Using single form in crud for inserting and updating

im trying to make page creation like in wordpress. When we add page, form is blank with submit button name = Publish but when we will fill data and submit then form should stay as it is without loosing any data from field and changing Publish button to Update, now we have form fill with data we should be able to update data too. same as in wordpress page creation.


if (isset($_POST['submit'])) {

    $first_name = $_POST['firstname'];

    $last_name = $_POST['lastname'];

    $email = $_POST['email'];

    $password = $_POST['password'];

    $gender = $_POST['gender'];

    $sql = "INSERT INTO `users`(`firstname`, `lastname`, `email`, `password`, `gender`) VALUES ('$first_name','$last_name','$email','$password','$gender')";

    $result = $conn->query($sql);

    if ($result == TRUE) {

      echo "New record created successfully.";


      echo "Error:". $sql . "<br>". $conn->error;




update.php (getting data into form field)

$sql = "SELECT * FROM users";

$result = $conn->query($sql);


            if ($result->num_rows > 0) {

                while ($row = $result->fetch_assoc()) {



                    <td><?php echo $row['id']; ?></td>

                    <td><?php echo $row['firstname']; ?></td>

                    <td><?php echo $row['lastname']; ?></td>

                    <td><?php echo $row['email']; ?></td>

                    <td><?php echo $row['gender']; ?></td>

                    <td><a class="btn btn-info" href="update.php?id=<?php echo $row['id']; ?>">Edit</a>&nbsp;<a class="btn btn-danger" href="delete.php?id=<?php echo $row['id']; ?>">Delete</a></td>


        <?php       }


query for saving update data:

if (isset($_POST['update'])) {

        $firstname = $_POST['firstname'];

        $user_id = $_POST['user_id'];

        $lastname = $_POST['lastname'];

        $email = $_POST['email'];

        $password = $_POST['password'];

        $gender = $_POST['gender']; 

        $sql = "UPDATE `users` SET `firstname`='$firstname',`lastname`='$lastname',`email`='$email',`password`='$password',`gender`='$gender' WHERE `id`='$user_id'"; 

        $result = $conn->query($sql); 

        if ($result == TRUE) {

            echo "Record updated successfully.";


            echo "Error:" . $sql . "<br>" . $conn->error;



Right now i using add-page.php for adding page and update.php for updating. i want to use single form in single page for both page creation and updates. once form is filled and submitted data should to stay as it is so that we can update the data easily, after form is submitted Publish button should change to that we can edit and update the data in form

Page create and update same as wordpress.

Your code is vulnerable to an SQL Injection Attack. NEVER EVER put variables in your query. NEVER EVER trust user supplied data.

Depending on the name of a button to be submitted in order for your code to work will completely fail in certain cases. You need to check the REQUEST METHOD instead.

Do not create variables for nothing.

Do not output internal server errors to the user. That info is only good to hackers.

You do not need to manually close the DB connection. PHP will do it automatically when the script finishes running.

Do not SELECT *. Specify the columns you want by name.

Do not store passwords in plaintext.

Pretty much every bit of this code is no good. I would also suggest you use PDO.


Is not the way to check that a form has been submitted. You should be checking the request method.

You should also be checking the user input supplied and not simply assigning a POST value to a local variable.

far as i know, no database interaction query command will return a boolean true. Most will return an object or false on failure. That said, this should still evaluate correctly, as any object will be truthy.

That feels like a rather large overreach, but perhaps not. At the very least, it’s pulling passwords from the database unnecessarily.

Do not. Store passwords. As plaintext.

7 posts were split to a new topic: Why you should not use SELECT *

what about using

if($result ->affected_rows > 0 ){
echo "database updated correctly"
echo "no changes made";
1 Like

im new, are suggesting me to use prepare statement NEVER EVER put variables

Yes, use prepared statements.

do i need to sanitize input field of form after using prepared statements…

1 Like


Remember FIEO - Filter Input, Escape Output

You make sure the supplied input is valid. Once you’ve deemed it valid you store it as is, without any escaping or sanitizing or whatever.

When you display the data back to the user then you escape it, so that if anything bypassed the input filter it’s still escaped and not harmful.


This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.