery))) { 
  echo "Heck, there was a problem running the query";
else {
  print "The training has been updated<br>Visit <a href=''>website</a>";

which would at least trap the fact it didn’t work.

I’m also not sure it’s a good idea to have a database table where the unique identifier is the name field, unless that has a different meaning that I guess it does. If it’s the name of a person, it’s a bad choice because it won’t be long before you have a second person with the same name. Look at adding a unique ID column if you don’t already have one.

So, on to find out why it doesn’t update - inside your if() clause where you check if the save button has been pressed, add


and see what’s in the array that you get from the form. If it doesn’t throw any light, post the result here.

ETA - another few things:

After your update query, you run a SELECT query:

$result= mysqli_query($con, "SELECT * FROM Training WHERE id='$id'");

but I don’t see where you get the value of $id from. I am also confused at the form action tag - that points to item.php, is that the code you showed, or is that called new.php as in your link?

1 Like

new.php is actualy item.php

and here is traininglist.php which links to item.phptraininglist.php (977 Bytes)

OK, well I don’t see where you get the value of $id from in that case. The other file you posted is very similar in structure, and in things like inconsistency on quoting parameters, and executing queries without checking if they worked or not.

So in terms of getting the update to work, what was the result of the var_dump($_POST) and did it offer any clues as to the problem?

id is another column in table Training…there will not be the same trainings

if (!(mysqli_query($con, $UpdateQuery))) { 
  echo "Heck, there was a problem running the query";
else {
  print "The training has been updated<br>Visit <a href=''>website</a>";

var_dump($_POST) BROUGHT   array(0) { }

resolved thanks

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.