PHP
<?php
include_once("../../functions/db_conn.php");

// Get the employee ID from the query parameter
$emp_id = isset($_GET['emp_id']) ? $_GET['emp_id'] : null;

if ($emp_id !== null) {
    // Retrieve employee details from the database
    $db_conn = connection();
    $query = "SELECT * FROM emp_tbl WHERE emp_id = $emp_id";
    $stmt = mysqli_prepare($db_conn, $query);

    if (!$stmt) {
        die("Error in SQL query: " . mysqli_error($db_conn));
    }

    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);

    if (!$result) {
        die("Error in fetching data: " . mysqli_error($db_conn));
    }

    $row = mysqli_fetch_array($result);
} else {
    echo "Employee ID not provided in the URL.";
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <!-- ... (head section with CSS and JS imports) ... -->
</head>
<body>
    <div class="container">
        <div class="card mt-3">
            <div class="card-header">
                <h3>Edit Employee Details</h3>
            </div>
            <div class="card-body">
                <div class="row">
                    <div class="col-md-2"></div>
                    <div class="col-md-8">
                        <form id="empEditForm" 
                        action="editUser.php" method="post">
                            <!-- Populate form fields with employee data -->
                            <input type="hidden" 
                            name="empId" value="<?php echo 
                                  $row['emp_id']; ?>">
                            <div class="form-group">
                                <label for="empName">EMP Name</label>
                                <input type="text" name="empName" 
                                id="empName" class="form-control" 
                                value="<?php echo $row['emp_name']; ?>">
                            </div>
                            <div class="form-group mt-2">
                                <label for="empEmail">
                                EMP Email</label>
                                <input type="email" 
                                name="empEmail" id="empEmail" 
                                class="form-control" 
                                value="<?php 
                                echo $row['emp_email']; ?>">
                            </div>
                            <div class="form-group mt-2">
                                <label for="empNic">
                                EMP NIC</label>
                                <input type="text" name="empNic" 
                                id="empNic" class="form-control" 
                                value="<?php echo $row['emp_nic']; ?>">
                            </div>
                            <div class="form-group mt-2">
                                <label for="empTel">
                                EMP Phone</label>
                                <input type="text" name="empTel" 
                                id="empTel" class="form-control" 
                                value="<?php echo $row['emp_tel']; ?>">
                            </div>
                            <div class="form-group mt-2">
                                <label for="empDob">
                                EMP DOB</label>
                                <input type="date" name="empDob" 
                                id="empDob" class="form-control" 
                                value="<?php echo $row['emp_dob']; ?>">
                            </div>
                            <!-- Add other fields here -->

                            <!-- Add a submit button -->
                            <div class="form-group mt-2">
                                <input type="submit" name="btnSave" id="btnSave" class="btn btn-success" value="Save">
                            </div>
                        </form>
                    </div>
                    <div class="col-md-2"></div>
                </div>
            </div>
        </div>
    </div>
</body>
</html>

<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.4/jquery.min.js"></script>
<script>
    $('#btnSave').click(function(e){
        e.preventDefault(); // Prevent the form from submitting normally
        $.ajax({
            url: "../../route/emp/editUser.php",
            type: "post",
            data: $('#empEditForm').serialize() + 
            "&emp_id=<?php echo $emp_id; ?>",
            success: function(data){
                console.log('Response:', data);
                if(data == '1'){
                    alert('Employee details updated successfully');
                    location.reload(); // Reload the page to 
                                       // see the updated data
                }else{
                    alert('Error');
                }
            }
        });
    });
</script>


What I have tried:

Employee ID not provided in the URL.
Edit Employee Details
EMP Name 

Warning: Undefined variable $row in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 50
Warning: Trying to access array offset on value of type null in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 50
EMP Email

Warning: Undefined variable $row in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 54
Warning: Trying to access array offset on value of type null in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 54
EMP NIC

Warning: Undefined variable $row in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 58
Warning: Trying to access array offset on value of type null in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 58
EMP Phone 

Warning: Undefined variable $row in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 62
Warning: Trying to access array offset on value of type null in C:\xampp\htdocs\ITproject\lib\views\emp\edituser.php on line 62
EMP DOB 
mm/dd/yyyy
Updated 7-Sep-23 8:07am
Comments
Richard Deeming 5-Sep-23 8:17am    
Your code is vulnerable to SQL Injection. NEVER use string concatenation/interpolation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual

1 solution

The variable $row only exists within the scope of the if statement at line 7. Change the code so it is declared at global scope:
PHP
$emp_id = isset($_GET['emp_id']) ? $_GET['emp_id'] : null;

$row = null; // make $row globally visible
if ($emp_id !== null) {


See PHP Variables Scope.
 
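The comment's parameterized query and the solution's `$row` initialisation combined, as an added example that is not part of the original question or answer. `connection()`, `emp_tbl` and the column names come from the question; the helper names `e()` and `find_employee()` are hypothetical, and an integer `emp_id` column is an assumption.

```php
<?php
// Added example, not the poster's code. connection() and emp_tbl are taken from
// the question; an integer emp_id column is an assumption.
include_once("../../functions/db_conn.php");

// Escape a database value before echoing it into an HTML attribute or text node.
function e($value): string
{
    return htmlspecialchars((string) ($value ?? ''), ENT_QUOTES, 'UTF-8');
}

// Fetch one employee using a bound parameter; returns null when no row matches.
function find_employee(mysqli $db, int $empId): ?array
{
    $stmt = mysqli_prepare($db, "SELECT * FROM emp_tbl WHERE emp_id = ?");
    if (!$stmt) {
        error_log("prepare failed: " . mysqli_error($db)); // details stay in the server log
        return null;
    }
    mysqli_stmt_bind_param($stmt, "i", $empId); // "i" = integer; the value never enters the SQL text
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $row = $result ? mysqli_fetch_assoc($result) : null;
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

$row = null; // defined on every path, so the form never reads an undefined variable
// FILTER_VALIDATE_INT gives null when emp_id is absent and false when it is not an integer.
$emp_id = filter_input(INPUT_GET, 'emp_id', FILTER_VALIDATE_INT);

if ($emp_id === null || $emp_id === false) {
    http_response_code(400);
    exit("Employee ID missing from the URL or not an integer.");
}
$row = find_employee(connection(), $emp_id);
if ($row === null) {
    http_response_code(404);
    exit("No employee found with that ID.");
}
?>
<input type="hidden" name="empId" value="<?php echo e($row['emp_id']); ?>">
<input type="text" name="empName" value="<?php echo e($row['emp_name']); ?>">
```

Because the script exits before any markup when the ID is missing or unknown, the form is only rendered with a populated `$row`, and the validated integer `$emp_id` is also safe to echo into the page's inline script.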

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


