0

I can't figure out why my values aren't being passed from the form. I can't spot an error.

The Form Code:

$table = $_POST['table'];
$id = $_POST['id'];
$count = 0;
$query = "SELECT * FROM `" . $table . "` WHERE id = " . $id;
$result1 = mysqli_query($link, $query);
echo '<center><table style="text-align:center">';
echo '<form action="edit-process.php" method="post">';
while($row = mysqli_fetch_assoc($result1)){
    foreach($row as $key => $val){
        if ($count > 0){
            echo "<tr>";
            echo "<td>" . $key . "</td>";
            echo '<td><input type="text" name="' . $key . '" value="' . $val . '"></td>';
            echo "</tr>";
            $count++;
        }
        else $count++;
    }
}
echo '<input type="hidden" name="table" value="' . $table . '" />';
echo '<input type="hidden" name="id" value="' . $id . '" />';
echo '<tr><td><input type="submit" value="Save Changes" /></td></tr>';
echo "</form>";
echo "</table>";

The php file:

$table = $_POST['table'];
$id = $_POST['id'];
$count1 = 0;
$count2 = 0;

$result = mysqli_query($link, "SHOW COLUMNS FROM `" . $table . "`");
if (mysqli_num_rows($result) > 0) {
    while ($row = mysqli_fetch_assoc($result)) {
        $keyNames[$count2] = $row['Field'];
        $count2++;
    }
}

while ($count1 < $count2){
    if ($count1 > 0) {
        $value = mysqli_real_escape_string($_POST[$keyNames[$count1]]);
        $query2 = "UPDATE `" . $table . "` SET `" . $keyNames[$count1] . "` = '" . $value . "' WHERE id = " . $id;
        echo $query2 . "<br>";
        $result2 = mysqli_query($link, $query2);
        $count1++;
    }
    else $count1++;
}

I am avoiding displaying the id column with all the counts. The output of the echo-ed queries are:

Any ideas?

EDIT I'll take care of changing everything over to procedural style once I figure out this issue. If I get rid of the mysqli_real_escape_string, it passes all the data except those columns with spaces in them. I thought that's what backticks were for? Is there something else I can do to make the columns with two words pass data like those with one word?

PBwebD
  • Where do you expect $value to come from? Maybe $_POST['value']? And please read about escaping data before placing it into database queries – johannes Mar 09 '13 at 00:23
  • Do a var_dump($_POST); then perhaps you can debug what is being sent to the page – craig1231 Mar 09 '13 at 00:27
  • I thought escaping the data was what I was doing. The value is coming from the escaped, posted data from the form. – PBwebD Mar 09 '13 at 00:31
  • On a side note, this code is extremely unsecure: the user has access to the `table` & `id` via your `input`s and could make your code update pretty much anything in your database. – 1ace Mar 09 '13 at 00:34

1 Answer

4

You need to switch these rows -

echo '<center><table style="text-align:center">';
echo '<form action="edit-process.php" method="post">';
....
echo "</form>";
echo "</table>";

to

echo '<form action="edit-process.php" method="post">';
echo '<center><table style="text-align:center">';
....
echo "</table>";
echo "</form>";

Having the <form> inside the <table> is invalid code. It either needs to wrap the <table> or be inside <td></td>.

see also -
form inside table
Form inside a table


Update #1-
On your Edit
Spaces in <input name=""> will be replaced with _ so your $_POST[] name will not match your <input name="">. from the manual - http://www.php.net/manual/en/language.variables.external.php

Note:
Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].

see also -
Can <input> elements have capital letters and spaces in PHP

Sean
  • that doesn't seem to have any effect on it. – PBwebD Mar 09 '13 at 00:30
  • see my update about spaces in `` names. PHP will add an underscore `_` in place of the space, so `` will become `$_POST['first_name']` in php. – Sean Mar 09 '13 at 01:01
  • It would be easier to change your mysql columns to have underscores in place of spaces. – Sean Mar 09 '13 at 01:16
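
A hardened take on edit-process.php that combines the two points raised in this thread, the underscore rewriting of field names and the user-controlled `table` and `id`; this is an added example, not code from the question or the answer. It assumes `$link` is the existing mysqli connection, and `$allowedTables` (with its table names) and `postKeyFor()` are hypothetical names introduced here.

```php
<?php
// Added example. $link is assumed to be the mysqli connection from the page's code;
// $allowedTables and postKeyFor() are hypothetical names introduced for this example.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$allowedTables = ['customers', 'orders'];   // constructed sample table names

// PHP rewrites spaces and dots in incoming field names to underscores,
// so a column called "first name" arrives as $_POST['first_name'].
function postKeyFor(string $column): string
{
    return str_replace([' ', '.'], '_', $column);
}

$table = $_POST['table'] ?? '';
$id    = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);

// Reject any table that is not on the allowlist and any non-integer id.
if (!in_array($table, $allowedTables, true) || $id === false || $id === null) {
    http_response_code(400);
    exit('Invalid table or id');
}

// $table now equals one of our own literals, so it is safe inside backticks.
$assignments = [];
$values      = [];
$columns     = mysqli_query($link, "SHOW COLUMNS FROM `$table`");
while ($col = mysqli_fetch_assoc($columns)) {
    $name = $col['Field'];
    $key  = postKeyFor($name);
    if ($name === 'id' || !isset($_POST[$key]) || !is_string($_POST[$key])) {
        continue;   // never update the key column; skip fields that were not submitted
    }
    // Column names come from the database, not the request; double any backtick.
    $assignments[] = '`' . str_replace('`', '``', $name) . '` = ?';
    $values[]      = $_POST[$key];
}

if ($assignments) {
    // One UPDATE for the whole row; submitted values travel as bound parameters.
    $sql      = "UPDATE `$table` SET " . implode(', ', $assignments) . ' WHERE id = ?';
    $stmt     = mysqli_prepare($link, $sql);
    $values[] = $id;
    $types    = str_repeat('s', count($values) - 1) . 'i';
    mysqli_stmt_bind_param($stmt, $types, ...$values);
    mysqli_stmt_execute($stmt);
}
```

On the form side, pass `$key` and `$val` through `htmlspecialchars()` before echoing them into the `name` and `value` attributes.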