This code should check if the row col intersection of LikedOne and the row where username is jim equals text "empty".
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->store_result();
$res = $stmt1->fetch();
if ( $res == "empty"){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
}
The first time it does change it to test but then it still prints debug 3 meaning it it still registering the $res as "empty" even though it should be "test".
Edit that is not working!
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->bind_result($res);
$found_row = $stmt1->store_result();
if ( $found_row && $res == "empty"){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
}
$stmt1->fetch() doesn't return the contents of the likedOne column. It returns TRUE if a row was returned, NULL if there are no more rows in the result set, or FALSE if an error occurred.
To retrieve the data returned by a prepared statement, you need to use $stmt1->bind_result().
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt1->execute();
$stmt1->bind_result($res);
$found_row = $stmt1->store_result();
if ($found_row && $res == "empty") {
...
}
I'm not sure why your code that does this isn't working, but it's not necessary to do two queries, you can do it in one.
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=? AND likedOne = 'empty'");
$sql->bind_param('ss',$TUsername,$Username);
//$TUsername = $_POST["TUsername"];
//$Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
$sql->execute();
Related
Im trying to add data to diferent tables in MySQL, but at the moment of run my code, it shows me a error is it "Fatal error: Uncaught Error: Call to a member function query()", is the firs time that y use the query function so I don't know whats going wrong.
<?php
session_start();
$_SESSION['ID_user'];
$id = $_SESSION['ID_user'];
$name = $_POST['name'];
$company = $_POST['company'];
$password = $_POST['password'];
$password = password_hash($password, PASSWORD_DEFAULT);
if($name == "" && $password == "" && $company == "" ){
return false;
}
else {
require './conectar.php';
$resultset = $conn->prepare("SELECT * FROM user WHERE ID_user = '$id' LIMIT 1");
$resultset->execute();
$resultkey = $resultset->fetch();
if($resultkey !== false) {
$update = "UPDATE user SET Name_user='$name', password='$password' WHERE ID_user = '$id' LIMIT 1";
$up = $conn->prepare($update);
$up->bindParam(':name', $_POST['name'], FILTER_SANITIZE_SPECIAL_CHARS);
$up->execute();
$result = $up->fetch();
$_SESSION['Name_user'] = $result['name'];
$lastid = $conn->query("SELECT last_insert_id()")->fetch();
$insert = "INSERT INTO rel_company_user (ID_user) VALUES ('$id')";
$in = $conn->prepare($insert);
$in->execute();
$insert = "INSERT INTO company (Name_company) VALUES ('$company')";
$in = $conn->prepare($insert);
$in->execute();
$update = "UPDATE rel_company_user SET ID_company='$lastid' WHERE ID_user = '$id' LIMIT 1";
$up = $conn->prepare($update);
$up->execute();
}
}
header('Location: http://seth.com/dashboard?ftime=1');
/* Pedir el id y actualizarlo */
?>
You should use parameters in all your queries. And you can't use bindParam() if you didn't put a placeholder in the query.
FILTER_SANITIZE_SPECIAL_CHARS is not a valid argument to bindParam(). The third argument is an optional data type.
You never set $thelast anywhere, that should be $conn.
If $id is already assigned, you can't use LAST_INSERT_ID() to get ID_user. Just insert that value into the user table.
You don't need to perform a query to get the last insert ID. Just use LAST_INSERT_ID() in the VALUES list of the next INSERT query.
You can't fetch the results of an UPDATE query.
You can't get the last insert ID if you haven't done an insert. The UPDATE user query should be INSERT INTO user.
In several places you assigned the SQL to $insert, but then did $conn->prepare($update).
<?php
session_start();
$id = $_SESSION['ID_user'];
$name = $_POST['name'];
$company = $_POST['company'];
$password = $_POST['password'];
$password = password_hash($password, PASSWORD_DEFAULT);
if($name == "" && $password == "" && $company == "" ){
return false;
}
else {
require './conectar.php';
$resultset = $conn->prepare("SELECT * FROM user WHERE ID_user = :id LIMIT 1");
$resultset->bindParam(':id', $id);
$resultset->execute();
$resultkey = $resultset->fetch();
if($resultkey !== false) {
$update = "INSERT INTO user (ID_user, Name_user, password) VALUES (:id, :name, :password)";
$up = $conn->prepare($update);
$up->bindParam(':id', $id);
$up->bindParam(':name', $name);
$up->bindParam(':password', $password);
$up->execute();
$result = $up->fetch();
$_SESSION['Name_user'] = $name;
$insert = "INSERT INTO rel_company_user (ID_user) VALUES (:id)";
$in = $conn->prepare($insert);
$in->bindParam(':id', $id);
$in->execute();
$insert = "INSERT INTO company (Name_company) VALUES (:company)";
$in = $conn->prepare($insert);
$in->bindParam(':company', $company);
$in->execute();
$update = "INSERT INTO rel_company_user (ID_company, ID_user) VALUES (LAST_INSERT_ID(), :id)";
$up = $conn->prepare($update);
$up->bindParam(':id', $id);
$up->execute();
}
}
header('Location: http://seth.com/dashboard?ftime=1');
/* Pedir el id y actualizarlo */
?>
This question already has answers here:
Checking if mysqli_query returned any values?
