Form to update sql data

[jacko_162]

I have the following page:

 

<?php

// INCLUDE DB CONNECTION FILE
include("includes/connect.php");

// GET ID from URL 
$getID = $_GET["charID"];
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Index</title>
<!-- Add Main CSS -->
<link rel="stylesheet" type="text/css" href="css/main.css">
<!-- Add jQuery library -->
<script type="text/javascript" src="http://code.jquery.com/jquery-latest.min.js">
</script>
<!-- Add fancyBox -->
<link rel="stylesheet" href="includes/fancybox/jquery.fancybox.css?v=2.1.4" type="text/css" media="screen" />
<script type="text/javascript" src="includes/fancybox/jquery.fancybox.pack.js?v=2.1.4"></script>

</head>
<body>
Character Info Screen!
<br />
<br />
<?php
// Pull Data for character
$sql = mysql_query("SELECT * FROM `membertracking` WHERE `characterID` ='$getID'");
//check data and assign values
while($row = mysql_fetch_array($sql))
 {
   $characterID = $row['characterID'];
   $name = $row['name'];
   $startDate = $row['startDateTime'];
   $logOff = $row['logoffDateTime'];
   $location = $row['location'];
 }    
?>
<br />
<table width="100%" border="0" cellspacing="0" cellpadding="5">
 <tr>
   <td width="128" rowspan="5"><img src="http://image.eveonline.com/Character/<?php echo "$characterID"; ?>_128.jpg" /></td>
   <td>Pilot Name: <?php echo "$name"; ?></td>
 </tr>
 <tr>
   <td>Corp Since: <?php echo "$startDate"; ?></td>
 </tr>
 <tr>
   <td>Last Active: <?php echo "$logOff"; ?></td>
 </tr>
 <tr>
   <td>Last Location: <?php echo "$location"; ?></td>
 </tr>
</table>
<?
if (isset($submit)) {
 // UPDATE QUERY CODE WHEN SUBMIT IS ENTERED
$insert = "UPDATE `member_info` SET
characterID='$characterID',
role='$role', 
vouchedBy='$vouchedBy', 
position='$position', 
remarks='$remarks',
afk='$afk', 
category='$category' WHERE id='$id'";

if (@mysql_query($insert))
{
?>
                     <script language="Javascript" type="text/javascript">
document.location.replace('news.php');
               </script>
                     <?
}
else {
echo('Error in submission:' . mysql_error() . "<br />" . $sql);
}
}
?>
  <form action="<? $_SERVER['PHP_SELF']; ?>" method="post">  
                       <?php
 if ($getID) {
   $sql = "SELECT * FROM `member_info` WHERE `characterID` = $getID";
   $result = mysql_query($sql);
   $myrow = mysql_fetch_array($result);
   $ID = $myrow["id"];
   $characterID = $myrow["characterID"];
   $role = $myrow["role"];
   $vouchedBy = $myrow["vouchedBy"];
   $position = $myrow["position"];
$remarks = $myrow["remarks"];
$afk = $myrow["afk"];
$category = $myrow["category"];
   ?>




 <fieldset>
<legend>Edit Character Form</legend>
<input name="charcterID" type="hidden" value="<?php echo $characterID ?>" />
<label for="role">Role:</label>
<input type="text" name="role" value="<?php echo $role ?>" size="20" /><br />
<label for="vouchedBy">Vouched By:</label>
<input type="text" name="vouchedBy" value="<?php echo $vouchedBy ?>" size="20" /><br />
<label for="position"><br />Position:</label>
<input type="text" name="position" value="<?php echo $position ?>" size="20" /><br />
       <label for="remarks"><br />Remarks:</label>
<input type="text" name="remarks" value="<?php echo $remarks ?>" size="20" /><br />
<label for="afk"><br />afk?:</label>
<input type="text" name="afk" value="<?php echo $afk ?>" size="20" /><br />
<label for="category"><br />category:</label>
<input type="text" name="category" value="<?php echo $category ?>" size="20" /><br />
<input type="submit" name="submit" value="Update" />
    </p>
 </fieldset>
</form>
<?php } ?>
</body>
</html>

 

The data is being dynamically entered into the boxes, but its not updating the table "member_info" when i click submit?? am i doing something wrong??

 

Appreciate any help.

Edited February 14, 2013 by jacko_162

[NathanDTaylor]

One thing I noticed, correct me if I am wrong, is that you are defining your variables

       $ID = $myrow["id"];
       $characterID = $myrow["characterID"];
       $role = $myrow["role"];
       $vouchedBy = $myrow["vouchedBy"];
       $position = $myrow["position"];

after you are updating the database

// UPDATE QUERY CODE WHEN SUBMIT IS ENTERED
$insert = "UPDATE `member_info` SET
characterID='$characterID',
role='$role', 
vouchedBy='$vouchedBy', 
position='$position', 
remarks='$remarks',
afk='$afk', 
category='$category' WHERE id='$id'";


echo ("<br />$insert<br />");


if (@mysql_query($insert)){

which would just clear out those fields in the row.

[DavidAM]

Actually, you are never retrieving the data from the posted form ($_POST), you are only retrieving it from the database. This is one of the good reasons that you should separate process from presentation. At the beginning of the script, process the data if there is a POST. Then retrieve the data from the database, then present the data (build the HTML). So it looks something like this:

 

# Process the form if POSTed
if (isset $_POST['submit']) {
 $name = $_POST['name']
 ...
 UPDATE table SET ...
}

# Load the data to be shown
SELECT ...
$name = $row['name']
...

# build the form
<HTML> 
...
<?php echo $name; >?
...

 

Also:

1) Forget about the error suppression operator "@". Take it out of your code EVERYWHERE! When errors (or warnings or notices) are displayed, there is a reason. FIX THESE ISSUES, don't hide them.

 

2) You don't really need a while loop if you are only getting one row from the database.

 

3) Make sure you sanitize any data you send to the Database. Use mysql_real_escape_string for strings sent to mySql. Use intval for integers. etc.

 

4) Avoid PHP_SELF as the action of a form. Use an empty string: action="" or hardcode the page name. PHP_SELF is based on data from the client, and could contain hacks to infiltrate your system

[jacko_162]

thank you for the help, have decided to go back to drawing board on this one. but all notes taken. very helpfull as always