Home/ Questions/Q 586277
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-13T15:05:27+00:00

I’m trying to make an update form. The update part is already working, but

  • 0

I’m trying to make an update form. The update part is already working, but it would be better if I’m going to put a view button so that the users will not input the data all over again just to update it.

I’m working on this code, there’s a button in the html form with the following code as its form action. Its job is to populate the textboxes with the appropriate data depending on the telephone number entered.

<?php
    $con = mysql_connect("localhost","root","");
    if (!$con)
    {
        die('Could not connect: ' . mysql_error());
    }
    mysql_select_db("hospital", $con);

    $result = mysql_query("SELECT * FROM t2 WHERE TELNUM='{$_POST["telnum"]}'");

    while ($row = mysql_fetch_array($result))
    {

    <form>
        <input  name="lname" type="text"<?php echo $result["lname"];">
    </form>
?>

What’s wrong with my code? I’m still a beginner in PHP.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Your HTML doesn’t look correct; the value for a text input field is specified with the value attribute, e.g.

    <input name="lname" type="text" value="<?php echo( htmlspecialchars( $row['lname'] ) ); ?>" />

    The row data will be present in the $row hash; $result is just a pointer to the MySQL result buffer. In addition, you’re missing a ?> tag after the echo statement, and the final ?> is misplaced. There also appears to be no closing brace for the while loop

    Note the use of htmlspecialchars() to escape HTML entities in the text. This will prevent the text in the database from inadvertently closing the tag and spewing rubbish all over your HTML (and prevent against malicious input from users having any effect).

    Overall, the correct solution might look something like:

    <?php
$con = mysql_connect( 'localhost', 'root', '' );
if( !$con ) {
    die( 'Could not connect: ' . mysql_error() );
} else {
    mysql_select_db( 'hospital', $con );
    $result = mysql_query( "SELECT * FROM t2 WHERE TELNUM='{$_POST["telnum"]}'" );
    while( $row = mysql_fetch_array( $result ) ) {
        ?>
        <form>
            <input name="lname" type="text" value="<?php echo( htmlspecialchars( $row['lname'] ) ); ?>" />
        </form>
        <?php
    }
}
?>

    Finally, not to second-guess you, but be careful about inserting arbitrary values from user-supplied data (like $_GET and $_POST) into SQL queries – a malicious user could use this to intentionally construct queries you don’t want performed, or a non-malicious user could quite reasonably provide data that unintentionally breaks the SQL, causing an unexpected error (or again, some form of unknown broken behaviour). Take a look at the SQL injection page on the PHP web site as a good starting point to learn more about this.

    • 0