I have 2 problems with the code you have presented; and that is not even looking into the
troubleshooting aspect of trying to figure out why it doesn't work.
The first problem is that your style of creating an SQL query is ripe for
SQL Injection! You should
NEVER EVER
create a query by concatenating commands with string values.
I will acknowledge that there is some rudimentary protections in place, it is not something that will always be available and it should not be relied upon.
The preferred method for PHP/MySql is to use what are known as
Prepared Statements. Your query is written with placeholders and then you can bind your variables to the placeholders.
There is plenty of documentation on how to implement this, such as this
w3schools article[
^]
The second thing I do not care for is the excess queries you are running; it is excess overhead in the application and extra network traffic to/from the database server. You have 4 separate queries, but it could be pared down to just the 2 update queries.
What many people don't know is that you can use JOINs within an update.
Roughly translated from your two SELECT queries, I think you could implement something based on this for your update statement.
Please note that this is written for SQL Server, which uses @Variable
naming; and that PHP uses indexed question marks. I left this for you to change as this way you can see which of your PHP variables belong where in the query
UPDATE p
SET p.ProductQty = p.ProductQty - o.Quantity
FROM Products p
INNER JOIN Orders o ON p.id = o.product_id
WHERE o.id = @oid
AND o.user_id = @uid
AND o.product_id = @pid