error in the process

Lyka md
I got an error when running this code. The code is to process the renewal application.
process.php
Ares Kurklu
Software Engineer

Commented:
What is the error message? It seems like you retrieve the variable validation_period but you don't set it in the MySQL statement.
Whatever the name is in the database, if it is "validation_period" then you need to do validation_period = $validation_period, the first one being the db column name and the 2nd one the variable.

validation_period =".$validation_period ."
$query="UPDATE applications SET status='3', validation_period WHERE application_no='$app_no'";

validation_period is undefined / incomplete. Try changing the line to:

$query="UPDATE applications SET status='3', validation_period = '$validation_period' WHERE application_no='$app_no'";


- This assumes "validation_period" is a valid field in your table
or
$query="UPDATE applications SET status='3' WHERE application_no='$app_no'";


- removed validation_period

            
$sql = mysqli_query($con,$query);

Try changing this to:

$sql=mysqli_query($query,$con);



Ken
Most Valuable Expert 2018
Distinguished Expert 2018

Commented:
It's already been pointed out that your SQL statement is wrong with regard to the validation_period. What is also wrong is the WHERE clause is using a variable called $app_no which doesn't exist. What does exist is a variable called $applicant_no which is probably what you meant.

Aside from those errors, your approach to the process is not considered safe or best-practice. You're inserting data straight from a user ($_POST) into your database with no validation or sanitization, so you are opening yourself up to SQL Injection.

Whenever you use data from a user, you should be using a prepared query. This will sanitize the data and prevent SQL Injection. There's also no need to assign the POST variables to other variables. It serves no purpose.

Have a look at this:

<?php
// Only run when the form was submitted with the required fields.
if ( isset($_POST['submit']) && !empty($_POST['importer_id']) && !empty($_POST['product_id']) ):

    require_once('connectDB.php');

    // Placeholders (?) keep the user-supplied values out of the SQL text.
    $stmt = mysqli_prepare($con, "UPDATE applications SET status='3', validation_period  = ? WHERE application_no= ?");

    // "ss" = both parameters are bound as strings.
    mysqli_stmt_bind_param($stmt, "ss", $_POST['validation_period'], $_POST['applicant_no']);
    mysqli_stmt_execute($stmt);

endif;
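
The difference between the interpolated query in the question and the prepared query in the answer above, as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database in place of mysqli/MySQL so it runs without a server; the table layout, the application_no form field and the numeric rule for validation_period are assumptions.

```php
<?php
// Added example, not the asker's process.php. Table layout, rows and inputs are constructed.
// PDO with in-memory SQLite stands in for mysqli/MySQL so it runs without a server.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE applications (application_no TEXT PRIMARY KEY, status TEXT, validation_period TEXT)");
    $db->exec("INSERT INTO applications VALUES ('A-100','1','12'), ('A-200','1','12'), ('A-300','1','12')");
    return $db;
}

// Pattern from the question: request values are pasted into the SQL text.
function renewUnsafe(PDO $db, array $post): int {
    $query = "UPDATE applications SET status='3', "
           . "validation_period = '{$post['validation_period']}' "
           . "WHERE application_no = '{$post['application_no']}'";
    return $db->exec($query);   // number of rows changed
}

// Validate what has a known shape, then bind every value as a parameter.
function renewPrepared(PDO $db, array $post): int {
    $period = (string)($post['validation_period'] ?? '');
    $appNo  = (string)($post['application_no'] ?? '');
    if (!ctype_digit($period)) {   // assumed rule: the period is a whole number
        throw new InvalidArgumentException('validation_period must be numeric');
    }
    $stmt = $db->prepare(
        "UPDATE applications SET status='3', validation_period = ? WHERE application_no = ?"
    );
    $stmt->execute([$period, $appNo]);
    return $stmt->rowCount();
}

// Constructed inputs: one with a quote in application_no, one well-formed.
$tampered = ['validation_period' => '12', 'application_no' => "x' OR '1'='1"];
$legit    = ['validation_period' => '24', 'application_no' => 'A-200'];

printf("interpolated, quoted input: %d row(s) changed\n", renewUnsafe(makeDb(), $tampered));
printf("prepared, quoted input:     %d row(s) changed\n", renewPrepared(makeDb(), $tampered));
printf("prepared, valid input:      %d row(s) changed\n", renewPrepared(makeDb(), $legit));
```

With the quoted input, the interpolated statement's WHERE clause matches every row, while the prepared statement compares the whole string as a value and matches none.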
