I am wanting to keep a table log history of executed MySQLI queries and log the specific user who executed a query and date & time the query was executed - on any (all) of my PHP pages.
What is the best way and simplest way to achieve this?
PHP
session_start();
if(!isset($_SESSION["username"])){
header("Location: login.php");
exit(); }
$connection = mysqli_connect("****", "****", "****", "****");
if (!$connection) {
die("Database connection failed: " . mysqli_connect_error());
}
if(isset($_POST['update'])) {
$accountNo = $_GET['ID'];
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$town = $_POST['town'];
$postcode = $_POST['postcode'];
Recommendation from a SO user:
However, there are errors with this suggestion ...many.
$query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
$log_action = mysqli_query($connection,$query);
$result = mysqli_query($connection,$query);
if($result) {
define("LOG_FILE", "https://www.*******.com/logfile.txt");
function log_action($action, $data) {
$time = date('Y-m-d h:i:s');
$user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$message = "$time\tuser=$user\taction=$action\tdata=$data\n";
file_put_contents(LOG_FILE, $message, FILE_APPEND);
}
Write a wrapper library that logs all the mysqli calls that you want to record, e.g.
function my_mysqli_query($link, $query, $resultmode = MYSQLI_STORE_RESULT) {
log_action('mysqli_query', $query);
return mysqli_query($link, $query, $resultmode);
}
function my_mysqli_prepare($link, $query) {
log_action('mysqli_prepare', $query);
return mysqli_prepare($link, $query);
}
...
define("LOG_FILE", "/path/to/logfile.txt");
function log_action($action, $data) {
$time = date('Y-m-d h:i:s');
$user = isset($_SESSION['username']) ? $_SESSION['username'] : '';
message = "$time\tuser=$user\taction=$action\tdata=$data\n";
file_put_contents(LOG_FILE, $message, FILE_APPEND);
}
I've written it to log to a file. You could log to a database table instead, it's just more code in log_action().
Then do a global replace in all your other scripts, replacing mysqli_query with my_mysqli_query, mysqli_prepare with my_mysqli_prepare, and so on. So your code would look like:
if(isset($_POST['update'])) {
$accountNo = $_GET['ID'];
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$dob = $_POST['dob'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$address = $_POST['address'];
$town = $_POST['town'];
$postcode = $_POST['postcode'];
$query = "UPDATE usertable set firstname = '".$firstname."', surname='".$surname."', dob='".$dob."', email='".$email."', phone='".$phone."', address='".$address."', town='".$town."', postcode='".$postcode."' where accountNo='".$accountNo."'";
$result = my_mysqli_query($connection,$query);
if ($result) {
echo "Update successful";
}
}
Related
I'm using strlen to check my inputs values. I want to forbid to the users to send data to my database if the strlen is too long. I didn't find any way to forbid it, so anyone can send as long values as he wants right now. Here's my code:
if (isset($_POST['sub'])) {
$name = $_POST['name'];
$phone = $_POST['phone'];
$phone2 = $_POST['phone2'];
$email = $_POST['email'];
$zipcode = $_POST['zipcode'];
$address = $_POST['address'];
$job = $_POST['job'];
$description = $_POST['description'];
$userid = $_SESSION['id'];
$stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
if (
$stmt &&
$stmt->bind_param('ssssisssiii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed, $id) &&
$stmt -> execute()
) {
echo "Sikeres módosítás!";
} else {
echo $mysqli -> error;
}
}
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
$getstmt->bind_param('i', $id) and
$getstmt->execute() and
$result = $getstmt->get_result() and
$row = $result->fetch_assoc()
) {
if($row['userid'] == $_SESSION['id']){
$name = $row['name'];
$phone = $row['phone'];
$phone2 = $row['phone2'];
$email = $row['email'];
$zipcode = $row['zipcode'];
$address = $row['address'];
$job = $row['job'];
$description = $row['description'];
}else{
header("Location: index.php");
}
I check the length of inputs here:
if(strlen($name) > 30)
{
echo "test";
exit();
}
if(strlen($job) > 50)
{
echo "test";
exit();
}
if(strlen($email) > 50)
{
echo "test";
exit();
}
//more of these strlen checks
//and html code under that
How can I modify the echo parts to forbid to send the datas?
