PHP and MySQL UPDATE..

As the subject states, i'm trying to do an update of a specific row in mysql.

Code: Select all: $query2 = mysql_query("UPDATE members SET Title = '".$_POST['title']."', Firstname = '".$_POST['firstname']."' WHERE EmailName = '".$_POST['select_term']."' ");

I populate a form first with this:

Code: Select all: $query = mysql_query("SELECT * FROM `members` WHERE EmailName = '".$_POST['select_term']."'"); $row = mysql_fetch_array($query);

and..

Code: Select all: <input type="text" name="title" value="<?php echo $row['Title']; ?>" /> <input type="text" name="firstname" value="<?php echo $row['Firstname']; ?>" />

A very nasty problem occurs with this train of thought though, whenever I populate the form, the whole row in the database empties, and if I don't hit Submit to update the table it stays empty.

Any clues to why this is happening and if/how I can prevent it?

Thanks

A SELECT statement has no side effects, which means, it modifies nothing in the database. So if i'm reading your problem correctly. It appears we simply don't have enough information to help you. Both statements are completely valid (though less then ideal) SQL queries and each should do exactly as written.

So what i'm getting at is that those 2 queries out of context of the relevant code is moot with the current set of information. Post some context code with it or you're going to have to be way more descriptive. Context code is much preferred.

I don't see select_term being POSTed anywhere in your form.

Ok dumping the full code 8-)

