Shawna Murat

Reputation: 69

If statement ignored in mysql/php script?

My variable sqlConditions is only supposed to append when the user inputs text for that field. I put "if(isset($_POST['example']))" to check for this, however this doesn't appear to stop each variable from appending.

For example: if the user only inserts text in the "lastname" field, the $query variable should return:

 UPDATE students SET lastname = whateveruserputin 

However, it looks like this:

 UPDATE students SET lastname = test , firstname = , major = , gpa = 

How can I fix this!? I would really like to get this code working. Thanks in advance.

Code:

//connect to server

if(isset($_POST['submit']))
{
    $id=$_POST['id'];
    $lastname=$_POST['lastname'];
    $firstname=$_POST['firstname'];
    $color=$_POST['color'];
    $number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) || empty($lastname) and empty($firstname) and empty($color) and empty($number))
    {
        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";
    }
    else // if all the fields are filled (not empty)
    {
        $sqlConditions = array();

        if(isset($_POST['lastname'])){
            $lastName = filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
            $sqlConditions[] = 'lastname = ' . $lastName;
        } else {
            $lastName = '';
        }

        if(isset($_POST['firstname'])){
            $firstName = filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
            $sqlConditions[] = 'firstname = ' . $firstName;
        } else {
            $firstName = '';
        }

        if(isset($_POST['color'])){
            $color = filter_var($_POST['color'], FILTER_SANITIZE_STRING);
            $sqlConditions[] = 'color = ' . $color;
        } else {
            $color = '';
        }

        if(isset($_POST['number'])){
            $number = filter_var($_POST['number'], FILTER_SANITIZE_STRING);
            $sqlConditions[] = 'number = ' . $number;
        } else {
            $number= '';
        }
        print $sqlConditions;

        $query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
        print $query;

        //insert data to database
        //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
        //WHERE id = '$id'");
        //if (!query)
        //{
        //die('Error: ' . mysql_error());
        //}

        // Close connection to the database
        mysql_close($con);
    }
}

Upvotes: 1

Views: 396

Answers (3)

stealthyninja

Reputation: 10371

isset isn't enough; add a !empty check as well, e.g.:

if(isset($_POST['lastname']) && !empty($_POST['lastname']))

Edit
Also, in order for the comment in your code to be a better reflection of what you want, your if statement should probably be:

//need id to be filled and need at least one other content type to change
if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number)))

Here's your code with some improvements* and amendments regarding your comment about adding quotes to the strings:

<?php

//connect to server

if(isset($_POST['submit']))
{

$id=$_POST['id'];
$lastname=$_POST['lastname'];
$firstname=$_POST['firstname'];
$color=$_POST['color'];
$number=$_POST['number'];

    //need id to be filled and need at least one other content type to change
    if(empty($id) && (empty($lastname) || empty($firstname) || empty($color) || empty($number)))
    {
        echo "<font color='red'>Invalid Submission. You did not enter an ID or did not input an additional form element.  </font><br/>";
    }
    else // if all the fields are filled (not empty)
    {   
        $sqlConditions = array();

        if(isset($lastname) && !empty($lastname)){
            $lastName = filter_var($lastname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "lastname = '" . $lastName . "'";
        } 
        else 
        {
            $lastName = '';
        }

        if(isset($firstname))
        {
            $firstName = filter_var($firstname, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "firstname = '" . $firstName . "'";
        } 
        else 
        {
            $firstName = '';
        }

        if(isset($color) && !empty($color))
        {
            $color = filter_var($color, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "color = '" . $color . "'";
        } 
        else 
        {
            $color = '';
        }

        if(isset($number))
        {
            $number = filter_var($number, FILTER_SANITIZE_STRING);
            $sqlConditions[] = "number = '" . $number . "'";
        } 
        else 
        {
            $number= '';
        }
        print $sqlConditions;

        $query = 'UPDATE students SET ' . join (' , ', $sqlConditions);
        print $query;

        //insert data to database     
        //$query = mysql_query("UPDATE students SET lastname = '$lastname', firstname = '$firstname', color = '$color', number = '$number'
        //WHERE id = '$id'");
        //if (!query)
        //{
        //die('Error: ' . mysql_error());
        //}

        // Close connection to the database
        mysql_close($con);
    }
}

*Since you already define all your $_POST items to variables, there's no need to keep going back into the collection.

Upvotes: 4

Igor Parra

Reputation: 10348

I suggest you use these coding practices:

$lastName = mysql_real_escape_string($lastName);
$sqlConditions[] = "lastname = '$lastName'";

This will resolve your problem even if the variables are empty... and make your code a little more secure against SQL injection attacks (highly recommended!!!)

Upvotes: 1

user847988

Reputation: 984

In the else fragment you are only checking if the variable is set, but the variable may be set and still be empty.

isset() checks if a variable has a value, including false, 0, or an empty string, but not NULL.

The empty() function checks if the variable has an empty value: empty string, 0, NULL, or false.

Example:

<?php
$var = 0;

if (empty($var)) {
    echo 'it is empty since it has value 0 ';
}
if (isset($var)) {
    echo '$var is set though it is empty';
}
?>

Upvotes: 0
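
The two points raised in the answers above (a blank form field is set but empty, and values concatenated into the statement are exposed to SQL injection), combined in an added example that is not code from any poster on this page. It builds the UPDATE from only the filled-in fields, takes column names from a fixed allow-list, binds values as PDO parameters and always carries the WHERE id clause; buildStudentUpdate() and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// question; buildStudentUpdate() and the SQLite demo database are assumptions.
const UPDATABLE = ['lastname', 'firstname', 'color', 'number']; // column allow-list

function buildStudentUpdate(array $post): array
{
    $id = $post['id'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        throw new InvalidArgumentException('id is required and must be numeric');
    }
    $set = [];
    $params = [':id' => (int) $id];
    foreach (UPDATABLE as $col) {
        $value = $post[$col] ?? '';
        // A submitted-but-blank field is isset() yet ''. Compare against ''
        // instead of using empty(), which would also drop a legitimate "0".
        if (!is_string($value) || trim($value) === '') {
            continue;
        }
        $set[] = "$col = :$col";          // only allow-listed names reach the SQL text
        $params[":$col"] = trim($value);  // values travel as bound parameters
    }
    if ($set === []) {
        throw new InvalidArgumentException('no field to update');
    }
    return ['UPDATE students SET ' . implode(', ', $set) . ' WHERE id = :id', $params];
}

// Constructed demo data: in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE students (id INTEGER PRIMARY KEY, lastname TEXT,
            firstname TEXT, color TEXT, number TEXT)');
$pdo->exec("INSERT INTO students VALUES (1, 'Old', 'Ann', 'red', '7'),
            (2, 'Other', 'Bob', 'blue', '9')");

// Constructed form input: only lastname is filled in, and it contains a quote.
$post = ['submit' => '1', 'id' => '1', 'lastname' => "O'Brien",
         'firstname' => '', 'color' => '', 'number' => ''];

[$sql, $params] = buildStudentUpdate($post);
echo $sql, PHP_EOL;
$pdo->prepare($sql)->execute($params);

foreach ($pdo->query('SELECT id, lastname, firstname FROM students') as $row) {
    echo "{$row['id']} {$row['lastname']} {$row['firstname']}", PHP_EOL;
}
```

With the constructed input, only lastname appears in the SET clause and only the row with id 1 changes; the quote in the value is stored as data rather than ending the string literal.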