Well, if you really have to do it your way, you can throw an exception.
However, more common way is to bind your data to model, validate the model checking any business constraints (using the validator) and then acting accordingly. There is plenty of web frameworks providing such an abstraction in any programming language, for PHP see Laravel for inspiration.
I'm making an update page where users can edit their business cards' informations, like phone, address..
The problem is, I'm getting their cards id in this way:
Edit
so they can see their card id in the search bar and if they just simply change the id, they can edit anyone's card informations. I wanted to check if the user's id equals to his card userid - (this is a foreign key in the database) and if not, redirect him to the index page. The problem is, I'm still allowed to edit anyone's card because the userid doesn't change.
my update code:
session_start();
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', '');
define('DB_NAME', 'reg');
/* Attempt to connect to MySQL database */
$mysqli = mysqli_connect(DB_SERVER, DB_USERNAME, DB_PASSWORD, DB_NAME);
// Check connection
if($mysqli === false){
die("HIBA: Nem sikerült csatlakozni. " . mysqli_connect_error());
}
$id = $_GET['id'];
var_dump($_SESSION);
if (isset($_POST['submit'])) {
$name = $_POST['name'];
$phone = $_POST['phone'];
$phone2 = $_POST['phone2'];
$email = $_POST['email'];
$zipcode = $_POST['zipcode'];
$address = $_POST['address'];
$job = $_POST['job'];
$description = $_POST['description'];
$userid = $_SESSION['id'];
if( $_SESSION['id'] != $userid){
header("Location: index.php");
}
$stmt = $mysqli -> prepare('UPDATE cards SET name=?, phone=?, phone2=?, email=?, zipcode=?, address=?, job=?, description=?, visibility=?, confirmed=? WHERE id = ?');
if (
$stmt &&
$stmt->bind_param('ssssisssii', $name, $phone, $phone2, $email, $zipcode, $address, $job, $description, $visibility, $confirmed) &&
$stmt -> execute()
) {
echo 'Updated';
} else {
echo $mysqli -> error;
}
}
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
$getstmt->bind_param('i', $id) and
$getstmt->execute() and
$result = $getstmt->get_result() and
$row = $result->fetch_assoc()
) {
$name = $row['name'];
$phone = $row['phone'];
$phone2 = $row['phone2'];
$email = $row['email'];
$zipcode = $row['zipcode'];
$address = $row['address'];
$job = $row['job'];
$description = $row['description'];
my database: (users)
id- username- password- created- admin-
----------------------------------------------
1 John 112 2020-12-23 2435
cards:
id- name- phone- phone2- email- zipcode- address- job- description- visibility- userid-
-----------------------------------------------------------------------------------------------------
1 John 112 233 a#a.com 2435 dfdf 34. test uzlh 0 1
Something Like that
$getstmt = $mysqli->prepare("SELECT * FROM cards WHERE id= ?");
if ($getstmt and
$getstmt->bind_param('i', $id) and
$getstmt->execute() and
$result = $getstmt->get_result() and
$row = $result->fetch_assoc()
) {
if($row['userid'] == $_SESSION['id']){
$name = $row['name'];
$phone = $row['phone'];
$phone2 = $row['phone2'];
$email = $row['email'];
$zipcode = $row['zipcode'];
$address = $row['address'];
$job = $row['job'];
$description = $row['description'];
}else{
header("Location: index.php");
}
}
you are trying to match $userid with $_SESSION['id'] both of these variable pointing to same value use $_GET['id'] instead of $userid
if( $_SESSION['id'] != $_GET['id']){
header("Location: index.php");
exit();
}
I have the error mentioned in the title. It occurs when I click the submit button on the form. Here is my form handle file (I don't think that its necessary to copy the form codes):
<?php
$servername = "localhost";
$username = "sabashel_sabaadm";
$password = "saba1365%karaj#*";