Code: Select all: include 'conn.php'; $query = mysql_query("SELECT * FROM `members` WHERE EmailName = '".$_POST['select_term']."'"); /* //@TODO: sanitize input */ $query2 = mysql_query("UPDATE members SET Title = '".$_POST['title']."', Firstname = '".$_POST['firstname']."', Middlename = '".$_POST['middlename']."', Lastname = '".$_POST['lastname']."', Suffix = '".$_POST['lastname']."', Nickname = '".$_POST['nickname']."', DefaultAddress = '".$_POST['defaultaddress']."', WorkAddress = '".$_POST['workaddress']."', WorkCity = '".$_POST['workcity']."', WorkStateOrProvince = '".$_POST['workstateorprovince']."', WorkPostalCode = '".$_POST['workpostalcode']."', WorkCountry = '".$_POST['workcountry']."', WorkPhone = '".$_POST['workphone']."', WorkExtension = '".$_POST['workextension']."', WorkFax = '".$_POST['workfax']."', HomeAddress = '".$_POST['workfax']."', HomeCity = '".$_POST['homecity']."', HomeStateOrProvince = '".$_POST['homestateorprovince']."', HomePostalCode = '".$_POST['homepostalcode']."', HomeCountry = '".$_POST['homecountry']."', HomePhone = '".$_POST['homephone']."', MobilePhone = '".$_POST['mobilephone']."', EmailName = '".$_POST['emailname']."', Birthdate = '".$_POST['birthdate']."', MembershipStatus = '".$_POST['membershipstatus']."', DateJoined = '".$_POST['datejoined']."',Photo = '".$_POST['photo']."' WHERE EmailName = '".$_POST['select_term']."' "); if (mysql_num_rows($query) == 0) { echo "User not found."; } $row = mysql_fetch_array($query); ?> <table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC"> <tr> <form name="search_member" method="post" action="members_update.php"> <td> <table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF"> <tr> <td colspan="3"><center><strong>Enter Member Email</strong></center></td> </tr> <tr> <td width="78">E-Mail</td> <td width="6">:</td> <td width="294"><input name="select_term" type="text" id="select_term"></td> </tr> <td><center><input type="submit" name="Submit" value="Search"></center></td> </tr> </table> </td> </form> </tr> </table> <center> <form name = "member_update" method = "post" action = "members_update.php"> <table border="1"> <tr><td>Title: </td><td><input type="text" name="title" value="<?php echo $row['Title']; ?>" /></td> <td>First name: </td><td><input type="text" name="firstname" value="<?php echo $row['Firstname']; ?>" /></td> <td>Middle name: </td><td><input type="text" name="middlename" value="<?php echo $row['Middlename']; ?>" /></td></tr> <tr><td>Last name: </td><td><input type="text" name="lastname" value="<?php echo $row['Lastname']; ?>" /></td> <td>Suffix: </td><td><input type="text" name="suffix" value="<?php echo $row['Suffix']; ?>" /></td> <td>Nickname: </td><td><input type="text" name="nickname" value="<?php echo $row['Nickname']; ?>" /></td></tr> <tr><td>Default Address: </td><td><input type="text" name="defaultaddress" value="<?php echo $row['DefaultAddress']; ?>" /></td> <td>Work Address: </td><td><input type="text" name="workaddress" value="<?php echo $row['WorkAddress']; ?>" /></td> <td>Work City: </td><td><input type="text" name="workcity" value="<?php echo $row['WorkCity']; ?>" /></td></tr> <tr><td>Work State or Province: </td><td><input type="text" name="workstateorprovince" value="<?php echo $row['WorkStateOrProvince']; ?>" /></td> <td>Work Postal Code: </td><td><input type="text" name="workpostalcode" value="<?php echo $row['WorkPostalCode']; ?>" /></td> <td>Work Country: </td><td><input type="text" name="workcountry" value="<?php echo $row['WorkCountry']; ?>" /></td></tr> <tr><td>Work phone: </td><td><input type="text" name="workphone" value="<?php echo $row['WorkPhone']; ?>" /></td> <td>Work extension: </td><td><input type="text" name="workextension" value="<?php echo $row['WorkExtension']; ?>"/></td> <td>Work fax: </td><td><input type="text" name="workfax" value="<?php echo $row['WorkFax']; ?>" /></td></tr> <tr><td>Home Address: </td><td><input type="text" name="homeaddress" value="<?php echo $row['HomeAddress']; ?>" /></td> <td>Home City: </td><td><input type="text" name="homecity" value="<?php echo $row['HomeCity']; ?>" /></td><br /> <td>Home State or Province: </td><td><input type="text" name="homestateorprovince" value="<?php echo $row['HomeStateOrProvince']; ?>" /></td></tr> <tr><td>Home Postal code: </td><td><input type="text" name="homepostalcode" value="<?php echo $row['HomePostalCode']; ?>" /></td> <td>Home Country: </td><td><input type="text" name="homecountry" value="<?php echo $row['HomeCountry']; ?>" /></td> <td>Home Phone: </td><td><input type="text" name="homephone" value="<?php echo $row['HomePhone']; ?>" /></td></tr> <tr><td>Mobile Phone: </td><td><input type="text" name="mobilephone" value="<?php echo $row['MobilePhone']; ?>" /></td> <td>Email: </td><td><input type="text" name="emailname" value="<?php echo $row['EmailName']; ?>" /></td> <td>Date of Birth: </td><td><input type="text" name="birthdate" value="<?php echo $row['Birthdate']; ?>" /></td> <tr><td>Membership status: </td><td><input type="text" name="membershipstatus" value="<?php echo $row['MembershipStatus']; ?>" /></td> <td>Date Joined: </td><td><input type="text" name="datejoined" value="<?php echo $row['DateJoined']; ?>" /></td> <td>Photo:</td><td><input type="text" name="photo" value="<?php echo $row['Photo']; ?>" /></td></tr> </table> <br /> <td><input type="submit" name="Submit" value="Submit" /></td> </form> </center> </body> </html>

To add a bit more detail to what the problem is, whenever I input for example a valid "test@test.com" on the search_member form the form below it,it gets populated (done with $query) and then using $query2 I try to update anything I'd like. But if for example I pull the data and my browser crashes, or I decide to close up the window, or go for a tea etc. and don't hit the submit button the whole entry concerning the "test@test.com" (and the rest of the values associated except of memberid) will be nullified/erased.

To sum up, whenever I hit the search button and the data is pulled in, if I view the sql table entry for the test@test.com all the values (except the unique key, member id) magically vanish.

The entry itself is still there in the database just with no data in it. A note is that the memberid that I use as a unique key, and I'm not pulling into the form remains the same, I'll try and pull that aswell and see if it affected.

Could it be the $_POST f'ing up or even phpmyadmin not showing up what it's supposed to? still trying to learn but this problem struck me up as highly odd.

One thing I'm not seeing here is any check for non-null post values. Or any sort of conditional need to actually UPDATE. If this is the full PHP, then the second query is always executed, regardless of whether $_POST contains anything non-null. So that could be the cause of your vanishing data. That's just a guess though. I really didn't examine that UPDATE call very closely to see if there were any concatenation errors. But, I think if there were, you would be facing different problems altogether. Still, cleaning that up definitely wouldn't hurt.

