
Hi everyone, please I need your help.

What I want is: when the input field is updated with this value, Résolu, update the date column with the current date.

I have a POST form with an input field. This is my code:

    <div class="d-flex col">
        <label class="form-label col-auto">Etat :</label>
        <select class="form-select" name="etat" id="etat">
            <option value="<?=$row['etat'] ?>"><?=$row['etat'] ?></option>
            <option value="Résolu">Résolu</option>
            <option value="Abondonné">Abondonné</option>
        </select>
    </div>

And this is the query:

    if (isset($_POST['save_suivi'])) {

        $etat = $_POST['etat'];

        $sql = "UPDATE tbl_ss_appareil_rec SET etat='$etat' WHERE id_rec='$id_rec'";

        if (mysqli_query($con, $sql)) {
            header('Location: ../ss_ficherec.php');
        } else {
            echo "Error: " . $sql . " " . mysqli_error($con);
        }
        mysqli_close($con);
    }
  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson May 13 '22 at 14:48
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson May 13 '22 at 14:48
  • Also, you should improve your mysqli error handling - see [mysqli or die, does it have to die?](https://stackoverflow.com/questions/15318368/mysqli-or-die-does-it-have-to-die) – ADyson May 13 '22 at 14:48
  • Anyway, you should explain what exact problem you're having with this code. "I want" isn't a question and doesn't describe a problem. See [ask]. The main thing I can see which might be wrong currently is that `$id_rec` doesn't seem to be defined anywhere. Where are you expecting that variable to be given a value? And also where is your code to check the etat value and set the date? Have you actually _tried_ anything? Where are you stuck? – ADyson May 13 '22 at 14:49
  • Thank you so much. I always work with this method of SQL injection. Is it very important to use prepared statements, or just optional? @ADyson – walid May 13 '22 at 14:52
  • 1
    It is definitely _not_ optional to use prepared statements, it is a vital security measure. As I mentioned above, it can also improve the general reliability of your SQL code too. – ADyson May 13 '22 at 15:02
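The comments above make two points: the query must be parameterised, and the page's own question (set the date when `etat` becomes `Résolu`) still needs the missing branch. The following is an added example, not the asker's code and not an answer posted on this page. It assumes a hypothetical `DATETIME` column named `date_resolution` in `tbl_ss_appareil_rec`, a hidden form field `id_rec` carrying the row id, an open mysqli connection `$con` created after `mysqli_report()` was called, and a whitelist of allowed states that is also an assumption (extend it if rows can hold other values).

```php
<?php
// Added example (not the asker's code): prepared-statement version of the
// UPDATE that also stamps date_resolution with NOW() when etat is "Résolu".
// Assumptions: column `date_resolution` (DATETIME), hidden form field `id_rec`,
// and an open mysqli connection in $con created after the mysqli_report() call.

// Make mysqli throw exceptions instead of returning false; call this before
// mysqli_connect() / new mysqli() so it applies to the connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Assumed whitelist: values the form is allowed to store. Anything else is
// rejected before it reaches the database.
const ALLOWED_ETATS = ['En cours', 'Résolu', 'Abondonné'];

function updateEtat(mysqli $con, int $id_rec, string $etat): int
{
    if (!in_array($etat, ALLOWED_ETATS, true)) {
        throw new InvalidArgumentException("Etat inconnu: $etat");
    }

    if ($etat === 'Résolu') {
        // The date is produced by the database with NOW(); no client input is
        // involved in that part of the statement.
        $sql = "UPDATE tbl_ss_appareil_rec SET etat = ?, date_resolution = NOW() WHERE id_rec = ?";
    } else {
        $sql = "UPDATE tbl_ss_appareil_rec SET etat = ? WHERE id_rec = ?";
    }

    // Placeholders keep the SQL text fixed; values travel separately, so a
    // quote or comment sequence in $etat cannot change the statement.
    $stmt = $con->prepare($sql);
    $stmt->bind_param('si', $etat, $id_rec);   // 's' = string, 'i' = integer
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

if (isset($_POST['save_suivi'])) {
    try {
        // Cast the id to int and default missing fields rather than trusting
        // the request shape.
        $id_rec = (int) ($_POST['id_rec'] ?? 0);
        $etat   = (string) ($_POST['etat'] ?? '');

        updateEtat($con, $id_rec, $etat);

        header('Location: ../ss_ficherec.php');
        exit;
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo "Valeur d'état non autorisée.";
    } catch (mysqli_sql_exception $e) {
        // Log the detail server-side; never echo the SQL text or driver
        // message back to the browser.
        error_log($e->getMessage());
        http_response_code(500);
        echo "Une erreur est survenue.";
    }
}
```

With `MYSQLI_REPORT_STRICT` enabled there is no need for `if (mysqli_query(...)) ... else echo mysqli_error(...)`: a failing `prepare()` or `execute()` throws, the `catch` block logs it, and the user sees only a generic message. Because `date_resolution` is set with `NOW()` inside the statement, the timestamp is assigned by the database server and is never read from the form.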