$dbname = "sabashel_saba";
// Create connection
$conn = new mysqli($servername, $username, $password, $dbname);
// Check connection
if ($conn->connect_error) {
die("Connection failed: " . $conn->connect_error);
}
$fname = $lname = $gender = $birthdate = $organization = $degree = $field = $address = $post_code = $mobile = $email = $check_1 = $check_2 = $check_3 = $check_4 = $check_5 = $check_6 = $check_7 = $check_8 "";
$check_9 = $check_10 = $check_11 = $check_12 = $check_13 = $description = $person_image = "";
if(isset($_POST['fname']) && isset($_POST['lname']) && isset($_POST['gender']) && isset($_POST['birthdate']) && isset($_POST['degree']) && isset($_POST['filed-of-study']) && isset($_POST['address']) && isset($_POST['post-code']) && isset($_POST['mobile']) && isset($_POST['email']) && isset($_POST['check-1']) && isset($_POST['check-2']) && isset($_POST['check-3']) && isset($_POST['check-4']) && isset($_POST['check-5']) && isset($_POST['check-6']) && isset($_POST['check-7']) && isset($_POST['check-8']) && isset($_POST['check-9']) && isset($_POST['check-10']) && isset($_POST['check-11']) && isset($_POST['check-12']) && isset($_POST['check-13']) && isset($_POST['description']) && isset($_POST['person-iamge'])){
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$gender = $_POST['gender'];
$birthdate = $_POST['birdthdate'];
$organization = $_POST['organization'];
$degree = $_POST['degree'];
$field = $_POST['field-of-study'];
$address = $_POST['address'];
$post_code = $_POST['post-code'];
$mobile = $_POST['mobile'];
$email = $_POST['email'];
$check_1 = $_POST['check-1'];
$check_2 = $_POST['check-2'];
$check_3 = $_POST['check-3'];
$check_4 = $_POST['check-4'];
$check_5 = $_POST['check-5'];
$check_6 = $_POST['check-6'];
$check_7 = $_POST['check-7'];
$check_8 = $_POST['check-8'];
$check_9 = $_POST['check-9'];
$check_10 = $_POST['check-10'];
$check_11 = $_POST['check-11'];
$check_12 = $_POST['check-12'];
$check_13 = $_POST['check-13'];
$description = $_POST['description'];
$person_image = $_POST['person-image'];
$iftest = true;
}
if ($iftest == true) {
$query = "INSERT INTO volunteer (fname, lname, gender, organization, degree, field, address, post_code, mobile, email, check_1, check_2, check_3, check_4, check_5, check_6, check_7, check_8, check_9, check_10, check_11, check_12, check_13, description, person_image, birthdate) VALUES ('$fname', '$lname', '$gender', '$organization', '$degree', '$field', '$address', '$post_code', '$mobile', '$email', '$check_1', '$check_2', '$check_3', '$check_4', '$check_5', '$check_6', '$check_7', '$check_8', '$check_9', '$check_10', '$check_11', '$check_12', '$check_13', '$description', '$person_image', '$birthdate')";
}
$result = mysqli_query($conn, $query);
if ($result) {
header('Location: http://sabashelter.com/success');
}
else {
header('Location: http://sabashelter.com/fail');
}
}
$conn->close();
?>
And to mention: I have the same exact problem with another page which does the same thing and tries to add a lot of values into the database using the same code. I'm wondering if the problem in this page solves, the same method can be done to the other page as well.
As #CBroe rightly says, check your log files first. It would appear that you are missing an = on line 14.
$fname = $lname = $gender = $birthdate = $organization = $degree = $field = $address = $post_code = $mobile = $email = $check_1 = $check_2 = $check_3 = $check_4 = $check_5 = $check_6 = $check_7 = $check_8 = "";
Furthermore, you have a stray } on line 60.
Your error log file will help you resolve these issues.
I am trying to get information to update in my table. I have spent hours and keep going in circles. I think the problem is in my query section toward the end of the code. Any help would be appreciated. Thanks.