(2 answers)
Closed 2 years ago.
Warning: count(): Parameter must be an array or an object that
implements Countable in C:\xampp\htdocs\try\process.php on line 30.
That's what my code says. it seems so fine but when I press edit, this error shows. I don't understand. can someone point me out what happened in line 30?
here is my process.php
<?php
require("1password.php");
$id = 0;
$update = false;
$username='';
$password='';
if (!session_id()) { session_start(); }
$mysqli = new mysqli("localhost","root","","id7508046_isalon") or die(mysqli_error($mysqli));
if(isset($_POST['save'])){
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("INSERT INTO isalonusers (username, password) values ('$username', '$passwordHash')") or die($mysqli->error);
$_SESSION['message'] = "New account saved!";
$_SESSION['msg_type'] = "success";
header("location: userlist.php");
}
if(isset($_GET['delete'])){
$id = $_GET['delete'];
$mysqli->query("DELETE FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account Deleted!";
$_SESSION['msg_type'] = "danger";
header("location: userlist.php");
}
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error());
if(count($result)==1){
$row = $result->fetch_array();
$username = $row['username'];
$password = $row['password'];
}
}
if(isset($_POST['update'])){
$id = $_POST['id'];
$username = $_POST['username'];
$password = $_POST['password'];
$passwordHash = password_hash($password, PASSWORD_DEFAULT);
$mysqli->query("UPDATE isalonusers SET username ='$username', password='$passwordHash' WHERE user_id=$id") or die($mysqli->error());
$_SESSION['message'] = "User Account has been updated!";
$_SESSION['msg_type'] = "warning";
header("location: userlist.php");
}
?>
As a matter of fact, you never need to count anything. This step is just redundant.
If you give it a bit of a thought, you can simply fetch your data first and then use it in the condition. What is much more important, you must use a parameterized query. So the code should be
$stmt = $mysqli->prepare("SELECT * FROM isalonusers WHERE user_id=?");
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
// here goes your problem with "count"
$row = $result->fetch_array(MYSQLI_ASSOC)
if($row) {
$username = $row['username'];
$password = $row['password'];
}
Neither should you use that terrible practice with or die
How about this way with $result->num_rows?
if(isset($_GET['edit'])){
$id = $_GET['edit'];
$update = true;
$result = $mysqli->query("SELECT * FROM isalonusers WHERE user_id=$id") or die($mysqli->error);
if(isset($result->num_rows) && $result->num_rows > 0){
$row = $result->fetch_array(MYSQLI_ASSOC);
$username = $row['username'];
$password = $row['password'];
}
}
See ref.: http://php.net/manual/en/mysqli.query.php
I have this code.
$stmt4 = $conn->prepare("SELECT likedFour FROM UserData WHERE username = 'jim'");
Right now, this should find the value of the row LikeFour when username = jim.
I have this if statement.
if ($stmt4 == '') {
}
Shouldn't this check if that value is empty?
It's not working.
This is the full code.
$stmt = $conn->prepare("SELECT * FROM UserData WHERE username = ?");
$stmt->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
$stmt->execute();
$stmt->store_result();
$stmt1 = $conn->prepare("SELECT likedOne FROM UserData WHERE username = ?");
$stmt1->bind_param('s',$username);
//$username = $_POST["username"];
$username ="jim";
echo "debug 2";
if ($stmt->num_rows == 0){ // username not taken
echo "debug 2.5";
die;
}else{
$result = mysqli_num_rows($stmt1);
echo "debug 2.7";
echo var_dump($stmt1);
if ($stmt1 == 00000){
echo "debug 3";
$sql = $conn->prepare("UPDATE UserData SET likedOne=? WHERE username=?");
$sql->bind_param('ss',$TUsername,$Username);
// $TUsername = $_POST["TUsername"];
// $Username = $_POST["username"];
$TUsername = "test";
$Username = "jim";
}
}
I would do this:
$stmt4 = $conn->prepare("SELECT * FROM UserData WHERE username = 'jim'");
//This should grab the entire row where username == jim
Then
if(!$stmt4[likedFour]){
echo "Nothing has been found";
}
If everything else is all good that should work perfectly.
Try placing two equals signs instead of one. The first equals sign indicates that you are setting the condition while the second equals indicates you are checking to see if something is equal to the first variable.
How to get the value of the column 'ProfilePicture' for the current user (which is stored in a session) from a database and save it into a variable?
