In database login replace x with y in column z where username=$usr.
That's what I'm trying to create (at least I hope you understand what I mean).
My code, right now is:
<?php
session_start();
$servernaam = "server";
$susr = "user";
$spswd = "password";
$sdbnaam = "database name";
$usr = $_SESSION['usr'];
$qa = "1";
$conn = mysqli_connect($servernaam, $susr, $spswd, $sdbnaam);
$sql = "UPDATE login SET qa='$qa' WHERE username=$usr";
header("Location: Page_1.php");
?>
Question:
In the database, nothing changes. The cell I want to change stays at it's previous value.
Thanks in advance!
After asking someone who had a lot of knowlage of php and sql I've got the awnser!
This:
$sql = "UPDATE login SET qa='$qa' WHERE username=$usr";
should have been
This:
$sql = "UPDATE `login` SET `qa`='$qa' WHERE `username`='$usr'";
And I didn't add
This:
$result = $conn->query($sql);
wich actually runs the sql script.
Related
I am very new to mysql and am attempting to replace one value in a column with another. Right now I have 2 inputs and can echo the text value of these inputs here as well as the username of the person logged in:
<?php
session_start();
include("../php/Session.class.php");
$sess = new Session();
$sess->Init();
$cookie = isset($_COOKIE["session"]);
if($cookie)
{
$cookie = $_COOKIE["session"];
$account = $sess->Verify($cookie);
}
$pass1=$_POST['passwordText']; //name of input
echo $pass1;
$pass=$_POST['oldPass']; //name of input
echo $pass;
echo $account['username'];
I then connect to my database and am trying to set the previous password to the value of $pass1 where the user's username is located.
$dbh = new mysqli("localhost","username","password","sqlserver");
$checkforpass = "SELECT password FROM accounts WHERE username='".$account['username']."'";
$checkforpass = $dbh->query($checkforpass); //make query
$checkforpass = $checkforpass->fetch_assoc(); //prepare sql
$checkforpass = $checkforpass['password'];
echo $checkforpass;
if($checkforpass==$pass)
{
echo 'they got the password!';
$change = "UPDATE accounts SET password=".$pass1." WHERE username='".$account['username']."'";
//$change = $dbh->query($change);
$dbh->query($change); //make query
$dbh->close();
//change password
}
I get no errors but when checking my local data base the value of password stays the same. What am I doing wrong here?
I think its not getting inserted/updated because you are not using single quotes around varchar in the query.
Your query should be :
$change = "UPDATE accounts SET password='".$pass1."' WHERE username='".$account['username']."'";
OR
$change = "UPDATE accounts SET password='$pass1' WHERE username='".$account['username']."'";
I'm making a luck based website and I want to make sure they have enough spins on their account before they spin.
I did see http://www.w3schools.com/php/php_mysql_select.asp but its not really what I'm looking for.
I have these rows with the names: id username email password spins.
I can deduct amounts from spins but I can't put the exact amount of their spins on a PHP variable to put in a $SESSION for a different page.
Here's how much I have so far.
$numSpin = "SELECT * FROM $tbl_name WHERE spins";
Then put it in a $SESSION
$_SESSION['spinNum'] = $numSpin;
How would I go on to doing this? This does not work as is.
It seems as if you are extremely new to coding so I'll try to help you out.
Here is the code you can use and I'll explain below.
<?php
session_start();
$host = 'localhost'; $db = 'db-name'; $user = 'db-user'; $pw = 'db-pwd';
$conn = new PDO('mysql:host='.$host.';dbname='.$db.';charset=utf8', $user, $pw);
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
try {
$tbl_name = 'table-name-here';
$un = $username;
$sql = "SELECT * FROM $tbl_name WHERE username=:un";
$query = $conn->prepare($sql);
$query->bindValue(':un', $un, PDO::PARAM_STR);
$query->execute();
$row = $query->fetch(PDO::FETCH_ASSOC);
$totalRows = $query->rowCount();
} catch (PDOException $e) {
die("Could not get the data: " . $e->getMessage());
}
$_SESSION['spinNum'] = $row['name-of-your-field-with-spin-numbers'];
?>
Then...
if($_SESSION['spinNum'] >= 1) {
// allow them to do something
} else {
echo "I'm sorry. It looks like you don't have any spins left. Please try again later.";
}
This code is written using pdo_mysql. You might want to read up on it here.