<?php require "connect.php"; ?>
<?php
session_start();
if(isset($_SESSION["ID"])){
}else{
header('Location:login.php');
}
?>
<?php
$User = $_SESSION["ID"];
$result = $con->query("select * from BD where ID='$User'");
$row = $result->fetch_array(MYSQLI_BOTH);
$_SESSION["FirstName"] = $row['FirstName'];
$_SESSION["LastName"] = $row['LastName'];
$_SESSION["Email"] = $row['Email'];
$_SESSION["UserName"] = $row['UserName'];
$_SESSION["Password"] = $row['Password'];
?>
<?php
if(isset($_Post['Update'])){
$UpdateFName = $_Post['FirstName'];
$UpdateLName = $_Post['LastName'];
$UpdateEmail = $_Post['Email'];
$UpdateUName = $_Post['UserName'];
$UpdatePassword = $_Post['Password'];
$sql = $con->query("UPDATE BD SET FirstName = '{$UpdateFName}', LastName = '{$UpdateLName}', Email = '{$UpdateEmail}', UserName = '{$UpdateUName}', Password = '{$UpdatePassword}' where ID= $User");
header('Location: update.php');
}
?>
You have used the post method wrongly. You should use post method like $_POST[''] not $_Post[''].
if(isset($_POST['Update'])){
$UpdateFName = $_POST['FirstName'];
$UpdateLName = $_POST['LastName'];
$UpdateEmail = $_POST['Email'];
$UpdateUName = $_POST['UserName'];
$UpdatePassword = $_POST['Password'];
$sql = $con->query("
UPDATE BD SET
FirstName = '$UpdateFName',
LastName = '$UpdateLName',
Email = '$UpdateEmail',
UserName = '$UpdateUName',
Password = '$UpdatePassword'
WHERE
ID= '$User'"
);
header('Location: update.php');
}
<?php
if (isset($_POST['Update'])) {
$UpdateFName = isset($_POST['FirstName']) ? $_POST['FirstName'] : '';
$UpdateLName = isset($_POST['LastName']) ? $_POST['LastName'] : '';
$UpdateEmail = isset($_POST['Email']) ? $_POST['Email'] : '';
$UpdateUName = isset($_POST['UserName']) ? $_POST['UserName'] : '';
$UpdatePassword = isset($_POST['Password']) ? $_POST['Password'] : '';
$sql = $con->query("UPDATE BD SET
`FirstName` = '$UpdateFName',
`LastName` = '$UpdateLName',
`Email` = '$UpdateEmail',
`UserName` = '$UpdateUName',
`Password` = '$UpdatePassword'
WHERE
`ID` = $User"
);
header('Location: update.php');
}
First of all you should include your error, and second, you don't have to use curly braces for the query try it without them.
Here is the code
<?php
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$phone = $_POST['phone'];
$referral = $_POST['refer'];
$referred = false;
mysql_connect("localhost","username","password") or die (mysql_error());
mysql_select_db("database") or die ("Cannot connect to database");
$query = mysql_query("Select * from member");
while($row = mysql_fetch_array($query))
{
$table_users = $row['username'];
$table_email = $row['email'];
$table_phone = $row['phone'];
if($referral == $table_users)
{
$referred = true;
}
if($username == $table_users || $email == $table_email || $phone == $table_phone)
{
$bool = false;
}
}
if(($bool))
{
$username = mysql_real_escape_string($username);
mysql_query("INSERT INTO member (username, password, email, phone, refer) VALUES ('$username', '$password', '$email', '$phone', '$referral')");
if($referred)
{
$from="Sent from test";
$subject="New user referred.";
$message="A new user " . $username . " has been referred by " . $referral . "Please stay updated. ";
mail("mymail", $subject, $message, $from);
}
$_SESSION['login'] = true;
echo "Thank you for registering with us.You can login now to start earning.";
}
If the referral code field is left empty or it does not match any value in database it still sends
the mail. So, what is going on here? I have added some more code. I left a part of it earlier.
This statement if($referral == $table_users) doesn't look right. You have not set the $referral variable anywhere in your code.