Radek Anuszewski

Reputation: 1910

Cannot send hidden input in $_POST PHP

I have a table with users; when I click an icon it redirects me to '/edit.php', where I have a form:

<form action="form.php" class="form-horizontal col-xs-3" method="post">
        <p>Imię <input type="text" name="name" value='<?php echo $user["name"];?>' class="form-control input-sm"/></p>
        <p> Nazwisko <input type="text" name="surname" value='<?php echo $user["surname"];?>' class="form-control input-sm"/></p>
        <p> Wiek <input type="number" name="age" value='<?php echo $user["age"];?>' class="form-control input-sm"/></p>
        <input type="hidden" name="update" value="true"/>
        <input type="hidden" name="userId" value='<?php echo $user["id"]; }?>'/>
...

The hidden input called "update" is used in the 'form.php' file to detect whether the request came from the new or the edit page:

if (isset($_POST["update"])){
...

And that is OK, it works. But I have a function update() which builds the updateQuery string:

function update($tableName, $name, $surname, $age, $departmentId, $userId){
        $updateQuery =  "UPDATE "
        .$tableName
        ." SET "
        ."name=".$name.", "."surname=".$surname.", "."age=".$age.","."department_id=".$departmentId.")"
        ." WHERE id=".$userId;
        echo $updateQuery;
        return $updateQuery;
    }

And I got an error:

Warning: Missing argument 6 for update(), called in C:\Users\Abc\Documents\NetBeansProjects\PhpProject1\form.php on line 107 and defined in C:\Users\Abc\Documents\NetBeansProjects\PhpProject1\form.php on line 48

And it seems like I can't get the "userId" variable this way: (int)htmlspecialchars($_POST["userId"])

But the very interesting thing is that when I use it in 'echo' it works, for example:

echo (int)htmlspecialchars($_POST["userId"])." is ID";

This is how I call the update() method:

if (isset($_POST["update"])){
                echo (int)htmlspecialchars($_POST["userId"])." is ID";
                $pdo->query(update("users", $pdo->quote(htmlspecialchars($_POST["name"])), 
                    $pdo->quote(htmlspecialchars($_POST["surname"])),
                    (int)htmlspecialchars($_POST["age"]), (int)htmlspecialchars($departmentRealId)),
                    (int)htmlspecialchars($_POST["userId"]));

            }

And this is the update() method code, which should build the update query:

function update($tableName, $name, $surname, $age, $departmentId, $userId){
        $updateQuery =  "UPDATE "
        .$tableName
        ." SET "
        ."name=".$name.", "."surname=".$surname.", "."age=".$age.","."department_id=".$departmentId.")"
        ." WHERE id=".$userId;
        echo $updateQuery;
        return $updateQuery;
    }

And this is a sample updateQuery created by the update() method: UPDATE users SET name='matt', surname='damon', age=56,department_id=2) WHERE id=

Unfortunately, I don't know why the $userId parameter is not present. As you can see in the code above, in the line echo (int)htmlspecialchars($_POST["userId"])." is ID"; and in the update() call (int)htmlspecialchars($_POST["age"]), (int)htmlspecialchars($departmentRealId)), (int)htmlspecialchars($_POST["userId"])); I do it in the same way. At least I don't see any difference that could cause the parameter to be missing. I will be very happy if anybody helps me. Thank you in advance.

Upvotes: 0

Views: 1544

Answers (2)

Felipe M

Reputation: 459

Friend!

There are some problems with the code.
First:

<input type="hidden" name="userId" value='<?php echo $user["id"]; }?>'/>

You should remove the "}" from that!

So it will be:

<input type="hidden" name="userId" value="<?php echo $user["id"]; ?>"/>


Second, your function doesn't have quotes. Change to:

function update($tableName, $name, $surname, $age, $departmentId, $userId){
        $updateQuery =  "UPDATE "
        .$tableName
        ." SET "
        ."name='".$name."', "."surname='".$surname."', "."age=".$age.","."department_id=".$departmentId
        ." WHERE id=".$userId;
        echo $updateQuery;
        return $updateQuery;
    }

I mean:

"name='".$name."'

Every column text should have quotes, instead of:

Update (...) Set Name=Felipe

You should do:

Update (...) Set Name='Felipe'

Upvotes: 1

Dave Chen

Reputation: 10975

This is where bracket highlighting will come in handy; check out the line where you call update:

Notice how the update function does not include your (int)htmlspecialchars($_POST['userId']).

Instead, you should use:

$pdo->query(update("users",
    $pdo->quote(htmlspecialchars($_POST["name"])), 
    $pdo->quote(htmlspecialchars($_POST["surname"])),
    (int)htmlspecialchars($_POST["age"]),
    (int)htmlspecialchars($departmentRealId),
    (int)htmlspecialchars($_POST["userId"])
));

Upvotes: 1
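
An added example, not part of the question or of either answer: the same UPDATE issued through a PDO prepared statement, so the values are bound as parameters instead of being concatenated into the SQL string, and htmlspecialchars() is left for output time. The names `updateUser` and `ALLOWED_TABLES`, the in-memory SQLite database and the sample `$post` array are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Table names cannot be bound as parameters, so restrict them to an allowlist (hypothetical).
const ALLOWED_TABLES = ['users'];

/**
 * Hypothetical replacement for update(): values travel as bound parameters,
 * so no quote() calls or hand-written quotes are needed. Returns rows changed.
 */
function updateUser(PDO $pdo, string $table, array $post, int $departmentId): int
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException("Unexpected table: $table");
    }
    // Validate the numeric fields instead of casting whatever arrived.
    $age    = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    $userId = filter_var($post['userId'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($age === false || $userId === false) {
        throw new InvalidArgumentException('age and userId must be integers');
    }
    $stmt = $pdo->prepare(
        "UPDATE $table SET name = :name, surname = :surname, age = :age,
                department_id = :dept WHERE id = :id"
    );
    $stmt->execute([
        ':name'    => (string)($post['name'] ?? ''),
        ':surname' => (string)($post['surname'] ?? ''),
        ':age'     => $age,
        ':dept'    => $departmentId,
        ':id'      => $userId,
    ]);
    return $stmt->rowCount();
}

// Constructed demo: in-memory SQLite (needs pdo_sqlite) and a constructed $_POST-like array.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, surname TEXT,
            age INTEGER, department_id INTEGER)');
$pdo->exec("INSERT INTO users VALUES (1, 'matt', 'damon', 56, 2)");

$post = ['name' => "O'Brien", 'surname' => 'x', 'age' => '41', 'userId' => '1', 'update' => 'true'];
$changed = updateUser($pdo, 'users', $post, 2);
$row = $pdo->query('SELECT name, age FROM users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "rows changed: $changed, name stored: {$row['name']}\n";
// htmlspecialchars() belongs at output time, e.g. when echoing $row['name'] back into the form.
```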
