Deny other users to edit someone else's cards - php

I'm making an update page where users can edit their business cards' information, like phone, address, etc.
The problem is, I'm getting their card id in this way:
Edit
so they can see their card id in the search bar, and if they simply change the id they can edit anyone's card information. I wanted to check whether the user's id equals his card's userid (this is a foreign key in the database) and, if not, redirect him to the index page. The problem is, I'm still allowed to edit anyone's card because the userid doesn't change.
my update code:
<?php
session_start();
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'reg');
/* Attempt to connect to MySQL database */
$mysqli = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
    die("HIBA: Nem sikerült csatlakozni. " . mysqli_connect_error());
}
// card id taken straight from the query string (edit.php?id=...)
$id = $_GET['id'];
var_dump($_SESSION);
if (isset($_POST['submit'])) {
    $name = $_POST['name'];
    $phone = $_POST['phone'];
    $phone2 = $_POST['phone2'];
    $email = $_POST['email'];
    $zipcode = $_POST['zipcode'];
    $address = $_POST['address'];
    $job = $_POST['job'];
    $description = $_POST['description'];
    $userid = $_SESSION['id'];
    // $userid is a copy of $_SESSION['id'], so this comparison is never true
    // and the redirect never happens
    if( $_SESSION['id'] != $userid){
        header("Location: index.php");
    }
    // $visibility and $confirmed are not assigned anywhere in this script
    $stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
    if (
        $stmt &&
        // 11 placeholders need 11 bound values, the last one being the card id
        $stmt->bind_param('ssssisssiii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed, $id) &&
        $stmt -> execute()
    ) {
        echo 'Updated';
    } else {
        echo $mysqli -> error;
    }
}
// load the card so the form below can be pre-filled
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
    $getstmt->bind_param('i', $id) and
    $getstmt->execute() and
    $result = $getstmt->get_result() and
    $row = $result->fetch_assoc()
) {
    $name = $row['name'];
    $phone = $row['phone'];
    $phone2 = $row['phone2'];
    $email = $row['email'];
    $zipcode = $row['zipcode'];
    $address = $row['address'];
    $job = $row['job'];
    $description = $row['description'];
}
my database: (users)
id | username | password | created    | admin
---+----------+----------+------------+------
1  | John     | 112      | 2020-12-23 | 2435

cards:
id | name | phone | phone2 | email   | zipcode | address  | job  | description | visibility | userid
---+------+-------+--------+---------+---------+----------+------+-------------+------------+-------
1  | John | 112   | 233    | a#a.com | 2435    | dfdf 34. | test | uzlh        | 0          | 1

Something like that:
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
    $getstmt->bind_param('i', $id) and
    $getstmt->execute() and
    $result = $getstmt->get_result() and
    $row = $result->fetch_assoc()
) {
    // only the owner of the card (cards.userid) may see and edit it
    if($row['userid'] == $_SESSION['id']){
        $name = $row['name'];
        $phone = $row['phone'];
        $phone2 = $row['phone2'];
        $email = $row['email'];
        $zipcode = $row['zipcode'];
        $address = $row['address'];
        $job = $row['job'];
        $description = $row['description'];
    }else{
        header("Location: index.php");
        exit();   // stop the script, otherwise the rest of the page is still rendered
    }
}

You are trying to match $userid with $_SESSION['id'], but both of these variables point to the same value. Use $_GET['id'] instead of $userid:
// compares the logged-in user's id with the id taken from the URL
if( $_SESSION['id'] != $_GET['id']){
    header("Location: index.php");
    exit();
}
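As an added example (not code from the question or from either answer), here is how the ownership rule can be enforced inside the UPDATE itself, so that a changed id in the URL can never reach another user's row. It assumes the question's cards table with its userid column and an already opened $mysqli connection; the function name update_own_card is made up here.

```php
<?php
// Added example: scope the UPDATE to the logged-in owner instead of comparing
// two copies of the session id. Assumes the question's cards table (with a
// userid column) and an already opened $mysqli connection.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false
session_start();

if (!isset($_SESSION['id'])) {
    header('Location: login.php');
    exit();                      // always stop after a redirect header
}

/**
 * Update a card only when it belongs to $ownerId. Returns true when one row
 * changed; false when the id does not exist or belongs to someone else,
 * because the WHERE clause then matches nothing.
 */
function update_own_card(mysqli $db, int $cardId, int $ownerId, array $f): bool
{
    $stmt = $db->prepare(
        'UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, '
        . 'address=?, job=?, description=? WHERE id = ? AND userid = ?'
    );
    $stmt->bind_param(
        'ssssisssii',
        $f['name'], $f['phone'], $f['phone2'], $f['email'], $f['zipcode'],
        $f['address'], $f['job'], $f['description'], $cardId, $ownerId
    );
    $stmt->execute();
    // 0 rows: not this user's card (or the submitted values equal the stored ones)
    return $stmt->affected_rows === 1;
}

$cardId = (int)($_GET['id'] ?? 0);   // a non-numeric id becomes 0 and matches nothing

if (isset($_POST['submit'])) {
    $fields = [];
    foreach (['name', 'phone', 'phone2', 'email', 'zipcode', 'address', 'job', 'description'] as $k) {
        $fields[$k] = $_POST[$k] ?? '';
    }
    if (update_own_card($mysqli, $cardId, (int)$_SESSION['id'], $fields)) {
        echo 'Updated';
    } else {
        // not the owner (or no such card): do not say which, just leave the page
        header('Location: index.php');
        exit();
    }
}
```

Note that MySQL reports 0 affected rows when the submitted values are identical to the stored ones; if that case must be told apart from "not the owner", connect with MYSQLI_CLIENT_FOUND_ROWS or SELECT the userid first.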


User info is not displaying from database

I just want to display the username from database in my UserHome.php page. But it's displaying nothing. Here is the code below that I used to display the name.
server.php :
<?php
$host = "localhost";
$user = "root";
$password = '';
$db_name = "hawkeye_portfolio";
$db = mysqli_connect($host, $user, $password, $db_name);
$name = "";
if (isset($_POST['edit_user'])) {
    $name = mysqli_real_escape_string($db, $_POST['name']);
    $email = mysqli_real_escape_string($db, $_POST['email']);
    $query = "SELECT * FROM edituser";          // no WHERE clause: every row comes back
    $results = mysqli_query($db, $query);
    if (count($results) == 1 ) {                // $results is a mysqli_result object, not an array
        $n = mysqli_fetch_array($results);
        $name = $n['name'];
    }
}
UserHome.php :
<ul class="address-text">
    <li><b>Name : </b></li>
    <li><?php echo $name; ?> </li>
</ul>
So here I want to display the name, but it's not displaying the name.
Note:
I have also used this code
if (mysqli_num_rows($results) == 1) {
    $_SESSION['name'] = $name;
}
<?php echo $_SESSION['name']; ?>
But these are not working too. Please someone help me.
Check this:
$name = mysqli_real_escape_string($db, $_POST['name']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$query = "SELECT * FROM edituser WHERE name='$name' AND email='$email'";
$results = mysqli_query($db, $query);
if (mysqli_num_rows($results) === 1) {
    while ($row = mysqli_fetch_assoc($results))
    {
        $_SESSION['name'] = $row['name'];
        echo $_SESSION['name'];
    }
} else {
    // Show an error message
    // multiple results found
}

how to forbid to send data to sql

I'm using strlen to check my input values. I want to forbid users from sending data to my database if the strlen is too long. I didn't find any way to forbid it, so right now anyone can send values as long as they want. Here's my code:
<?php
// $mysqli (the connection) and $id (card id from the URL) are set above this snippet
if (isset($_POST['sub'])) {
    $name = $_POST['name'];
    $phone = $_POST['phone'];
    $phone2 = $_POST['phone2'];
    $email = $_POST['email'];
    $zipcode = $_POST['zipcode'];
    $address = $_POST['address'];
    $job = $_POST['job'];
    $description = $_POST['description'];
    $userid = $_SESSION['id'];
    $stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
    if (
        $stmt &&
        $stmt->bind_param('ssssisssiii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed, $id) &&
        $stmt -> execute()
    ) {
        echo "Sikeres módosítás!";
    } else {
        echo $mysqli -> error;
    }
}
// load the card for the form; only its owner may see it
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
    $getstmt->bind_param('i', $id) and
    $getstmt->execute() and
    $result = $getstmt->get_result() and
    $row = $result->fetch_assoc()
) {
    if($row['userid'] == $_SESSION['id']){
        $name = $row['name'];
        $phone = $row['phone'];
        $phone2 = $row['phone2'];
        $email = $row['email'];
        $zipcode = $row['zipcode'];
        $address = $row['address'];
        $job = $row['job'];
        $description = $row['description'];
    }else{
        header("Location: index.php");
    }
}
I check the length of inputs here:
if(strlen($name) > 30)
{
    echo "test";
    exit();
}
if(strlen($job) > 50)
{
    echo "test";
    exit();
}
if(strlen($email) > 50)
{
    echo "test";
    exit();
}
//more of these strlen checks
//and html code under that
How can I modify the echo parts so that the data is not sent?
Well, if you really have to do it your way, you can throw an exception.
However, the more common way is to bind your data to a model, validate the model against any business constraints (using a validator) and then act accordingly. There are plenty of web frameworks that provide such an abstraction in any programming language; for PHP, see Laravel for inspiration.
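As an added example (not code from the question or the answer), this is the "validate first, then act" pattern applied to the question's card fields: all length limits sit in one table, every violation is collected, and the prepared UPDATE is only reached when the list is empty. The limits are illustrative and follow the strlen checks on this page; the names CARD_LIMITS and validate_card are made up here.

```php
<?php
// Added example: check every field against one table of limits before any
// query runs. Fields and limits follow the strlen checks in the question;
// the names CARD_LIMITS and validate_card are made up here.
const CARD_LIMITS = [
    'name' => 30, 'phone' => 20, 'phone2' => 20, 'email' => 50,
    'zipcode' => 4, 'address' => 50, 'job' => 50, 'description' => 500,
];

/**
 * Returns a list of error messages; an empty array means the input may be saved.
 * mb_strlen counts characters and strlen counts bytes: "Müller" is 6 characters
 * but 7 bytes in UTF-8, so pick the one that matches how the column limit is defined.
 */
function validate_card(array $input): array
{
    $errors = [];
    foreach (CARD_LIMITS as $field => $max) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[] = "$field is missing";      // absent keys and arrays (name[]=...) are refused
            continue;
        }
        if (mb_strlen($input[$field], 'UTF-8') > $max) {
            $errors[] = "$field is longer than $max characters";
        }
    }
    if ($errors === []) {                         // format checks once every field is present
        if (filter_var($input['email'], FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = 'email is not a valid address';
        }
        if (!ctype_digit($input['zipcode'])) {
            $errors[] = 'zipcode must contain digits only';
        }
    }
    return $errors;
}

// In the update handler: the prepared UPDATE is only reached when the list is empty.
if (isset($_POST['sub'])) {
    $errors = validate_card($_POST);
    if ($errors !== []) {
        http_response_code(422);                  // input refused, nothing was written
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit();
    }
    // ... $mysqli->prepare('UPDATE cards SET ...') and execute() as in the question ...
}
```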

Update works on localhost but not when live [duplicate]

This question already has an answer here:
What to do with mysqli problems? Errors like mysqli_fetch_array(): Argument #1 must be of type mysqli_result and such
(1 answer)
Closed 2 years ago.
I've created an update page, where users can update their cards. It's working fine on localhost, but I just uploaded it to 000webhostapp and my database doesn't update. I don't get any errors, or anything, it just doesn't update. I'm using XAMPP for the localhost.
My update code:
<?php
session_start();
define('DB_SERVER', 'localhost');
define('DB_USERNAME', '1');
define('DB_PASSWORD', '2');
define('DB_NAME', '3');
if(!isset($_SESSION["loggedin"]) || $_SESSION["loggedin"] === false){
    header("Location: login.php");
} else {
    $mysqli = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
    // check the connection before using it
    if($mysqli === false){
        die("failed to connect. " . mysqli_connect_error());
    }
    mysqli_set_charset($mysqli, "utf8");
    $id = $_GET['id'];
    if (isset($_POST['sub'])) {
        $name = $_POST['name'];
        $phone = $_POST['phone'];
        $phone2 = $_POST['phone2'];
        $email = $_POST['email'];
        $zipcode = $_POST['zipcode'];
        $address = $_POST['address'];
        $company = $_POST['company'];
        $job = $_POST['job'];
        $description = $_POST['description'];
        $userid = $_SESSION['id'];
        if (
            strlen($name) < 31 &&
            strlen($job) < 51 &&
            strlen($zipcode) < 5 &&
            strlen($email) < 51 &&
            strlen($phone) < 21 &&
            strlen($phone2) < 21 &&
            strlen($address) < 51 &&
            strlen($company) < 51 &&
            strlen($description) < 501) {
            // $visibility and $confirmed are never assigned in this script
            $stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, company=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
            $stmt->bind_param('ssssissssiii', $name, $phone, $phone2, $email, $zipcode, $address, $company, $job, $description, $visibility, $confirmed, $id);
            $success = $stmt -> execute();
            if ($success) {
                echo "Sikeres módosítás!";
            }
        } else {
            // reached when a field is too long; no query has run, so $mysqli->error is empty here
            echo $mysqli -> error;
        }
    }
    $getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
    if ($getstmt and
        $getstmt->bind_param('i', $id) and
        $getstmt->execute() and
        $result = $getstmt->get_result() and
        $row = $result->fetch_assoc()
    ) {
        if($row['userid'] == $_SESSION['id']){
            $name = $row['name'];
            $phone = $row['phone'];
            $phone2 = $row['phone2'];
            $email = $row['email'];
            $zipcode = $row['zipcode'];
            $address = $row['address'];
            $company = $row['company'];
            $job = $row['job'];
            $description = $row['description'];
        }else{
            header("Location: index.php");
        }
    }
}
?>
It is so frustrating because I have absolutely no idea why it doesn't work there if it's working on localhost...
The problem was that in my mysqli->prepare I wanted to use the 'visibility' and 'confirmed' columns, but I don't change them here. Thanks @Dharman for helping me with exceptions. It helped a lot.

How to log specific user executed queries

I want to keep a table log history of executed MySQLi queries and log the specific user who executed a query and the date and time the query was executed, on any (all) of my PHP pages.
What is the best way and simplest way to achieve this?
PHP
<?php
session_start();
if(!isset($_SESSION["username"])){
    header("Location: login.php");
    exit();
}
$connection = mysqli_connect("****", "****", "****", "****");
if (!$connection) {
    die("Database connection failed: " . mysqli_connect_error());
}
if(isset($_POST['update'])) {
    $accountNo = $_GET['ID'];
    $firstname = $_POST['firstname'];
    $surname = $_POST['surname'];
    $dob = $_POST['dob'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $address = $_POST['address'];
    $town = $_POST['town'];
    $postcode = $_POST['postcode'];
Recommendation from a SO user:
However, there are errors with this suggestion... many.
    // the submitted values are concatenated straight into the SQL string
    $query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
    $log_action = mysqli_query($connection,$query);   // runs the UPDATE once ...
    $result = mysqli_query($connection,$query);       // ... and a second time
    if($result) {
        // a URL is not a writable path for file_put_contents
        define("LOG_FILE", "https://www.*******.com/logfile.txt");
        // defined here but never called
        function log_action($action, $data) {
            $time = date('Y-m-d h:i:s');
            $user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
            $message = "$time\tuser=$user\taction=$action\tdata=$data\n";
            file_put_contents(LOG_FILE, $message, FILE_APPEND);
        }
    }
}
Write a wrapper library that logs all the mysqli calls that you want to record, e.g.
function my_mysqli_query($link, $query, $resultmode = MYSQLI_STORE_RESULT) {
    log_action('mysqli_query', $query);
    return mysqli_query($link, $query, $resultmode);
}
function my_mysqli_prepare($link, $query) {
    log_action('mysqli_prepare', $query);
    return mysqli_prepare($link, $query);
}
...
define("LOG_FILE", "/path/to/logfile.txt");
function log_action($action, $data) {
    $time = date('Y-m-d h:i:s');
    $user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
    $message = "$time\tuser=$user\taction=$action\tdata=$data\n";
    file_put_contents(LOG_FILE, $message, FILE_APPEND);
}
I've written it to log to a file. You could log to a database table instead, it's just more code in log_action().
Then do a global replace in all your other scripts, replacing mysqli_query with my_mysqli_query, mysqli_prepare with my_mysqli_prepare, and so on. So your code would look like:
if(isset($_POST['update'])) {
    $accountNo = $_GET['ID'];
    $firstname = $_POST['firstname'];
    $surname = $_POST['surname'];
    $dob = $_POST['dob'];
    $email = $_POST['email'];
    $phone = $_POST['phone'];
    $address = $_POST['address'];
    $town = $_POST['town'];
    $postcode = $_POST['postcode'];
    $query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
    $result = my_mysqli_query($connection,$query);
    if ($result) {
        echo "Update successful";
    }
}
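As an added example (not code from the question or the answer), here is the answer's log_action() written to a database table instead of a file, together with a mysqli_prepare wrapper. It logs only the statement template with its ? placeholders, so the personal data bound into the query never lands in the log; the query_log table and its columns are an assumption, as is the $connection variable from the question.

```php
<?php
// Added example: log_action() writing to a table instead of a file, plus a
// mysqli_prepare wrapper. Only the statement template (with ? placeholders) is
// logged, so the personal data bound later never lands in the log.
// Assumed table, not from the page:
//   CREATE TABLE query_log (id INT AUTO_INCREMENT PRIMARY KEY, logged_at DATETIME,
//                           username VARCHAR(64), action VARCHAR(32), data TEXT);
function log_action(mysqli $link, string $action, string $data): void
{
    $user = $_SESSION['username'] ?? '';        // set at login, as in the question
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO query_log (logged_at, username, action, data) VALUES (NOW(), ?, ?, ?)'
    );
    if ($stmt === false) {
        error_log('query_log insert failed to prepare: ' . mysqli_error($link));
        return;                                  // logging must never break the page
    }
    mysqli_stmt_bind_param($stmt, 'sss', $user, $action, $data);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

function my_mysqli_prepare(mysqli $link, string $query)
{
    log_action($link, 'mysqli_prepare', $query); // template only, no bound values
    return mysqli_prepare($link, $query);
}

// The question's UPDATE, rewritten with placeholders and run through the wrapper.
if (isset($_POST['update'])) {
    $accountNo = $_GET['ID'] ?? '';
    $stmt = my_mysqli_prepare(
        $connection,
        'UPDATE usertable SET firstname=?, surname=?, dob=?, email=?, phone=?, '
        . 'address=?, town=?, postcode=? WHERE accountNo=?'
    );
    if ($stmt === false) {
        die('prepare failed: ' . mysqli_error($connection));
    }
    mysqli_stmt_bind_param(
        $stmt, 'sssssssss',
        $_POST['firstname'], $_POST['surname'], $_POST['dob'], $_POST['email'],
        $_POST['phone'], $_POST['address'], $_POST['town'], $_POST['postcode'], $accountNo
    );
    if (mysqli_stmt_execute($stmt)) {
        echo 'Update successful';
    }
}
```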

Update is not working for mysqli

I am trying to get information to update in my table. I have spent hours and keep going in circles. I think the problem is in my query section toward the end of the code. Any help would be appreciated. Thanks.
<?php require "connect.php"; ?>
<?php
session_start();
if(isset($_SESSION["ID"])){
}else{
    header('Location:login.php');
    exit();   // stop here, otherwise the queries below still run for a visitor who is not logged in
}
?>
<?php
$User = $_SESSION["ID"];
$result = $con->query("select * from BD where ID='$User'");
$row = $result->fetch_array(MYSQLI_BOTH);
$_SESSION["FirstName"] = $row['FirstName'];
$_SESSION["LastName"] = $row['LastName'];
$_SESSION["Email"] = $row['Email'];
$_SESSION["UserName"] = $row['UserName'];
$_SESSION["Password"] = $row['Password'];
?>
<?php
// $_Post is not $_POST: PHP superglobal names are case-sensitive
if(isset($_Post['Update'])){
    $UpdateFName = $_Post['FirstName'];
    $UpdateLName = $_Post['LastName'];
    $UpdateEmail = $_Post['Email'];
    $UpdateUName = $_Post['UserName'];
    $UpdatePassword = $_Post['Password'];
    $sql = $con->query("UPDATE BD SET FirstName = '{$UpdateFName}', LastName = '{$UpdateLName}', Email = '{$UpdateEmail}', UserName = '{$UpdateUName}', Password = '{$UpdatePassword}' where ID= $User");
    header('Location: update.php');
}
?>
You have used the POST superglobal wrongly. It should be written as $_POST[''], not $_Post[''].
if(isset($_POST['Update'])){
    $UpdateFName = $_POST['FirstName'];
    $UpdateLName = $_POST['LastName'];
    $UpdateEmail = $_POST['Email'];
    $UpdateUName = $_POST['UserName'];
    $UpdatePassword = $_POST['Password'];
    $sql = $con->query("
        UPDATE BD SET
            FirstName = '$UpdateFName',
            LastName = '$UpdateLName',
            Email = '$UpdateEmail',
            UserName = '$UpdateUName',
            Password = '$UpdatePassword'
        WHERE
            ID= '$User'"
    );
    header('Location: update.php');
}
<?php
if (isset($_POST['Update'])) {
    $UpdateFName = isset($_POST['FirstName']) ? $_POST['FirstName'] : '';
    $UpdateLName = isset($_POST['LastName']) ? $_POST['LastName'] : '';
    $UpdateEmail = isset($_POST['Email']) ? $_POST['Email'] : '';
    $UpdateUName = isset($_POST['UserName']) ? $_POST['UserName'] : '';
    $UpdatePassword = isset($_POST['Password']) ? $_POST['Password'] : '';
    $sql = $con->query("UPDATE BD SET
            `FirstName` = '$UpdateFName',
            `LastName` = '$UpdateLName',
            `Email` = '$UpdateEmail',
            `UserName` = '$UpdateUName',
            `Password` = '$UpdatePassword'
        WHERE
            `ID` = $User"
    );
    header('Location: update.php');
}
First of all, you should include your error, and second, you don't have to use curly braces in the query; try it without them.
