PHP MySQL - Update with $_POST

Question

Short explain what I want to do.. when I click my button "calc1" my inputs number(quantity1) should be reduced by the inputs number I type in (amount1) Like " Result = quantity1 - amount1 ". In the input "quantity1" is already a value because I loaded it from my database into the input but the calculation doesn't work. I hope you understand me a bit..I better show my code now..

Calculation code:

<?php
 include_once('connect.php');

 if($_POST['calc1']){
 $_POST['quantity1'] = $_POST['quantity1'] - $_POST['amount1'];

 $sql = "UPDATE
        tbl_auction
      SET
        quantity1      = $_POST['quantity1']
      WHERE
        id = :user_id";

 $query = $conn->prepare($sql);
 $query ->execute(array('quantity1' => $_POST['quantity1'] ));
 } else{
 echo 'ups, error!';
 }
?>

HTML Code:

<div id="move_amount">
  <input type="text" class="amount" name="amount1">
</div>

<div id="move_quantity">
<input type="text" class="tend_quantity" name="quantity1" value=" <?=$value_quantity1 ?>"  > 
</div>

<div id="move_btn">
  <input class="btn_sel" name="calc1" type="submit" name="submitted" value="Bidding">
</div>

Here is the part from my database that I want to update

id  AUTO_INCREMENT
quantity1   int(11)

I appreciate every help!

EDIT: My user_id declaration:

if ($result[0]["password"] !==    md5($_POST['password'].'D6tp'.$_POST['email'])) {
 header('Location: /PHP/index.php?page=login');
} else {
   $_SESSION['loged_in'] = true;
   $_SESSION['user_id']  = $result[0]["id"]; 
   header('Location: /PHP');

};

EDIT: The Problem is solved! For those who want to know what the issue was: So first @arkascha had some good corrections you can see her post... and the secound issue was because in my inputs value was a string written and that's why the calculation did not work too. Thanks to @arkascha!

Answer 1

There are some small issues here:

1. you should not specify $_POST['quantity1'] directly in the query, since you want to hand it over as a parameter. So instead put in a placeholder: :quantity1 .
2. you already have a placeholder for the id column, great! But you forgot to supply a value for that in your call to execute()!
3. you should not overwrite $_POST['quantity1'] , though that certainly is possible from a technical point of view. The superglobal $_POST should be considered as a read-only source of data, use a local variable instead. That makes the code easier to follow.

So try this instead:

<?php 
include_once('connect.php');

if($_POST['calc1']) {
    $quantity1 = $_POST['quantity1'] - $_POST['amount1'];

    $sql = 'UPDATE tbl_auction SET quantity1 = :quantity1 WHERE id = :user_id';

    $query = $conn->prepare($sql);
    $query ->execute(array(
        'user_id' => $some_user_id, // this has to be some user id
        'quantity1' => $quantity1
    ));
} else{
    echo 'ups, error!';
}

You obviously still have to adapt a little here, but the general issues should be addressed, I hope.