OnlyHuman wrote:One thing I'm not seeing here is any check for non-null post values. Or any sort of conditional need to actually UPDATE. If this is the full PHP, then the second query is always executed, regardless of whether $_POST contains anything non-null. So that could be the cause of your vanishing data. That's just a guess though. I really didn't examine that UPDATE call very closely to see if there were any concatenation errors. But, I think if there were, you would be facing different problems altogether. Still, cleaning that up definitely wouldn't hurt.

I use the WHERE EmailName = '".$_POST['select_term']."' as my condition to updating the table. Since I only allow unique e-mail addresses to be added in the registration form that I have created.

You could be right that $_POST is always executing and I'll add non-null rules just to check if it works, but I'm at the same time thinking that the emptying of the entry happens before I even hit submit (on the update form) which as I understand, $_POST isn't sent by then.

I was thinking of adding something along these lines

Code: Select all: while($query) { $query2 = mysql_query("UPDATE ....etc") }

to prevent any $_POST from being sent prematurely by the update form. Basically i'm thinking that the problem lies within the search and that when I press search, all $_POST are submitted, and since the update form is empty at that time,it sents the empty values causing the entry in the db to be "erased" until I resubmit the new data.

You're right. It's not actually sent. But the variable will exist on the server whether or not there's currently any data in it. In other words, it wouldn't have to be sent. I'm not entirely sure that's the problem though, but I think it very likely. This is what I see happening with the logic:

test@test.mail

But again, I didn't fully examine the update for anything else that could be causing any other problems. Given what you mentioned however, this scenario could very well be what's taking place here. Worth a shot anyway.

-- Sat Apr 02, 2011 6:58 am --

First, if my last post seemed as if I wasn't giving this my full attention, that's simply because I wasn't. I have to admit that. I'm working on a few things at once here, so I apologize, and hope you didn't take it personally. I've got two editors open at all times, and a third whenever it's needed. So, like I said, it wasn't anything personal. With that said, here we go...

I took a shot at reworking this. And, after some playing around with it, I managed to get it all to function from the same file without the two queries interfering with one another. Stay with me here, this IS NOT a solution. Instead, it's a better place to begin debugging. Before I get to it though...

FunctionCreep wrote:
Code: Select all
while($query) { $query2 = mysql_query("UPDATE ....etc") }

to prevent any $_POST from being sent prematurely by the update form. Basically i'm thinking that the problem lies within the search and that when I press search, all $_POST are submitted, and since the update form is empty at that time,it sents the empty values causing the entry in the db to be "erased" until I resubmit the new data.

I don't think I understand what you're going for there. But, if it's cleaner than what I'm about to post, or you, or somebody else, knows of a better method, then by all means use it. Also, I'm thinking the majority of the issue was where the search and UPDATE overlap within the file. So, you may very well be on the right track by assuming the search is responsible.

I guess I promised a rewrite here, so without further ado. My "fix" here, is really just me trying to track down any problems I could, while ensuring the given queries wouldn't be executed unless they actually needed to be. It really serves no other purpose than to be a rewrite fit for debugging. But, I commented the shit out of it, so it's easier for you to see what I'm doing.

Code: Select all: <?php // ------------------------------------------------------------------------ // // name: sanitize($str) // // desc: Returns an "SQL-safe" version of the input $str. // // note: This isn't full or proper sanitization. Just something to get // by until then. You should definitely flesh it out, before you // actually use it. // // ------------------------------------------------------------------------ function sanitize($str) { return mysql_real_escape_string($str); } /////////////////////////////////////////////////////////////////////////// // === SEARCH SECTION ===================================================== /////////////////////////////////////////////////////////////////////////// // ------------------------------------------------------------------------ // // Get search parameters and results. If there are any that is. // // ------------------------------------------------------------------------ if( isset($_POST['select_term']) && ($_POST['select_term'] != null) ) { $query_string = "SELECT * FROM members WHERE EmailName = '" . sanitize($_POST['select_term']) . "'"; $result = mysql_query($query_string); if( !$result ) { die( mysql_error() ); } $row = mysql_fetch_array($result); } /////////////////////////////////////////////////////////////////////////// // === UPDATE SECTION ===================================================== /////////////////////////////////////////////////////////////////////////// // ------------------------------------------------------------------------ // // Handle user updates. // // ------------------------------------------------------------------------ $postData = array(); // rip data only from any set post variables foreach($_POST as $key => $value) { $postData[$key] = sanitize($value); } // ensure that there's something that needs updating if( $postData && !isset($_POST['select_term']) ) { // first remove $postData['Submit'] ... it's no longer needed unset( $postData['Submit'] ); // perform each update independently foreach($postData as $key => $value) { $query_string = "UPDATE members SET $key='" . $value . "' WHERE emailname='" . $postData['emailname'] . "'"; $result = mysql_query($query_string); // die on failure with some type of error if( !$result ) { die( "Received: " . mysql_error() . " while issuing $query_string" ); } // just echoing for demo purposes here echo $result . "<br />"; } } ?>

