Updating user details from form input - php

Trying to update the logged-in user's details using a form. The details are already in the form when the page loads, so if the user wants to change their mobile number, for example, they delete the current number, insert the new number and click update.
I get this message when I click update: "Unknown column 'Adrian93' in 'where clause'". Adrian93 is the username.
<?php
require('dbConnection.php');
require('checklogin.php');
if(isset($_POST['update']))
{
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$DOB = $_POST['dob'];
$natInsNo = $_POST['natInsNo'];
$address = $_POST['address'];
$email = $_POST['email'];
$mobile = $_POST['mobile'];
$password = $_POST['password'];
$query = "UPDATE users SET firstName='$firstName', lastName='$lastName', DOB='$DOB', natInsNo='$natInsNo', address='$address', email='$email', mobile='$mobile', password='$password' WHERE username = {$_SESSION['username']}";
$results = mysqli_query($conn, $query) or die (mysqli_error($conn));
}
?>

Ralph's comment "Probably has to do with your squirly brackets. I'd set $username = $_SESSION['username'] before your query then just do WHERE username='$username'. Also be careful for SQL injections, I'd use prepared statements in your case as you're taking form inputs and directly placing them in your query" solved the query. Runs now without any errors.
<?php
require('checklogin.php');
if(isset($_POST['update']))
{
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$DOB = $_POST['dob'];
$natInsNo = $_POST['natInsNo'];
$address = $_POST['address'];
$email = $_POST['email'];
$mobile = $_POST['mobile'];
$password = $_POST['password'];
$username = $_SESSION['username'];
$query = "UPDATE users SET firstName='$firstName', lastName='$lastName', DOB='$DOB', natInsNo='$natInsNo', address='$address', email='$email', mobile='$mobile', password='$password' WHERE username = '$username'";
$results = mysqli_query($conn, $query) or die (mysqli_error($conn));
}
?>
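The prepared-statement form that Ralph's comment recommends for this update, as an added example that is not the poster's code. It assumes `$conn` is the open mysqli connection from dbConnection.php and that checklogin.php has started the session; `update_user_details()` is a hypothetical helper, and hashing the password goes beyond what the post does.

```php
<?php
// Added example, not the poster's code. Assumes $conn is an open mysqli
// connection and that checklogin.php has set $_SESSION['username'].
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Hypothetical helper: returns the number of rows the UPDATE changed.
function update_user_details(mysqli $conn, string $username, array $form): int
{
    $values = [];
    foreach (['firstName', 'lastName', 'dob', 'natInsNo', 'address', 'email', 'mobile'] as $field) {
        $values[] = trim((string)($form[$field] ?? ''));
    }
    if (filter_var($values[5], FILTER_VALIDATE_EMAIL) === false) { // index 5 = email
        throw new InvalidArgumentException('Invalid email address');
    }
    // A blank password field keeps the stored hash (NULL -> COALESCE below);
    // a new password is stored as a hash, never as submitted.
    $password = (string)($form['password'] ?? '');
    $values[] = $password === '' ? null : password_hash($password, PASSWORD_DEFAULT);
    // The WHERE value comes from the session, not from the form.
    $values[] = $username;

    // Placeholders keep every value out of the SQL text, so a quote in a
    // name or address cannot change the statement.
    $stmt = $conn->prepare(
        'UPDATE users
            SET firstName = ?, lastName = ?, DOB = ?, natInsNo = ?, address = ?,
                email = ?, mobile = ?, password = COALESCE(?, password)
          WHERE username = ?'
    );
    $stmt->bind_param('sssssssss', ...$values);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

if (isset($_POST['update'], $_SESSION['username'])) {
    $changed = update_user_details($conn, $_SESSION['username'], $_POST);
    echo $changed === 1 ? 'Details updated.' : 'Nothing changed.';
}
```

MySQL reports zero affected rows when the submitted values match what is already stored, so "Nothing changed." is not an error.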

Related

How to log specific user executed queries

I am wanting to keep a table log history of executed MySQLI queries and log the specific user who executed a query and date & time the query was executed - on any (all) of my PHP pages.
What is the best way and simplest way to achieve this?
PHP
session_start();
if(!isset($_SESSION["username"])){
header("Location: login.php");
exit(); }
$connection = mysqli_connect("****", "****", "****", "****");
if (!$connection) {
die("Database connection failed: " . mysqli_connect_error());
}
if(isset($_POST['update'])) {
$accountNo = $_GET['ID'];
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$town = $_POST['town'];
$postcode = $_POST['postcode'];
Recommendation from a SO user:
However, there are errors with this suggestion ...many.
$query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
$log_action = mysqli_query($connection,$query);
$result = mysqli_query($connection,$query);
if($result) {
define("LOG_FILE", "https://www.*******.com/logfile.txt");
function log_action($action, $data) {
$time = date('Y-m-d h:i:s');
$user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$message = "$time\tuser=$user\taction=$action\tdata=$data\n";
file_put_contents(LOG_FILE, $message, FILE_APPEND);
}
Write a wrapper library that logs all the mysqli calls that you want to record, e.g.
function my_mysqli_query($link, $query, $resultmode = MYSQLI_STORE_RESULT) {
log_action('mysqli_query', $query);
return mysqli_query($link, $query, $resultmode);
}
function my_mysqli_prepare($link, $query) {
log_action('mysqli_prepare', $query);
return mysqli_prepare($link, $query);
}
...
define("LOG_FILE", "/path/to/logfile.txt");
function log_action($action, $data) {
$time = date('Y-m-d H:i:s'); // 24-hour clock so log times are unambiguous
$user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$message = "$time\tuser=$user\taction=$action\tdata=$data\n";
file_put_contents(LOG_FILE, $message, FILE_APPEND);
}
I've written it to log to a file. You could log to a database table instead, it's just more code in log_action().
Then do a global replace in all your other scripts, replacing mysqli_query with my_mysqli_query, mysqli_prepare with my_mysqli_prepare, and so on. So your code would look like:
if(isset($_POST['update'])) {
$accountNo = $_GET['ID'];
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$town = $_POST['town'];
$postcode = $_POST['postcode'];
$query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
$result = my_mysqli_query($connection,$query);
if ($result) {
echo "Update successful";
}
}
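The answer notes that `log_action()` could write to a database table instead of a file; one way to do that, as an added example that is not the answer's own code. The `query_log` table and its columns are assumptions, and `log_action()` takes the connection as an extra first argument here.

```php
<?php
// Added example, not the answer's code. Assumed table (hypothetical names):
//   CREATE TABLE query_log (
//     id         INT AUTO_INCREMENT PRIMARY KEY,
//     logged_at  DATETIME    NOT NULL,
//     username   VARCHAR(64) NOT NULL,
//     action     VARCHAR(32) NOT NULL,
//     query_text MEDIUMTEXT  NOT NULL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

function log_action(mysqli $link, string $action, string $data): void
{
    $time = date('Y-m-d H:i:s');
    $user = $_SESSION['username'] ?? '';
    // The log insert is itself parameterized: the logged query text is data
    // here and must not be able to alter the INSERT.
    $stmt = mysqli_prepare(
        $link,
        'INSERT INTO query_log (logged_at, username, action, query_text)
         VALUES (?, ?, ?, ?)'
    );
    mysqli_stmt_bind_param($stmt, 'ssss', $time, $user, $action, $data);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
}

// Records the full SQL string, including any form values built into it.
function my_mysqli_query(mysqli $link, string $query, int $resultmode = MYSQLI_STORE_RESULT)
{
    log_action($link, 'mysqli_query', $query);
    return mysqli_query($link, $query, $resultmode);
}

// Records only the statement template; bound values never reach the log.
function my_mysqli_prepare(mysqli $link, string $query)
{
    log_action($link, 'mysqli_prepare', $query);
    return mysqli_prepare($link, $query);
}
```

Because `my_mysqli_query()` stores whole query strings, the log table ends up holding the same personal data as the tables it audits and needs the same access restrictions.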

Login issue using password hash and password verify in php

Signup code:
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];
$password = $_POST['password'];
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$contact = $_POST['contact'];
$address = $_POST['address'];
$query = "INSERT INTO `tbl_user`(`first_name`, `last_name` , `email` , `password`,`contact`, `address`) VALUES
('$first_name','$last_name','$email','$hashed_password','$contact','$address')";
$sql = mysqli_query($con,$query);
Login code:
$email = $_POST['email'];
$password = $_POST['password'];
$query = "SELECT * FROM `tbl_user` WHERE `email` = '$email'";
$sql = mysqli_query($con,$query);
$row = mysqli_fetch_array($sql);
if (password_verify('$password', $row['hashed_password'])) {
echo 'Password is valid!';
} else {
echo 'Invalid password.';
}
But every time it shows Invalid Password, even if I enter the correct credentials.
Error: '$password'; instead use it as just $password.
Change this:
if (password_verify('$password', $row['hashed_password'])) {
To this:
if (password_verify($password, $row['hashed_password'])) {
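A login check built around that corrected `password_verify()` call, as an added example that is not code from the question or the answer. It assumes `$con` is an open mysqli connection (with the mysqlnd driver, for `get_result()`) and reads the hash from the `password` column, which is where the signup INSERT above stores it; `check_login()` is a hypothetical helper.

```php
<?php
// Added example. Assumes $con is an open mysqli connection and that the hash
// lives in the `password` column, where the signup INSERT writes it.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Hypothetical helper: returns the user row (without the hash) or null.
function check_login(mysqli $con, string $email, string $password): ?array
{
    $stmt = $con->prepare('SELECT * FROM `tbl_user` WHERE `email` = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such email
    $stmt->close();

    // Unknown email: verify against a throwaway hash so both paths do
    // comparable work and return the same answer.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $hash = $row['password'] ?? $dummy;

    // $password is the variable; '$password' in single quotes would be the
    // literal nine-character string and never match.
    if (!password_verify($password, $hash) || $row === null) {
        return null;
    }

    // Upgrade the stored hash when PASSWORD_DEFAULT or its cost has changed.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $new = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE `tbl_user` SET `password` = ? WHERE `email` = ?');
        $upd->bind_param('ss', $new, $email);
        $upd->execute();
        $upd->close();
    }

    unset($row['password']);   // callers never need the hash
    return $row;
}
```

The column holding the hash should be wide enough for future algorithms (the PHP manual suggests 255 characters); a truncated hash also fails `password_verify()` every time.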

Updating User Information using SQL query

Updated code: after the information is typed in and the submit button is clicked to run this code, it goes back to the account page but doesn't update the database:
<font face="ClearSans-Thin">
<font color="lightgray">
<?php
include 'editaccount.php';
include 'connection.php';
?>
<center>
<?php
if (isset($_POST['uregsubmit'])) {
$firstname = $_POST['ufirstname'];
$lastname = $_POST['ulastname'];
$email = $_POST['uemail'];
$dob = $_POST['udob'];
$user = $_POST['uregisterusername'];
$pass = $_POST['uregisterpassword'];
}
//the query
$query = "UPDATE Users SET FirstName='$firstname', LastName='$lastname' WHERE Username='$user'";
//execute the query
$result = mysqli_query($connection, $query)
or die("Error: ".mysqli_error($connection));
//check and see if any data returned
?>
</center>
Write the SQL query inside the if statement:
<?php
if (isset($_POST['uregsubmit'])) {
$firstname = $_POST['ufirstname'];
$lastname = $_POST['ulastname'];
$email = $_POST['uemail'];
$dob = $_POST['udob'];
$user = $_POST['uregisterusername'];
$pass = $_POST['uregisterpassword'];
//the query
$query = "UPDATE Users SET FirstName='$firstname', LastName='$lastname' WHERE Username='$user'";
//execute the query
$result = mysqli_query($connection, $query)
or die("Error: ".mysqli_error($connection));
//check and see if any data returned
}
?>
You have an extra comma before WHERE.

Problems with signup process

I am trying to sign up a new user to my website, but I am having trouble with the actual signup_process.php page. I currently have the sign-up form within signup.php and the form action within signup_process.php. My signup page lists the sports as follows:
<label for="Archery"> Archery</label> <input type="checkbox" id="Archery" name="sport[]" value="1">
My database shows the following:
User table:
user_id
user_email
user_username
user_password
user_firstname
user_surname
user_dob
user_gender
user_city
user_active
User sport table
usersport_id
usersport_user_id
usersport_sport_id
Here is the code on my signup_process.php
<?php
session_start();
$_SESSION['loggedin'];
$_SESSION['id'];
include "includes/connect.php";
include "includes/lists.php";
include "includes/functions.php";
?>
<?php
$_SESSION['username'] = $_POST['username'];
$_SESSION['fname'] = $_POST['fname'];
$_SESSION['surname'] = $_POST['surname'];
$_SESSION['dob'] = $_POST['dob'];
$_SESSION['emailaddress'] = $_POST['emailaddress'];
$_SESSION['password'] = $_POST['password'];
$_SESSION['gender'] = $_POST['gender'];
$_SESSION['city'] = $_POST['city'];
$_SESSION['sports'] = $_POST['sports'];
$username = $_POST['username'];
$fname = $_POST['fname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$emailaddress = $_POST['emailaddress'];
$password = $_POST['password'];
$gender = $_POST['gender'];
$city = $_POST['city'];
$query = "INSERT INTO user (
user_username,
user_firstname,
user_surname,
user_dob,
user_email,
user_password,
user_gender,
user_city,
user_active
)
VALUES(
'".$_POST['username']."',
'".$_POST['firstname']."',
'".$_POST['surname']."',
'".$_POST['dob']."',
'".$_POST['email']."',
'".$_POST['password']."',
'".$_POST['gender']."',
'".$_POST['city']."',
'1' ) ";
mysql_query($query) or die (mysql_error());
$lastid = mysql_insert_id();
$sports = $_POST['sports'];
foreach ($sports as $key => $value){
$query2 = " INSERT INTO usersport
(
usersport_user_id, usersport_sport_id
)
VALUES(
'".$lastid."',
'".$value."'
) ";
mysql_query($query2) or die (mysql_error());
}
My signup process seemed to work before I added this which is for the allocation of sports to the new user;
$lastid = mysql_insert_id();
$sports = $_POST['sports'];
foreach ($sports as $key => $value){
$query2 = " INSERT INTO usersport
(
usersport_user_id, usersport_sport_id
)
VALUES(
'".$lastid."',
'".$value."'
) ";
mysql_query($query2) or die (mysql_error());
}
?>
Could anyone please tell me where I've gone wrong?

Can only create a new user when a current user is signed in

So I am creating a forum and currently working on the sign up script. I have the sign up form in the signup.php page and the processing part in the signup_process.php
I have an issue where only a current user is able to sign up a new user when they are signed in. Any suggestions on how to fix this? I am not able to sign up a new user when I am not logged in as a current one.
Below is my signup_process.php page:
<?php
include "includes/pagetop.php";
include "includes/header.php";
include "includes/nav.php";
?>
<?php
$_SESSION['username'] = $_POST['username'];
$_SESSION['fname'] = $_POST['fname'];
$_SESSION['surname'] = $_POST['surname'];
$_SESSION['dob'] = $_POST['dob'];
$_SESSION['emailaddress'] = $_POST['emailaddress'];
$_SESSION['password'] = $_POST['password'];
$_SESSION['gender'] = $_POST['gender'];
$_SESSION['city'] = $_POST['city'];
$_SESSION['sports'] = $_POST['sports'];
$username = $_POST['username'];
$fname = $_POST['fname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$emailaddress = $_POST['emailaddress'];
$password = $_POST['password'];
$gender = $_POST['gender'];
$city = $_POST['city'];
$query = "INSERT INTO user
(
user_username,
user_firstname,
user_surname,
user_dob,
user_email,
user_password,
user_gender,
user_city,
user_active
)
VALUES(
'".$_POST['username']."',
'".$_POST['firstname']."',
'".$_POST['surname']."',
'".$_POST['dob']."',
'".$_POST['email']."',
'".$_POST['password']."',
'".$_POST['gender']."',
'".$_POST['city']."',
'1'
) ";
mysql_query($query) or die (mysql_error());
$lastid = mysql_insert_id();
$sports = $_POST['sports'];
foreach ($sports as $key => $value){
$query2 = " INSERT INTO usersport
(
usersport_user_id,
usersport_sport_id
)
VALUES(
'".$lastid."',
'".$value."'
)";
mysql_query($query2) or die (mysql_error());
}
?>
If you are talking about inserting duplicate users, you could solve this by making a primary key on username and a unique index on emailaddress in the database.
If you are talking about the sign-up page being served while a user is currently authenticated, you could create a session variable that is set to true when the current user authenticates into the system. Then you could check if this variable is false to serve the sign-up page, or give an error otherwise.
And you have an SQL injection vulnerability in your code; you should consider using prepared statements instead of plain text.
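The answer's first and last points combined in one signup routine, as an added example that is not the poster's or the answerer's code: prepared statements for both inserts, one transaction around them, and the database's uniqueness constraint used to reject duplicates. It assumes `$db` is an open mysqli connection, a primary key or unique index on `user_username` and a unique index on `user_email`, and form fields named as in the `$_POST` reads at the top of the script; `sign_up()` is a hypothetical helper, and hashing the password goes beyond what the post does.

```php
<?php
// Added example, not the poster's code. Assumes $db is an open mysqli
// connection, uniqueness constraints on user_username and user_email, and
// the sports checkboxes submitted as sports[] with sport ids as values.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw

// Hypothetical helper: returns the new user_id.
function sign_up(mysqli $db, array $form): int
{
    $values = [];
    foreach (['username', 'fname', 'surname', 'dob', 'emailaddress'] as $field) {
        $values[] = trim((string)($form[$field] ?? ''));
    }
    $values[] = password_hash((string)($form['password'] ?? ''), PASSWORD_DEFAULT);
    $values[] = (string)($form['gender'] ?? '');
    $values[] = (string)($form['city'] ?? '');
    // Force the ids to integers, drop zeros (non-numeric input) and repeats.
    $sportIds = array_unique(array_filter(array_map('intval', (array)($form['sports'] ?? []))));

    $db->begin_transaction();
    try {
        $user = $db->prepare(
            'INSERT INTO `user` (user_username, user_firstname, user_surname, user_dob,
                                 user_email, user_password, user_gender, user_city, user_active)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?, 1)'
        );
        $user->bind_param('ssssssss', ...$values);
        $user->execute();
        $userId = $db->insert_id;

        $sport = $db->prepare(
            'INSERT INTO usersport (usersport_user_id, usersport_sport_id) VALUES (?, ?)'
        );
        $sportId = 0;
        $sport->bind_param('ii', $userId, $sportId); // bound by reference
        foreach ($sportIds as $sportId) {
            $sport->execute();                       // sends the current $sportId
        }
        $db->commit();
        return $userId;
    } catch (mysqli_sql_exception $e) {
        $db->rollback();              // never leave a user row with half its sports
        if ($e->getCode() === 1062) { // MySQL error 1062: duplicate key
            throw new DomainException('Username or email already registered.');
        }
        throw $e;
    }
}
```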
