My php form works only partially and I dont know why

Question

I have two froms on my page. With one I update or edit the data in first sql table. With second I can ad and delete the data in second sql table. Certain action is taken regarding the "ID" value.

This is my form:

And this is my php code:

$db_name = 'DATABASE_NAME';
$db_host = 'localhost';
$db_user = 'DATABASE_USER';
$db_pass = 'PASSWORD';


$conn = mysql_connect($db_host,$db_user,$db_pass);
mysql_select_db($db_name);

mysql_query("SET CHARSET utf8");
mysql_query("SET NAMES `utf8` COLLATE `utf8_polish_ci`");   

if(isset($_POST['form1submit']))
{
    $raport_id = $_POST['input_id'];
    $raport_date = $_POST['input_date'];
    $raport_poczatkowy = $_POST['input_poczatkowy'];
    $raport_gotowka = $_POST['input_gotowka'];
    $raport_karta = $_POST['input_karta'];
    $raport_pobrano = $_POST['input_pobrano'];
    $raport_kto = $_POST['input_kto'];


   if($raport_id=='null'){
       $sql = "INSERT INTO `raporty`(`id`, `data`, `stan_poczatkowy`, `platnosci_gotowka`, `platnosci_karta`, `pobrano`,`kto_pobral`, `komentarz`)
           VALUES('".NULL."','".$raport_date."','".$raport_poczatkowy."','".$raport_gotowka."','".$raport_karta."','".$raport_pobrano."','".$raport_kto."','".NULL."')";
    }else{
        $sql = "UPDATE `raporty` SET  
            `data`='".$raport_date."', 
            `stan_poczatkowy`='".$raport_poczatkowy."', 
            `platnosci_gotowka`='".$raport_karta."', 
            `platnosci_karta`='".$raport_gotowka."', 
            `pobrano`='".$raport_pobrano."',
            `kto_pobral`='".$raport_kto."',
            `komentarz`='".NULL."'
             WHERE `raporty`.`id`='".$raport_id."'";
    }
    $retval = mysql_query($conn,$sql);
    header("Location: http:page");
    exit;               
}

if(isset($_POST['form2submit']))
{
    $wydatek_id = $_POST['wydatek_id'];
    $wydatek_date = $_POST['wydatek_date'];
    $wydatek_kwota = $_POST['wydatek_kwota'];
    $wydatek_rodzaj = $_POST['wydatek_rodzaj'];
    $wydatek_opis = $_POST['wydatek_opis'];

    if($wydatek_id=='null'){
        $sql = "INSERT INTO `wydatki` (`id` ,`data` ,rodzaj` ,`kwota` ,`kategoria` ,`opis`) VALUES ('".NULL."','".$wydatek_date."','wydatek','".$wydatek_kwota."','".$wydatek_rodzaj."','".$wydatek_opis."')";      
    }else{
        $sql = "DELETE FROM `wydatki` WHERE `wydatki`.`id` = '".$wydatek_id."'";
    }
    $retval = mysql_query( $sql, $conn );
    header("Location: http:page");
    exit;        
}

The fun fact is that only thing that work is the DELETE FROM enquiry for wydatki table. The rest just dont work, and I have no idea why. And, they worked BEFORE I added the second form.

Thank you for all the help.

Bad Wolf · Accepted Answer

Your parameters are backwards in the first call to mysql_query().

mysql_query($conn,$sql);

Should be:

mysql_query($sql,$conn);

That being said, the mysql_* family of functions has been deprecated and should not be used in new code. Instead they have been replaced with mysqli_* and PDO with prepared statements.

It is also worth noting that your form is completely vulnerable to MySQL injection exploits from your lack of any escaping of your database inputs. This is the precise reason why prepared statements exist in mysqli and PDO and why you should be using them. As it stands now anybody could erase your entire database by running their own SQL code through your form.

My php form works only partially and I dont know why

Answers (1)

Related Questions