
When you click submit, the selection made goes to the database, to the row of the logged-in user. I'm having trouble: the selection doesn't update in the DB. I'm not getting any errors, so I'm having trouble figuring out what the problem is.

 <?php include('connect.php');?>
 <?php include('functions.php');?>
 <?php include('titlebar.php');?>

 <form action="login_success.php" method="POST">
 <?php
 // Inserts pick selection into DB in row of session user
if(isset($_POST['submitbtn'])) {
$selection = $_POST['selection']; 
$pick = $mysqli->query("INSERT INTO users selection VALUE $selection WHERE id='$my_id'");
echo '<p>You have made a selection!</p>';

}   
?>


    <select id="tm1" name="selection"> 
<?php

    $tt = date("h"); // hours 1-12
    $current = date("l jS \of F Y h:i:s A"); // Current date/time
    $sundayaftr = strtotime("3:00pm Sunday"); //  Sunday MID-afternoon game time 
    $sundaymorn = strtotime("12:00pm Sunday"); // Sunday afternoon game time
    $thurs = strtotime("7:00pm Thursday"); // Thursday night game time
    $mon = strtotime("7:00pm Monday"); // Monday night game time
    $start = strtotime("6:00am Wednesday"); // Wednesday morning Picks open
    $close = strtotime("8:00pm Sunday"); // Sunday night game time

    if ($current > $thurs) { $dis = ' disabled'; } else { $dis = ''; }
    echo '<option value="wr"'.$dis.'>Washington Redskins</option>';
    if (($current >= $thurs) && ($current < $start)) { $dis = ' disabled'; } else { $dis = ''; }
    echo '<option value="nyg"'.$dis.'>New York Giants</option>';

?>
    </select>
    <br>
    <input type="submit" value="submit" name="submitbtn" id = "submitbtn">
</form>

Here is the functions.php page that creates the session for the logged-in user.

 <?php

 session_start();
 function loggedin(){
if(isset($_SESSION['user_id']) && !empty($_SESSION['user_id'])){
    return true;
} else {
    return false;
}
}

if(loggedin()) {
$my_id = $_SESSION['user_id'];
$user_query = $mysqli->query("SELECT username, Fname, password, user_level, type FROM users WHERE id='$my_id'");
$run_user = mysqli_fetch_array($user_query);
$username = $run_user['username'];
$Fname = $run_user['Fname'];
$password = $run_user['password'];
$user_level = $run_user['user_level'];
$user_type = $run_user['type'];
$query_level = $mysqli->query("SELECT name FROM user_level WHERE id='$user_level'");
$run_level = mysqli_fetch_array($query_level);
$level_name = $run_level['name'];
}

 ?>
Brian

1 Answer

You should use UPDATE instead of INSERT because you are changing a value WHERE id='$my_id' and you are not adding something to the database for the first time like registering a new user.

1) UPDATE works like:

"UPDATE `users` SET `selection` = '$selection' WHERE `id` = '$my_id'"

IMPORTANT: as you can read in the first comment, your script is at risk of SQL injection attacks. You are updating the database with the original selection value. You should first pass this value through mysqli_real_escape_string(string).

See mysqli_real_escape_string in the PHP manual. You should also take a look at the link in the comment for more information and how to prevent SQL injection.

Vinc199789
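
As an added example (not code from the question or the answer): the UPDATE from the answer written as a mysqli prepared statement, with mysqli error reporting switched on so a malformed query no longer fails silently. It assumes `$mysqli` comes from connect.php, `loggedin()` and `$my_id` come from functions.php, `users.id` is an integer, and the only valid picks are the two option values in the form; `save_pick()` and `ALLOWED_PICKS` are hypothetical names.

```php
<?php
// Added example. Assumes connect.php defines $mysqli and functions.php
// defines loggedin() and $my_id, as on this page.
include 'connect.php';
include 'functions.php';

// Throw mysqli_sql_exception on SQL errors instead of returning false
// silently (this is the default from PHP 8.1 on).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Allow-list taken from the <option> values in the form.
const ALLOWED_PICKS = ['wr', 'nyg'];

// Hypothetical helper: returns null for a value outside the allow-list,
// otherwise the number of rows changed (0 = no such id, or same pick again).
function save_pick(mysqli $mysqli, int $userId, string $selection): ?int
{
    if (!in_array($selection, ALLOWED_PICKS, true)) {
        return null;
    }
    // Placeholders keep the submitted value out of the SQL text.
    $stmt = $mysqli->prepare('UPDATE users SET selection = ? WHERE id = ?');
    $stmt->bind_param('si', $selection, $userId); // assumes users.id is an integer
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

if (isset($_POST['submitbtn']) && loggedin()) {
    $selection = $_POST['selection'] ?? null;
    try {
        $changed = is_string($selection)
            ? save_pick($mysqli, (int) $my_id, $selection)
            : null;
        echo $changed === null
            ? '<p>Invalid selection.</p>'
            : '<p>You have made a selection!</p>';
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; show the user a generic message.
        error_log('Pick update failed: ' . $e->getMessage());
        echo '<p>Could not save your selection.</p>';
    }
}
```

With reporting enabled, the original `INSERT ... WHERE` statement would raise a `mysqli_sql_exception` for its syntax error rather than printing the success message.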