
I have looked online for many hours but still can’t figure out what’s wrong with my code. The code works okay when I have $SALES=30; $ID=10; etc. Now I want to post those values using an HTML form, but I can't make it work.

<?php
$http_origin = $_SERVER['HTTP_ORIGIN'];
if ($http_origin == "http://......")
{
    header('Access-Control-Allow-Origin: *');
}
$SALES = $_POST['SALES']; // Supplied by html form
$ID = $_POST['ID']; // Supplied by html form
$con = mysqli_connect("xxx","TABLE","xxx");
if (mysqli_connect_errno())
{
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_select_db($con,"xxxxxx") or die ("no database");
$sql="update TABLE
    set
    id = @newer := $ID,
    tray_1 = case when tray_1 is null then @newer:=$SALES else tray_1 end,
    tray_2 = case when @newer = $ID and tray_2 is null then @newer:=$SALES else tray_2 end,
    tray_3 = case when @newer = $ID and tray_3 is null then @newer:=$SALES else tray_3 end

    WHERE id = $ID"; // This updates table values where field is null
if (!mysqli_query($con,$sql))
{
    die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
?>

What is wrong with my code? Thank you.

  • There's a clear syntax error here: $SALES = '$_POST['SALES']'; But mainly, you're not issuing the query, just writing it as a string. Commented Dec 22, 2013 at 17:52
  • Thanks for your answer. Can you please expound on the string thing? Commented Dec 22, 2013 at 18:09

1 Answer


There is probably a typo in the first line:

$SALES = '$_POST['SALES']';//Supplied by html form

Should be:

$SALES = $_POST['SALES'];//Supplied by html form

Maybe this will help you?

BTW you should check something about MySQL injection, for example here: PHP MySQL injection example?

Handling forms this way is ultra dangerous, because anyone can delete your whole database in one second.


2 Comments

The problem is OP's not even making the query, just creating a string. On a sidenote, sanitizing SQL is not only to avoid database deletion, but also something way less troublesome, such as someone whose name is O'Really who tries to enter his surname. That's why the query should be sanitized in the first place, to avoid being broken.
Edited my question. It was $SALES = $_POST['SALES']; already.
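
The injection warning in the answer, applied to the question's UPDATE: an added example (not code from the question or the answer) that validates both form fields as integers and binds them through a mysqli prepared statement instead of interpolating them into the SQL string. The connection details and the table name `trays` are placeholders assumed for illustration.

```php
<?php
// Added example: connection details and the table name `trays` are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // mysqli errors become exceptions

// Accept only integers from the form; anything else is rejected before it reaches SQL.
$sales = filter_input(INPUT_POST, 'SALES', FILTER_VALIDATE_INT);
$id    = filter_input(INPUT_POST, 'ID', FILTER_VALIDATE_INT);
if (!is_int($sales) || !is_int($id)) {
    http_response_code(400);
    exit('SALES and ID must be integers');
}

try {
    $con = new mysqli('db-host', 'db-user', 'db-password', 'db-name'); // placeholders

    // Same UPDATE as in the question, with every $ID / $SALES replaced by a ? marker.
    $sql = 'UPDATE trays
            SET id     = @newer := ?,
                tray_1 = CASE WHEN tray_1 IS NULL THEN @newer := ? ELSE tray_1 END,
                tray_2 = CASE WHEN @newer = ? AND tray_2 IS NULL THEN @newer := ? ELSE tray_2 END,
                tray_3 = CASE WHEN @newer = ? AND tray_3 IS NULL THEN @newer := ? ELSE tray_3 END
            WHERE id = ?';

    $stmt = $con->prepare($sql);
    // Values are bound in marker order: ID, SALES, ID, SALES, ID, SALES, ID.
    $stmt->bind_param('iiiiiii', $id, $sales, $id, $sales, $id, $sales, $id);
    $stmt->execute();
    echo 'Rows updated: ' . $stmt->affected_rows;

    $stmt->close();
    $con->close();
} catch (mysqli_sql_exception $e) {
    // Log the detail server-side; do not echo database errors back to the client.
    error_log($e->getMessage());
    http_response_code(500);
    exit('Database error');
}
```

Because the values travel separately from the statement text, a string such as `O'Really` or `1; DROP TABLE trays` in either field is rejected by the integer filter and could not alter the query even if it were bound.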
