Currently doing the address part in e-commerce website application. The address needs to be edited. I have included the SQL query and PHP code well, but still can't run. There is no error message prompt. Below is my part of the code:
As there are multiple addresses, each address has an edit and delete button. The edit button will do the editing work based on the address-id passed inside.
<?php
while($row = mysqli_fetch_array($address_result_query)) {
$address_id=$row['address_id'];
$_SESSION['address_id'] = $address_id;
echo "<td>
<a class='editbutton' href='editaddress.php?
address_id=".$address_id."'>Edit</a>
</td>";
?>
On the edit page, it will show the address data currently, and allow the user to modify it inside the text box. Below is the code to get the user data.
<form name="update_" method="post" action="editaddress.php" >
<?php
$address_id = $_SESSION['address_id'];
$result2 = mysqli_query($mysqli, "SELECT * FROM user_address WHERE address_id='$address_id'");
$row2=mysqli_fetch_assoc($result2);
if(isset($row2['address'])!=null){
$address = $row2['address'];
$state = $row2['state'];
$city = $row2['city'];
$postcode = $row2['postcode'];
$address_name = $row2['address_name'];
$address_phone = $row2['address_phone'];
}
?>
Code to show the data:
<div >
<p>Edit Address</p>
<br>
</div>
<label>Recipient Name:</label>
<br>
<input type="text" size="50" name="address_name" value="<?php echo $address_name;?>">
<br><br>
<label>Recipient Phone:</label>
<br>
<input type="text" size="50" name="address_phone" value="<?php echo $address_phone;?>">
<br><br>
<label>Recipient address:</label>
<br>
<input type="text" size="50" name="address" value="<?php echo $address;?>">
<br><br>
<input type="text" size="50" name="state" value="<?php echo $state;?>">
<br><br>
<input type="text" size="50" name="city" value="<?php echo $city;?>">
<br><br>
<input type="text" size="50" name="postcode" value="<?php echo $postcode;?>">
<br><br>
<input type="button" onclick="location.href='index.php';" name="add_address" value="Cancel" >
<input type="submit" name="update_address" value="Update">
</form>
When user click on the update address, below PHP will run, but it's not. The code are inside the edit page, same location with above
if(isset($_POST['update_address']))
{
if(isset($_POST['address'])){
$address = $_POST['address'];
}else echo"address not get";
$address_id = $_POST['address_id'];
$state = $_POST['state'];
$city = $_POST['city'];
$postcode = $_POST['postcode'];
$address_name = $_POST['address_name'];
$address_phone = $_POST['address_phone'];
$myquery = "UPDATE user_address SET
address='$address',
state='$state',
city='$city',
postcode='$postcode',
address_name='$address_name',
address_phone='$address_phone'
WHERE address_id='$address_id'";
$result = mysqli_query($mysqli,$myquery)or die(mysqli_error($mysqli));
header("Location: ../profile/index.php");
}
?>
CodePudding user response:
The issue is that you are trying to set the address_id with a Post variable that is not submitted with the form. So when the query is being constructed the id is not being specified and it fails.
eg.
UPDATE user_address
SET address='123 Test Road',
state='Test',
city='Test City',
postcode='1234',
address_name='John',
address_phone='123456789'
WHERE address_id='' -- See no ID
It's best practice to use prepared statements. You can read more about them here: https://www.w3schools.com/php/php_mysql_prepared_statements.asp
I'll help you out by showing you how you would do this in your code. Below is code that shows how to fix the problem and resolve sql injection issues:
First update your select statement to use a prepared statement like this:
<?php
$address_id = $_SESSION['address_id'];
//Prepare the query
$stmt = $mysqli->prepare("SELECT * FROM user_address WHERE address_id = ?");
//bind the parameters
$stmt->bind_param("i",$address_id); //the i is for integer
//execute the query
$stmt->execute();
$result = $stmt->get_result();
while($row2 = $result->fetch_assoc()) {
$address = $row2['address'];
$state = $row2['state'];
$city = $row2['city'];
$postcode = $row2['postcode'];
$address_name = $row2['address_name'];
$address_phone = $row2['address_phone'];
}
$stmt->close();
?>
Then fix the initial problem by using the $_SESSION['address_id'] instead of $_POST['address_id'] and convert your update statement toa prepared statement:
<?php
if(isset($_POST['update_address']))
{
if(isset($_POST['address'])){
$address = $_POST['address'];
}else echo"address not get";
//$address_id = $_POST['address_id']; // <----- This is the problem line
//update your code so the above line is like this:
$address_id = $_SESSION['address_id'];
$state = $_POST['state'];
$city = $_POST['city'];
$postcode = $_POST['postcode'];
$address_name = $_POST['address_name'];
$address_phone = $_POST['address_phone'];
$myquery = "UPDATE user_address SET
address= ?,
state= ?,
city= ?,
postcode=?,
address_name=?,
address_phone=?
WHERE address_id=?";
//Prepare the query
$stmt = $mysqli->prepare( $myquery );
//bind the parameters
$stmt->bind_param("ssssssi", $address, $state, $city,$postcode, $address_name,$address_phone, $address_id); // s means string & i means int
//execute the query
$stmt->execute();
$stmt->close();
header("Location: ../profile/index.php");
}
?>
Another good read is this website here:
https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
CodePudding user response:
Looks like your missing sending the $address_id back with the form, $address_id = $_POST['address_id'];
you make ref to $_SESSION['address_id']?
if(isset($_POST['update_address']))
{
if(isset($_POST['address'])){
$address = $_POST['address'];
}else echo"address not get";
$address_id = $_POST['address_id'] ?? $_SESSION['address_id'];
$state = $_POST['state'];
$city = $_POST['city'];
$postcode = $_POST['postcode'];
$address_name = $_POST['address_name'];
$address_phone = $_POST['address_phone'];
$myquery = "UPDATE user_address SET
address='$address',
state='$state',
city='$city',
postcode='$postcode',
address_name='$address_name',
address_phone='$address_phone'
WHERE address_id='$address_id'";
$result = mysqli_query($mysqli,$myquery)or die(mysqli_error($mysqli));
header("Location: ../profile/index.php");
}
?>