In the above, there's a matter of case sensitivity between the name used for your forms inputs, and the ones you used when making queries to the database. You can set configuration options for MySQL that will ignore case sensitivity within tables and columns names, but from a security standpoint, it's actually a smart move to have them be different here. So this can be remedied in a few ways. I like to assign the names to a hash table, and then index into it using the names from the form inputs. Like this:

Code: Select all: // example using your database names. $post_aliases = array( 'title' => 'Title', 'firstname' => 'FirstName', ... etc );

Now, to get that to function, you would change this line:

Code: Select all: $query_string = "UPDATE members SET $key='" . $value . "' WHERE emailname='" . $postData['emailname'] . "'";

To this:

Code: Select all: $query_string = "UPDATE members SET " . $post_aliases[$key] . "='" . $value . "' WHERE EmailName='" . $postData['emailname'] "'";

You'll have to ignore the word wrapping going on in that code. I ran a little long with the MySQL queries so that they would all fit on a single line. The code tags here don't seem to like it much. I feel like I'm forgetting to mention something here, but I'm drawing a blank so... Hopefully I caught the bulk of it for you with that.

OnlyHuman wrote:You're right. It's not actually sent. But the variable will exist on the server whether or not there's currently any data in it. In other words, it wouldn't have to be sent. I'm not entirely sure that's the problem though, but I think it very likely. This is what I see happening with the logic:<br><br>
<br>STEP 1 Pull all records from the table WHERE...<br><br>STEP 2 Overwrite that data with the current value of $_POST (null if nothing has been sent).<br><br>STEP 3 User (or you in this case) issues a call to UPDATE test@test.mail. Oops! Step 2 already took place, now test@test.mail is NULL too.<br>
<br>But again, I didn't fully examine the update for anything else that could be causing any other problems. Given what you mentioned however, this scenario could very well be what's taking place here. Worth a shot anyway.<br><br>-- Sat Apr 02, 2011 6:58 am --<br><br>First, if my last post seemed as if I wasn't giving this my full attention, that's simply because I wasn't. I have to admit that. I'm working on a few things at once here, so I apologize, and hope you didn't take it personally. I've got two editors open at all times, and a third whenever it's needed. So, like I said, it wasn't anything personal. With that said, here we go...<br><br>I took a shot at reworking this. And, after some playing around with it, I managed to get it all to function from the same file without the two queries interfering with one another. Stay with me here, this IS NOT a solution. Instead, it's a better place to begin debugging. Before I get to it though...<br><br>
FunctionCreep wrote:<br>
Code: Select all
<br>while($query) {<br><br>$query2 = mysql_query("UPDATE ....etc")<br><br>}<br>
<br>to prevent any $_POST from being sent prematurely by the update form. Basically i'm thinking that the problem lies within the search and that when I press search, all $_POST are submitted, and since the update form is empty at that time,it sents the empty values causing the entry in the db to be "erased" until I resubmit the new data.<br>
<br><br>I don't think I understand what you're going for there. But, if it's cleaner than what I'm about to post, or you, or somebody else, knows of a better method, then by all means use it. Also, I'm thinking the majority of the issue was where the search and UPDATE overlap within the file. So, you may very well be on the right track by assuming the search is responsible.<br><br>I guess I promised a rewrite here, so without further ado. My "fix" here, is really just me trying to track down any problems I could, while ensuring the given queries wouldn't be executed unless they actually needed to be. It really serves no other purpose than to be a rewrite fit for debugging. But, I commented the shit out of it, so it's easier for you to see what I'm doing.<br><br>
Code: Select all
