I am creating a website when users can purchase products. I have created an admin side of this website and am trying to create a page where an admin, once logged in, can update the stock levels of a certain product on myphpadmin database. I have so far managed to get the code to a stage where it updates in my database but not to the selected product. Instead it creates a new record with the stock level and the price. I have carried the product ID from the previous page using the command below:
echo "<input type=hidden name=h_prodid value=".$stockid.">";
Therefore when the admin clicks on the update link they arrive at a page with the current details of that particular product. They then enter one or two values to update this particular product but currently a new record is inserted into the database, as opposed to updating the existing on. Please see the code below.
<?php
session_start();
include("db.php");
//create a variable called $pagename which contains the actual name of the page
$pagename="Product Update Confirmation";
//call in the style sheet called ystylesheet.css to format the page as defined in the style sheet
echo "<link rel=stylesheet type=text/css href=mystylesheet.css>";
//display window title
echo "<title>".$pagename."</title>";
//include head layout
include("adminheadlayout.html");
//display the name of the site and the date dynamically. See uk.php.net
echo date ('l d F Y H:i:s');
echo "<p></p>";
include ("detectlogin.php");
//display name of the page
echo "<h2>".$pagename."</h2>";
//Capture the details entered in the form using the $_POST superglobal variable
//Store these details into a set of new variables
$newprice=$_POST['p_priceupdate'];
$newquantity=$_POST['p_quantityupdate'];
$prodid=$_POST['h_prodid'];
//If any of the variables is empty
if (!$newprice and !$newquantity)
{
echo "<br>Please enter a value for price and/or quantity ";
echo "<br>Go back to <a href=editstock.php>Edit Stock details</a>";
}
else
{
if (!$newprice or !$newquantity)
{
//insert a new record in the order table to generate a new order number.
//store the id of the user who is placing the order as well as the current date and time
$productupdateSQL="insert into Products (prodPrice, proQuantity, prodId)
values ('".$newprice."', '".$newquantity."', '".$prodid."')";
$exeproductupdateSQL=mysql_query($productupdateSQL);
echo "<p strong>Stock level updated successfully!";
}
//if a database error is returned, display an order error message
else
{
echo "<p>Sorry there has been an error with your product update";
echo "Go back to <a href=editstock.php>Edit Stock Details</a>";
}
}
//include head layout
include("footlayout.html");
?>
Any ideas will be gratefully appreciated. I am nearly there however cannot find anything relating to this particular type of issue.
Your script only contains an INSERT query, no UPDATE query, so it will never update existing records
warning Your code is very insecure, uses outdated mysql_ functions and does not escape values at all. The code is therefore vulnerable for SQL Injection. SQL Injection may lead to exposing private data and data loss! Read about it here: http://www.unixwiz.net/techtips/sql-injection.html