html - PHP not Reading <select> name for MySQL Update

Question

I'm working on a fantasy football database just for fun and I have made some progress with a PHP page but am stuck with an issue in getting data from my html data to be read by my php update script (update.php)

Here's my code for the form:

  $servername = "localhost";
  $username = "root";
  $password = "nottelling";
  $dbname = "Football";

  // Create connection

  $conn = new mysqli($servername, $username, $password, $dbname);

  // Check connection

  if ($conn->connect_error){
    die("Connection failed: " . $conn->connect_error);
  } 

  $sqlqb = "SELECT Name_Team_Position FROM Football.2016_Players_QB;";
  $resultqb = $conn->query($sqlqb);
  echo " <form method="post" action="update.php"> <br> Enter Passcode:";
  echo " <input name = "Passcode" type = "text"> </input> <br><br> ";
  echo " Pick your QB: <select name='QB'> </option> "; // list box select command
  foreach ($conn->query($sqlqb) as $row){         
    // Array or records stored in $row
    echo " <option value=$row[id]>$row[Name_Team_Position]</option> "; 
    /* Option values are added by looping through the array */ 
  }  
  echo " </select> ";// Closing of list box
  echo " <br><br> <input type="submit" value="Submit"> </input> ";
  echo " </form> ";
  $conn->close();
 ?>

And here's update.php

  $servername = "localhost";
  $username = "root";
  $password = "nottelling";
  $dbname = "Football";

  // Create connection

  $conn = new mysqli($servername, $username, $password, $dbname);

  // Check connection

  if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
  } 

  $value1 = $_POST['Passcode'];
  $value2 = $_POST['QB'];

  $sql = "UPDATE Football.PlayerTeams SET QB = '$value2' WHERE Password = '$value1';";

   if ($conn->query($sql) === TRUE) {
     echo "New record created successfully";
   } else {
     echo "Error: " . $sql . "<br>" . $conn->error;
   }

  $conn->close();

?>

My problem as concisely as I can put it:

This script is definitely connecting properly to the DB and executing the update query successfully. The problem is that $value1 is not receiving any value from the html form. If I insert the string "test" into the row corresponding with the passcode, and then I use the form this code producing, it runs successfully but then when I check the db "test" is gone and instead its just blank - "". Can someone help me figure out what I'm doing wrong in trying to get the drop-down value to my action script?

Answer 1

This is wrong:

echo " Pick your QB: <select name='QB'> </option> ";

The </option> are wrong placed

Replace: echo " Pick your QB: <select name='QB'>";

Replace: echo " <br><br> <input type="submit" value="Submit">";

The $row['id'] is the value that you become in your QB if your POST.

echo " <option value='TheValueYouNeededHere'>Display Name</option> "; 

And for POST use filter_input — Gets a specific external variable by name and optionally filters it:

filter_input(INPUT_POST, QB, filter);

The filters you find here: http://php.net/manual/de/filter.filters.php

Copy from User:

$sql = "UPDATE Football.PlayerTeams SET QB = '".$value2."' WHERE Password = '".$value1."'";

Is more beautiful for the eyes, you must not use ".$Value." In php works without i mean, correct me when i'm wrong

Security:

Your MySQL query can easy injected. And your passwort is Visible. It gives multiple choices to avoid this.

MySQL injecton: You can replace some char's. (Char are single character) The most dangerous things you can replace with other characters. Filter Input have nice filters like htmlspecialchars. I Think you find much things if you search little :)

Password: First make <input type='password'>. Then Hash your password or pick MD5 or something to make it "unreadeble". You can set it on MySQL. With PHP u build the "secure" value. MD5 is not the best option. Its only easy to implement for beginning.

Hope this helps :)