PHP, question about searching and updating a record

I have a question, I am new to PHP and I have been working on some exercises. The one I am currently working on is to create a simple form that will search a database (first name, last name). The returned results should then be populated into another form. This way, if I want to update the record, all I have to do is change the value of the populated form and hit Update. I have create the database no problem.

The following is the code. (Please don't laugh, I'm very new...I am sure there are much more efficient ways of doing this, but I'm just playing around right now)

Here is the form:

<form action="" method="post">
<strong>Search for name</strong><br>
<label for="fname">First Name</label>
<input type="text" name="fname">

<label for="lname">Last Name</label>
<input type="text" name="lname">

<input type="submit" name="submit" value="Search">

</form>

And here is the PHP:

if( isset( $_POST['submit'] ) ){

    $first_name = $_POST['fname'];
    $last_name = $_POST['lname'];

    if ( $first_name == NULL || $last_name == NULL ) {
        echo "please enter search record";
    }
    else {
        $query = "SELECT first_name, last_name FROM formdata WHERE first_name LIKE '%$first_name%' OR last_name LIKE '%$last_name%'";

        $result = mysqli_query( $conn, $query );

        $result_array = mysqli_fetch_row( $result );

        $fname_value = $result_array[0];
        $lname_value = $result_array[1];

        echo "
        <form action='' method='post'>\n
            <label for='fname_u'>First Name</label>\n
            <input type='text' name='fname_u' value='$fname_value'>\n

            <label for='lname_u'>Last Name</label>\n
            <input type='text' name='lname_u' value='$lname_value'>\n

            <input type='submit' name='update' value='Update'>\n
        </form>";

    }

}


if( isset( $_POST['update'] ) ) {

    $first_name_u = ( $_POST['fname_u'] );
    $last_name_u = ( $_POST['lname_u'] );

    $query_update = "UPDATE formdata SET first_name = '$first_name_u', last_name = '$last_name_u' WHERE first_name = '$fname_value';";

    echo $query_update; // this is just for testing

}

This code seems to work and do what I want, all the way up to when I submit the updated information. I can't figure out how to carry over the value of the $fname_value variable to the if( isset( $_POST['update'] ) ) conditional. I am thinking I can't because they are two different POSTS? I really don't know...I just need to find a way to get value of the retrieved form data and use for the WHERE clause.

Again, I'm very new and just getting my feet w开发者_高级运维et with this kind of stuff ... Any help would be great

Thanks

I think you have a typo in your code. Your POST data is saved to the variable $first_name, but when you query SQL you are using $first_name_r instead of $first_name.

I'm thinking the typo is the answer, but I have to point out one deadly mistake you've made, and that is that you're piping user-supplied input directly into an SQL query. This opens your code to a slew of malicious attacks called SQL injection attacks. I'm not trying to be preachy, but it's very important that you read and understand that article, especially the part about Mitigation at the bottom.

I would suggest you use something like this instead:

$query = 'SELECT first_name, last_name '.
  'FROM formdata WHERE first_name LIKE ? OR last_name LIKE ?;';
$sth = mysqli_prepare($dbh, $query);
mysqli_stmt_bind_param($sth, "s", '%'.$first_name.'%');
mysqli_stmt_bind_param($sth, "s", '%'.$last_name.'%');
$result = mysqli_execute($sth);

I know it's a bit longer and more complicated, but trust me, it will save you a world of headache. The sooner you learn about this and get it deeply ingrained in your psyche that you can never, ever, ever write a query that passes unsanitized input straight to the database, the happier we all will be (and the longer you will get to keep your job eventually. ;).

Sorry if I'm coming on strong, but in my opinion, the single most important lesson you need to pick up early in developing database-driven web sites is that you really need to be proficient at spotting injection vulnerabilities to the point where it's automatic and when you see it, you think, "Ooh! Noooo! Don't do that!!!"

Above answer found your isssue, but on a sidenote:

 $first_name = $_POST['fname'];
 $last_name  = $_POST['lname'];

Do not do this. That my friend is the most common security vulnerability for php applications.

The most 2 most important things to remember when scripting is

1. Filter input, and 2: Escape output.

See this write-up for more details ..

In your case, the input values are not filtered, or checked for malicious/improper values.

Here is another primer on this page to see a few tips and how to address filtering.

Keep it up, those exercises are a fine way of picking up chops.

Happy coding friend.

Okay, re-reading your post, I think I see what you're trying to do and where you're having difficulty. Normally, you won't have two separate pages for one identical form like this. Typically, you'll code it more along these lines, and please keep in mind that I'm winging this off the top of my head, not actually testing it, so minor corrections and/or tweakage may be required:

<?php
  $fname_value = '';
  $lname_value = '';
  if (isset($_POST['submit']) && $_POST['submit'] === 'Search') {
    if (isset($_POST['fname']) && isset($_POST['lname'])) {
      // We are processing a submitted form, not displaying a brand new one
      // from scratch.  Code any post-validation steps.

      // Fetch the user information from the database. You'll need to define
      // the $host, $user, $password, and $dbname variables above, or
      // substitute literal strings with real information in here.
      $dbh = new mysqli($host, $user, $password, $dbname);
      $sql = 'SELECT first_name, last_name'.
        'FROM formdata WHERE first_name LIKE ? OR last_name LIKE ?;';
      $sth = $dbh->prepare($sql);  // Use parameters to avoid injection!
      $sth->bind_param('s', $_POST['fname']);
      $sth->bind_param('s', $_POST['lname']);
      if ($sth->execute()) {
        $result = $sth->get_result();
        if (($row = $result->fetch_assoc()) != NULL) {
          // Set the default values displayed in the text edit fields.
          $fname_value = $row['first_name'];
          $lname_value = $row['last_name'];
        }
      }

      // Whatever other processing you want to do if this is a submitted
      // form instead of displaying the page from scratch.
    }
  }
?>
<html>
  <body>
    <form action="<?= $_SERVER['PHP_SELF'] ?>" method="POST">
      <strong>Search for name</strong><br />
      <label for="fname">First Name</label>
      <input type="text" name="fname" value="<?= htmlentities($fname_value) ?>">
      <label for="lname">Last Name</label>
      <input type="text" name="lname" value="<?= htmlentities($lname_value) ?>">
      <input type="submit" name="submit" value="Search">
    </form>
  </body>
</html>