Update query seems as if it runs correctly however the records do not update.

[Mweigle2]

I am very new to PHP so go easy on me as my code might be really messy. Also the extent this code will reach is local and only two users will probably use it so I am not too worried about SQL injection as I know the code is open to it.

 

With that being said here is the code to my update page , it seems relatively simple and every time I try to update a record it echos the message "Successfully Updated" however the record is the way it was to begin with when I search it.

<!DOCTYPE html>
<html>

<head>
  <title>Engineering  Data</title>
  <link href="style.css" rel="stylesheet">
  <style>
  img {
  width:100%;
  }
  
  </style>

</head>
<body>
<img src="coxanddinkinslogo.png" alt=" Cox and Dinkins" style="width:600px;height:128px;">

<nav id="nav01"></nav>

  <div id="main">
  <h1>Cox and Dinkins Engineering Database</h1>
  
  </div>
  
  



<h2> Update </h2>
<form action="" method="post">
<table>
<tr>
<td>Project Number</td>
<td>Date Ordered</td>
<td>Project Name</td>
</tr>
<tr>
<td><input type="TEXT" name="search" /></td>
<td><input type="TEXT" name="search1" /></td>
<td><input type="TEXT" name="search2" /></td>
</tr>
<tr>
<td>Project Address</td>
<td>County</td>
<td>Client</td>
</tr>
<tr>
<td><input type="TEXT" name="search3" /></td>
<td><input type="TEXT" name="search4" /></td>
<td><input type="TEXT" name="search5" /></td>
</tr>
<tr>
<td>Client Contact</td>
<td>Contact Title</td>
<td>Billing Address</td>
</tr>
<tr>
<td><input type="TEXT" name="search6" /></td>
<td><input type="TEXT" name="search7" /></td>
<td><input type="TEXT" name="search8" /></td>
</tr>
<tr>
<td>Business Phone</td>
<td>Cell Phone</td>
<td>Email</td>
</tr>
<tr>
<td><input type="TEXT" name="search9" /></td>
<td><input type="TEXT" name="search10" /></td>
<td><input type="TEXT" name="search11" /></td>
</tr>
<tr>
<td>Open Status</td>
<td>Close Status</td>
<td>Cabinet</td>
</tr>
<tr>
<td><input type="TEXT" name="search12" /></td>
<td><input type="TEXT" name="search13" /></td>
<td><input type="TEXT" name="search14" /></td>
</tr>
<tr>
<td>Roll</td>
<td>Drawer</td>
<td>Construction Drawings</td>
</tr>
<tr>
<td><input type="TEXT" name="search15" /></td>
<td><input type="TEXT" name="search16" /></td>
<td><input type="TEXT" name="search17" /></td>
</tr>
<tr>
<td>Construction Cost</td>
<td>Fee</td>
<td>Project Description</td>
</tr>
<tr>
<td><input type="TEXT" name="search18" /></td>
<td><input type="TEXT" name="search19" /></</td>
<td><textarea name="search20" rows="10"></textarea></td>
</tr>
</table>

<input type="SUBMIT" name="submit" value="Update"/>
</form>

<?php
if(isset($_POST["submit"])){
$servername = "localhost";
$username = "root";
$password = "m0veFRqa-16";
$dbname = "e1";

// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$sql ="(UPDATE engineering SET DateOrdered='".$_POST['search1']."', Title='".$_POST['search2']."', Client='".$_POST['search5']."', Contact='".$_POST['search6']."', ContactTitle='".$_POST['search7']."',  MailingAddressComplete='".$_POST['search8']."',  PhysicalAddressComplete='".$_POST['search3']."',  BusinessPhone='".$_POST['search9']."',  ProjectDescription='".$_POST['search20']."',  CloseStatus='".$_POST['search13']."',  OpenStatus='".$_POST['search12']."',  Drawer='".$_POST['search16']."',  Cabinet='".$_POST['search14']."',  Roll='".$_POST['search15']."',  County'".$_POST['search4']."',  Email='".$_POST['search11']."',  CellPhone='".$_POST['search10']."',  Fee='".$_POST['search19']."',  ConstructionCost='".$_POST['search18']."' WHERE JobNumber='".$_POST['search']."')";


$result=($sql)or 
die ("Not Working Correctly");
if($result){
echo "Successfully Updated";
}
else {
echo "ERROR";
}

$conn->close();
}
?>

  <footer id="foot01">
  
  </footer>
  

<script src="scripteng.js"></script>
</body>
</html>

any help as to why it is not updating would be greatly appreciated.

[Jacques1]

Instead of prefixing your post with a long excuse for the code and all kinds of assumptions about how the database problems aren't really problems, how about you fix the code? Contrary to what you seem to think, injection vulnerabilities aren't "just" security problems. They can blow up your queries even if you're running the application in a completely isolated environment. Try entering the name "O'Reilly", for example.

 

Then I don't see any actual query execution in your code. You build the SQL string, and that's it. Obviously it won't execute itself.

[cyberRobot]

As Jacques1 mentioned, you need to run the query. Since it looks like you are using MySQLi, the following page should help:

http://php.net/manual/en/mysqli.query.php

 

As for the injection attacks, you'll want to use prepared statements at some point. If that seems daunting, you could use "real_escape_string" in the meantime to prevent issues like what Jacques1 mentioned. More information can be found here:

http://php.net/manual/en/mysqli.real-escape-string.php

[ginerjm]

Besides all of the very good points that have already been posted, for your own future endeavors you should learn to use meaningful names for your form fields and later on for your php variables.  It will make things that much easier to write, to debug and to follow along with when coming back to any script you write.  Using form fields all named   "searchX" is kinda weak. No doubt once it finally gets to be working you will find at least one data item in the wrong column of your table.

 

Be sure to turn on php error checking while you are developing this script to help you see what errors you have until you get it all perfected.  See my signature.