Here is an example of a possible structure for the query:
if($email="iahmedwael#gmail.com" show 'ProfilePicture' value for that username) //declare a variable to save the value of ProfilePicture
<?php
$posted = true;
if (isset($_REQUEST['attempt'])) {
$link = mysqli_connect("localhost", "root", "", 'new1') or die('cant connect to database');
$email = mysqli_escape_string($link, $_POST['email']);
$password = mysqli_escape_string($link, $_POST['Password']);
$query = mysqli_query($link, " SELECT *
FROM 360tery
WHERE Email='$email'
OR Username= '$email'
AND Password='$password' "
) or die(mysql_error());
$total = mysqli_num_rows($query);
if ($total > 0) {
session_start();
$_SESSION['email'] = $email;
header('location: /html/updatedtimeline.html');
} else {
echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
}
}
For security purposes, it's my recommendation that you use PDO for all your database connections and queries to prevent SQL Injection.
I have changed your code into PDO. It should also get the value from the column ProfilePicture for the current user and save it to the variable $picture
Note: you will need to enter your database, name and password for the database connection.
Login Page
<?php
session_start();
$posted = true;
if(isset($_POST['attempt'])) {
$con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$email = $_POST['email'];
$password = $_POST['Password'];
$stmt = $con->prepare("SELECT * FROM 360tery WHERE Email=:email OR Username=:email");
$stmt->bindParam(':email', $email);
$stmt->execute();
if($stmt->rowCount() > 0) {
$row = $stmt->fetch();
if(password_verify($password, $row['Password'])) {
$_SESSION['email'] = $email;
header('location: /html/updatedtimeline.html');
}else{
echo "<script type='text/javascript'>alert('Wrong username or Password!'); window.location.href='../html/mainpage.html';</script>";
}
}
}
?>
User Page
<?php
session_start();
$con = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'pass');
$stmt = $con->prepare("SELECT ProfilePicture FROM 360tery WHERE username=:email OR Email=:email");
$stmt->bindParam(':email', $_SESSION['email']);
$stmt->execute();
if($stmt->rowCount() > 0) {
$row = $stmt->fetch();
$picture = $row['ProfilePicture'];
}
?>
Please let me know if you find any errors in the code or it doesn't work as planned.
I'm working on my school project and I need a simple login functionality. It was working 20 minutes ago but then I perhaps made some mistake. It doesn't show any error message. The database seems to be alright.
'jmeno' = name, 'heslo' = password
<?php $mysqli = new mysqli("localhost","admin","admin","uzivatele");
if(isset( $_POST['heslo']) && isset($_POST['jmeno'])){
$username = $_POST['heslo'];
$password = $_POST['jmeno'];
/* defends SQL injection */
// $username = stripslashes($username);
//$password = stripslashes($password);
//$password = mysqli_real_escape_string($mysqli, ($_POST['heslo']));
//$username = mysqli_real_escape_string($mysqli, $_POST['jmeno']);
$sqllogin = "SELECT * FROM prihlaseni WHERE jmeno = '".$username."' AND heslo = '".$password."' LIMIT 1";
$result = mysqli_query($mysqli, $sqllogin);
if (!$result) {
die(mysqli_error($mysqli));
}
$count = mysqli_num_rows($result);
if ($count == 1) {
session_start();
$_SESSION['loggedin'] = true;
header('Location: home.php');
}else {
echo "<script language='javascript'>alert('Wrong password!');</script>";
}
}
?>
I think you mixed post values. Try :
$username = $_POST['jmeno'];
$password = $_POST['heslo'];
I suggest debugging as follows:
<?php $mysqli = new mysqli("localhost","admin","admin","uzivatele");
if(isset( $_POST['heslo']) && isset($_POST['jmeno'])){
$username = $_POST['heslo'];
$password = $_POST['jmeno'];
/* defends SQL injection */
// $username = stripslashes($username);
//$password = stripslashes($password);
//$password = mysqli_real_escape_string($mysqli, ($_POST['heslo']));
//$username = mysqli_real_escape_string($mysqli, $_POST['jmeno']);
$sqllogin = "SELECT * FROM prihlaseni WHERE jmeno = '".$username."' AND heslo = '".$password."' LIMIT 1";
echo $sqllogin; //check the sql query string
$result = mysqli_query($mysqli, $sqllogin);
print_r($result);
if (!$result) {
die(mysqli_error($mysqli));
}
$count = mysqli_num_rows($result);
if ($count == 1) {
session_start();
$_SESSION['loggedin'] = true;
header('Location: home.php');
}else {
echo "<script language='javascript'>alert('Wrong password!');</script>";
}
}
?>
If sql string seems correct try querying the database directly and check output.
Probably there its not getting the $_POST vars, and not returning a valid $result.
Also I suggest you to not handle and save passwords like that but using hash functions like md5(string).