Line 2 starts your session
Lines 3-5 creates a connection to your database. Make sure to replace "db-name", "db-user" & "db-pwd" with your information.
On line 8 replace "table-name-here" with your database table name
On line 9 you can set "10" to whatever minimum number you want to make sure the account holder has.
On line 19 change "name-of-your-field-with-spin-numbers" to the actual name of the field in your database table that stores the account users available spins.
Now you can use $_SESSION['spinNum'] on your other pages.
Don't forget to use session_start(); at the top of any page where you want to use session variables.
i am a newbie in here and i have a problem that me myself cannot find the exact solution... here it is... i need to build a system that will update all the staff information. through this system, a staff in human resource department will enter all the staffs information. i have been create this code to update the staffs information but it seems not function with what i really want.... i just want to update by rows however, it turns to update all rows in the database...
<?php
session_start();
include ("includes/database.php");
include ("includes/security.php");
include ("includes/config.php");
$nama=$_SESSION["nama"];
$pwd=$_SESSION["status"];
$nama=$_POST["st_nama"];
$siri1=$_POST["st_siri"];
$siri2=$_POST["st_siri2"];
$siri3=$_POST["st_siri3"];
$jawatan=$_POST["st_jawatan"];
$gred=$_POST["st_gred"];
$gredh=$_POST["st_gredh"];
$gelaran=$_POST["st_gelaran"];
$elaun=$_POST["st_elaun"];
$id=$_GET["id"];
$dataPengguna2= mysql_query("SELECT * FROM tbl_rekod where id='$id'");
mysql_query("UPDATE tbl_rekod set st_nama='$nama', st_siri='$siri1', st_siri2='$siri2', st_siri3='$siri3', st_jawatan='$jawatan', st_gred='$gred', st_gredh='$gredh', st_gelaran='$gelaran', st_elaun='$elaun' WHERE id='$id'") or die (mysql_error());
$status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";
?>
This will help fix your sql injection issue, and may also fix update 1 vs multiple rows issue. This method uses the PDO library in PHP. You can see more info on using PDO on the PHP site. It replaces the mysql_ set of commands which are no longer included in the PHP releases.
// Below replaces the mysql_connect() so it requires db credentials filled in
try {
$host = 'hostname';
$db = 'databasename';
$user = 'username';
$pass = 'password';
$con = new PDO("mysql:host=$host;dbname=$db",$user,$pass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_WARNING));
}
// This replaces the die("error message") potion of a mysql_connect() set-up
catch (Exception $e) {
$_errors['connect']['message'] = $e->getMessage();
$_errors['connect']['error_code'] = $e->getCode();
}
$nama = $_SESSION["nama"];
$pwd = $_SESSION["status"];
$nama = $_POST["st_nama"];
$siri1 = $_POST["st_siri"];
$siri2 = $_POST["st_siri2"];
$siri3 = $_POST["st_siri3"];
$jawatan = $_POST["st_jawatan"];
$gred = $_POST["st_gred"];
$gredh = $_POST["st_gredh"];
$gelaran = $_POST["st_gelaran"];
$elaun = $_POST["st_elaun"];
$id = $_GET["id"];
// You should do just a preliminary check that the id is a numeric value
// No sense in continuing if someone tries to foil the natural
// order of your code
if(is_numeric($id)) {
// The next 3 lines would be equivalent to the mysql_query("statement here")
// as well as a more robust version of mysql_real_escape_string(). It does more,
// but for sake of explanation it does that and more.