<br><?php<br><br> // ------------------------------------------------------------------------<br> //<br> // name: sanitize($str)<br> //<br> // desc: Returns an "SQL-safe" version of the input $str.<br> //<br> // note: This isn't full or proper sanitization. Just something to get<br> // by until then. You should definitely flesh it out, before you<br> // actually use it.<br> //<br> // ------------------------------------------------------------------------<br><br> function sanitize($str)<br> {<br> return mysql_real_escape_string($str);<br> }<br><br> ///////////////////////////////////////////////////////////////////////////<br> // === SEARCH SECTION =====================================================<br> ///////////////////////////////////////////////////////////////////////////<br><br> // ------------------------------------------------------------------------<br> //<br> // Get search parameters and results. If there are any that is.<br> //<br> // ------------------------------------------------------------------------<br> if( isset($_POST['select_term']) && ($_POST['select_term'] != null) )<br> {<br> $query_string = "SELECT * FROM members WHERE EmailName = '" . sanitize($_POST['select_term']) . "'";<br><br> $result = mysql_query($query_string);<br><br> if( !$result )<br> {<br> die( mysql_error() );<br> }<br><br> $row = mysql_fetch_array($result);<br> }<br><br> ///////////////////////////////////////////////////////////////////////////<br> // === UPDATE SECTION =====================================================<br> ///////////////////////////////////////////////////////////////////////////<br><br> // ------------------------------------------------------------------------<br> //<br> // Handle user updates.<br> //<br> // ------------------------------------------------------------------------<br> $postData = array();<br><br> // rip data only from any set post variables<br> foreach($_POST as $key => $value)<br> {<br> $postData[$key] = sanitize($value);<br> }<br><br> // ensure that there's something that needs updating<br> if( $postData && !isset($_POST['select_term']) )<br> {<br> // first remove $postData['Submit'] ... it's no longer needed<br> unset( $postData['Submit'] );<br><br> // perform each update independently<br> foreach($postData as $key => $value)<br> {<br> $query_string = "UPDATE members SET $key='" . $value . "' WHERE emailname='" . $postData['emailname'] . "'";<br><br> $result = mysql_query($query_string);<br><br> // die on failure with some type of error<br> if( !$result )<br> {<br> die( "Received: " . mysql_error() . " while issuing $query_string" );<br> }<br><br> // just echoing for demo purposes here<br> echo $result . "<br />";<br> }<br> }<br><br>?><br>
<br>In the above, there's a matter of case sensitivity between the name used for your forms inputs, and the ones you used when making queries to the database. You can set configuration options for MySQL that will ignore case sensitivity within tables and columns names, but from a security standpoint, it's actually a smart move to have them be different here. So this can be remedied in a few ways. I like to assign the names to a hash table, and then index into it using the names from the form inputs. Like this:<br><br>
Code: Select all
<br> // example using your database names.<br> $post_aliases = array( 'title' => 'Title', 'firstname' => 'FirstName', ... etc );<br>
<br>Now, to get that to function, you would change this line:<br><br>
Code: Select all
<br> $query_string = "UPDATE members SET $key='" . $value . "' WHERE emailname='" . $postData['emailname'] . "'";<br>
<br>To this:<br><br>
Code: Select all
<br> $query_string = "UPDATE members SET " . $post_aliases[$key] . "='" . $value . "' WHERE EmailName='" . $postData['emailname'] "'";<br>
<br><br>You'll have to ignore the word wrapping going on in that code. I ran a little long with the MySQL queries so that they would all fit on a single line. The code tags here don't seem to like it much. I feel like I'm forgetting to mention something here, but I'm drawing a blank so... Hopefully I caught the bulk of it for you with that.

Wow! Well you've provided more help than anyone could ask for! Thanks alot!

what I meant with

while($query) {

$query2 = mysql_query("UPDATE ....etc")

}

is that I should be checking if $query has done it's job before $query2 performs the UPDATE, pretty much what you have extensively described and even coded up!

Your hints & tips are most valuable and certainly help so much with keeping code clean and readable.

I will be implementing the things suggested (since I believe it is the correct approach) and will make sure to let you know if it works etc as well as provided more feedback when I study up everything mentioned here.

PHP and MySQL UPDATE..

PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Re: PHP and MySQL UPDATE..

Who is online