Setting value in mysql table using html button

Question

I got a table with dynamic data with 5 td-s. First one is for the ID, second one for date, third for the name of the author, fourth for some properties and in the last one i got two buttons. I want them to change the value of the $status in applications table. For that I made 2 php files in which I added the mysql update function for each of the buttons. But I don't know why when I press the buttons it does everything in the php except it doesn't change the value of $status. Please let me know where I am wrong and how can I make it work. Thanks in advance.

The html code of the buttons (the last td):

<form action="status1.php">
<input type="submit" name="approve" value=" + ">
</form>
<form action="status2.php">
<input type="submit" name="refuse" value=" - ">
</form>

The PHP code for the buttons - status1.php (status2.php is the same but it changes the $status value to 2 instead of 1)

<?php
    require_once('config.php');
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    mysql_query('set names windows-1251', $link);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }
    $id=$_GET['id'];
    $qry="UPDATE applications SET status=1 WHERE id='$id'";
    $result = mysql_query($qry);
        if($result) {
            header("location: applications.php");
            exit();
        }
        else {
            die("Query failed");
        }
?>

Answer 1

Well, are you getting any errors? Comment out the header("location: applications.php"); line so you will see if it throws any. Also try adding something like echo $qry so you can visually verify that the query is correct.

Also, you should read up on SQL injection and how to protect against it. Directly sticking user input into the query like that can open the door to nastiness. Also, you aren't checking user input for apostrophes which can break your query. I personally use PDO, which makes it a lot easier and a bit safer.

Another suggestion, rather than having to maintain two separate submission PHP files, just put your two submit buttons like this:

<input type="submit" name="status" value=" + ">
<input type="submit" name="status" value=" - ">

Then change the form action to the name of the consolidated php file and in that file, just evaluate the value of the status like:

$status = 0;
if ($_GET["status" == " + ") $status = 1;

If you install PDO, you'd do the meat of the DB update like this:

$pdo = new PDO("mysql:host=" . DB_HOST . ";dbname=" . DB_DATABASE, DB_USER, DB_PASSWORD);
$sql = $pdo->prepare("UPDATE applications SET status=? WHERE id=?");
$sql->execute(array($status, $_GET["id"]));

..which would be a little safer than what you're doing now.

Disclaimer: I'm just a hobbyist PHP programmer, so there may be better ways than I've mentioned :)

Answer 2

use this instead of ur form tag for form 1

<from method="get" action="status1.php">

<input type="hidden" name="id" value="1"/>

<input type="submit" name="approve" value=" + "/>

</form>

for form2

<from method="get" action="status2.php">

<input type="hidden" name="id" value="2"/>

<input type="submit" name="refuse" value=" - "/>

</form>

Answer 3

You are using $_GET['id'] as identifier, but as far as I can see in the code, you are not actually sending any GET information apart from the submit button itself. So your query is currently actually updating the row WHERE id=''. That's why you don't get errors, but you don't get your desired result either.

Change the action parameter of your form to status1.php?id=$id, or add something like <input type="hidden" name="id" value="$id"/> inside the form.