Soroosh Noorzad

Reputation: 468

Update database data with submit button

I want to update a database so that when you put your text in a text box and click the submit button, the data will be sent to the database with a specific id. It is clear what I want to do in the code below. When I write something like this and run it, I receive a 403 error: Access forbidden. How can I fix this?

<?php
   function updater($value,$id){
// Create a connection
   $conn = new mysqli( 'localhost' , 'user_name' , '' , 'data_base_name' );
// Check the connection
   if ($conn->connect_error) {
       die("Connection failed: " . $conn->connect_error);
   }
   $sql = "UPDATE table_name SET name=$value WHERE id=$id";
   if ($conn->query($sql) === TRUE) {
       echo "Record updated successfully";
   } else {
       echo "Error updating record: " . $conn->error;
   }
//$conn->close();
}
?>

<!DOCTYPE html>
<html>
<head>
</head>
<body>
    <form action="<?php updater($_POST['name'],1); ?>" method="post" style="height:50px;width:50px;">
        <input type="text" name="name" /><br><br>
        <input type="submit" /><br/>
    </form>
</body>
</html>

Upvotes: 9

Views: 36449

Answers (2)

Kevin

Reputation: 41885

You need to put the URL inside the action attribute that does the form processing, not the function:

action="<?php updater($_POST['name'],1); ?>"  // not this
action="" // empty for the same page

Also, usually the edited value fills the input and the record's id is added to the form in a hidden field. If processing is on the same page, best to leave the action empty. So a basic form could be like this:

<form action="" method="post">
    <input type="text" name="name"  value="<?=htmlspecialchars($row['name']) ?>"/><br>
    <input type="hidden" name="id" value="<?=htmlspecialchars($row['id']) ?>"/>
    <input type="submit" /><br/>
</form>

Above the form, the processing has to be added:

if($_SERVER['REQUEST_METHOD'] === 'POST') {
    $conn = new mysqli( 'localhost' , 'user_name' , '' , 'data_base_name' );
    updater($conn, $_POST['name'], $_POST['id']);
}

Besides, you must use safer prepared queries:

function updater($mysqli, $value, $id) {
    $sql = "UPDATE table_name SET name = ? WHERE id= ?";
    $update = $mysqli->prepare($sql);
    $update->bind_param('si', $value, $id);
    $update->execute();
    return $update->affected_rows;
}

Upvotes: 6
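
Added example (not part of either answer or the original post): the same-page handler and the prepared-statement `updater()` from the answer above combined into one file, with the submitted id validated as an integer and database errors kept out of the response. The table layout, the 100-byte name limit and the status messages are assumptions.

```php
<?php
// Added example, not code from the answers on this page.
// Assumptions: table_name(id INT PRIMARY KEY, name VARCHAR(100)), the placeholder
// credentials used on this page, and a hypothetical 100-byte limit on name.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw mysqli_sql_exception

function updater(mysqli $mysqli, string $value, int $id): int {
    // Placeholders keep the submitted text out of the SQL grammar entirely.
    $update = $mysqli->prepare('UPDATE table_name SET name = ? WHERE id = ?');
    $update->bind_param('si', $value, $id);
    $update->execute();
    return $update->affected_rows;
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // The hidden id field is client-controlled: accept only a positive integer.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    $name = trim((string) filter_input(INPUT_POST, 'name', FILTER_UNSAFE_RAW));
    if ($id === null || $id === false) {
        $message = 'Invalid record id.';
    } elseif ($name === '' || strlen($name) > 100) {
        $message = 'Name must be 1 to 100 bytes.';
    } else {
        try {
            $conn = new mysqli('localhost', 'user_name', '', 'data_base_name');
            $conn->set_charset('utf8mb4');
            $rows = updater($conn, $name, $id);
            $message = $rows === 1 ? 'Record updated.' : 'No record changed.';
        } catch (mysqli_sql_exception $e) {
            error_log($e->getMessage());   // details go to the server log
            $message = 'Update failed.';   // not to the browser
        }
    }
}
?>
<!DOCTYPE html>
<html>
<body>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<form action="" method="post">
    <input type="text" name="name" maxlength="100" /><br>
    <input type="hidden" name="id" value="1" />
    <input type="submit" />
</form>
</body>
</html>
```

Integer validation only confirms the id is well formed; in a multi-user application the handler would also have to confirm that the current user is allowed to edit that record.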

Max D

Reputation: 815

Like this:

<?php
function updater($value,$id){
    // Create connection
    $conn = new mysqli( 'localhost' , 'user_name' , 'pass' ,'data_base_name' );
    // Check connection before using it
    if ($conn->connect_error) {
        die("Connection failed: " . $conn->connect_error);
    }
    // Escape both values for use inside the quoted SQL literals below
    $value = mysqli_real_escape_string($conn, $value);
    $id = mysqli_real_escape_string($conn, $id);
    $sql = "UPDATE table_name SET name='{$value}' WHERE id='{$id}'";
    if ($conn->query($sql) === TRUE) {
        echo "Record updated successfully";
    } else {
        echo "Error updating record: " . $conn->error;
    }
    $conn->close();
}   

if(isset($_POST['name'])){
    updater($_POST['name'],$_POST['id']);
}
?>

<!DOCTYPE html>
<html>
<head>
</head>
<body>
<form action="" method="post" style="height:50px;width:50px;">
    <input type="hidden" name="id" value="1" />           
    <input type="text" name="name" /><br><br>
    <input type="submit" /><br/>
</form>
</body>
</html>

Upvotes: 0
