1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

updating names not values

Discussion in 'PHP' started by pshaw, Apr 11, 2021.

0
  1. #1
    I'm updating a database table with an HTML form. The update occurs but with the field names
    not the values?
    --------------------------------------
    the form code:

    <!DOCTYPE html><html lang="en">
    <head>
    </head>
    <body bgcolor="#ccffff"><center>
    <font size=+2><b> update 515 Certification Expiration database</font><br>
    <form action="cert-update.php" method="post">
    <label for="unit">Unit:</label>
    <input type="text" name="unit" id="unit">
    <label for="tenant">Tenant:</label>
    <input type="text" name="tenant" id="tenant">
    <label for="effdate">Effective date:</label>
    <input type="text" name="effdate" id="effdate">
    <label for="expdate ">Expiration date :</label>
    <input type="text" name="expdate " id="expdate "><br>

    <label for="moveindate">Move-in date:</label>
    <input type="text" name="moveindate" id="moveindate">
    <label for="daysleft">Days left:</label>
    <input type="text" name="daysleft" id="daysleft">
    <label for="date90">date90:</label>
    <input type="text" name="date90" id="date90">
    <label for="date60">date60:</label>
    <input type="text" name="date60" id="date60">
    <label for="date30">date30:</label>
    <input type="text" name="date30" id="date30"><br>

    <input type="submit" name="submit" value="Submit">
    </form></body></html>
    ------------------------------------
    the update code:

    <html><body>
    <center><b><font size=+2> 515 Certification Expiration Update</font><br>06/22/2020 - 06/22/2021<p>

    <?php
    $servername = "localhost";
    $username = "root";
    $password = "";
    $dbname = "prerentdb";

    // Create connection
    $conn = new mysqli($servername, $username, $password, $dbname);
    // Check connection
    if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
    }

    $unit=$_POST['unit'];
    $tenant=$_POST['tenant'];
    $effectdate='effectdate';
    $expdate='expdate';
    $moveindate=$_POST['moveindate'];
    $daysleft=$_POST['daysleft'];
    $date90=$_POST['date90'];
    $date60=$_POST['date60'];
    $date30=$_POST['date30'];
    $sql = "UPDATE certtbl SET
    unit = '$unit',
    tenant = '$tenant',
    effectdate = '$effectdate',
    expdate = '$expdate',
    moveindate = '$moveindate',
    daysleft = '$daysleft',
    date90 = '$date90',
    date60 = '$date60',
    date30 = '$date30'
    WHERE unit='$unit'";
    if ($conn->query($sql) === TRUE) { echo "Record updated successfully"; }
    else { echo "Error updating record: " . $conn->error; }
    $conn->close();
    ?>
    </center></body></html>
     
    pshaw, Apr 11, 2021 IP
  2. sarahk

    sarahk iTamer Staff

    Messages:
    28,500
    Likes Received:
    4,460
    Best Answers:
    123
    Trophy Points:
    665
    #2
    You really have to stop accessing $_POST directly. Use filter_input.

    There is a world of difference between single quotes ' and double quotes "

    Single quotes give the text value of the string
    unit = '$unit',
tenant = '$tenant',
effectdate = '$effectdate',
expdate = '$expdate',
moveindate = '$moveindate',
    PHP:
    while double quotes insert a variable into the string
    unit = "$unit",
tenant = "$tenant",
effectdate = "$effectdate",
expdate = "$expdate",
moveindate = "$moveindate",
    PHP:
    This should have been super easy to debug.
     
    sarahk, Apr 11, 2021 IP
  3. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,732
    Likes Received:
    1,998
    Best Answers:
    253
    Trophy Points:
    515
    #3
    NO! Oh for F*** sake NO!

    They need to extract their code's cranium from 2003's rectum and STOP slopping variables into the query string! Filter_input isn't the flipping answer, prepare/execute is!

    Just like how 1997 called and it wants its markup back. The mere presence of FONT and CENTER should be a giant warning sign that the ENTIRE codebase has to be pitched in the trash and started over with practices from this century.

    
<?php

$conn = new mysqli(
	"localhost",
	"root",
	"",
	"prerentdb"
);
if ($conn->connect_error) {
	die("Connection failed: " . $conn->connect_error);
}

$stmt = $conn->prepare('
	UPDATE certtbl
	SET
		unit = ?,
		tenant = ?,
		effectdate = ?,
		expdate = ?,
		moveindata = ?,
		daysleft = ?,
		date90 = ?,
		date60 = ?,
		date30 = ?
	WHERE
		unit = ?
');

$stmt->bind_param(
	'ssssssssss',
	$_POST['unit'],
	$_POST['tenant'],
	'effectdate', // if these are tyoe DATETIME, these are invalid
	'expdate',
	$_POST['moveindate'],
	$_POST['daysleft'],
	$_POST['date90'],
	$_POST['date60'],
	$_POST['date30']
);

if ($stmt->execute()) {
	if ($stmt->affected_rows > 0) echo 'Record updated successfully';
	else echo 'No records updated, but no error?!?';
} else echo 'Error updating record: ', $conn->error;

$conn->close();
    Code (markup):
    Variables for nothing and garbage filter_input nonsense so they can be slopped into the query string is NOT the answer!
     
    deathshadow, May 6, 2021 IP