$dataPengguna2 = $con->prepare("SELECT * FROM tbl_rekod where id=:id");
// Binding paramaters basically sanitizes the value being inserted into your query
$dataPengguna2->bindParam(':id',$id);
$dataPengguna2->execute();
// There is no indication of what you are doing with the select above
// Set up the update statement
$query = $con->prepare("UPDATE tbl_rekod set st_nama=:st_nama, st_siri=:st_siri, st_siri2=:st_siri2, st_siri3=:st_siri3, st_jawatan=:st_jawatan, st_gred=:st_gred, st_gredh=:st_gredh, st_gelaran=:st_gelaran, st_elaun=:st_elaun WHERE id=:id");
// Bind all the values to sanitize against injection
// You could do a function that loops through an array of values,
// but this is one way to do it manually
$query->bindParam(':st_nama',$nama);
$query->bindParam(':st_siri',$siri1);
$query->bindParam(':st_siri2',$siri2);
$query->bindParam(':st_siri3',$siri3);
$query->bindParam(':st_jawatan',$jawatan);
$query->bindParam(':st_gred',$gred);
$query->bindParam(':st_gredh',$gredh);
$query->bindParam(':st_gelaran',$gelaran);
$query->bindParam(':st_elaun',$elaun);
$query->bindParam(':id',$id);
$query->execute();
// Print out error info. There may be something of value here
// that may help you figure out why it's trying to update all your rows
// instead of just the one.
print_r($query->errorInfo());
$status = "REKOD BERJAYA DIKEMASKINI!<br/><a href = 'stafflogin.php'><strong>KEMBALI KE LAMAN UTAMA</strong></a>";
} ?>
I'm probably not using the best method to create a user system, but it doesn't need to be fancy. I also know that I'm not the most organized
The logins and everything are alright, but I'm having a problem updating the credentials.
For example, I'm allowing users to change their username. I have the "Change Username" (Not that name) form to submit to update-username.php.
I already have mysql_real_escape_string, in the function "cleanString" in another page. My textarea submitting already has the old text in it, so you can change and view it before hand.
$user_id = "";
if(isset($_POST['id']))
{
$user_id = $_POST['id'];
}
$query = "SELECT username,email,display_name,access,password FROM users WHERE user_id='$user_id'";
$results = mysql_query($query);
if(!$results) { //Check to see if query failed
die(mysql_error());
}
$resultsfetch=mysql_fetch_array($results);
$username = $resultsfetch['username'];
$usernamenew = $_POST['usernameinput'];
if(isset($_POST['usernameinput'])) {
$usernamenew = cleanString($_POST['usernameinput']);
}
if($usernamenew !=$username){
$submit = "UPDATE users SET username = '$usernamenew' WHERE user_id = '$user_id'";
mysql_query($submit);
if(!$submit) { //Check to see if query failed
die(mysql_error());
}
}
It's probably something stupid or simple that I missed, or something really huge. Mainly because I am absent minded.
$submit = sprintf("UPDATE users SET username = '%s' WHERE user_id = %d",mysql_real_escape_string($usernamenew),mysql_real_escape_string($user_id));
If the page is loaded, $user_id will be NULL so noting will be updated! Make sure that this page loads, by sending $_POST['id'] . if these things are correct, check this.
"Did the database user have any permission to update the table? "
I have re-arranged your code. added comments where i changed. Try this
if (isset($_POST['id'], $_POST['usernameinput'])) { // Check if both POST id and usernameinput is available
$user_id = (int)$_POST['id']; //assuming this is an integer
$query = "SELECT username,email,display_name,access,password FROM users WHERE user_id='$user_id'";
$results = mysql_query($query);
if (!$results) {//Check to see if query failed
die(mysql_error());
}
if (mysql_num_rows($result) > 0) { //verify if there is really a user with such id
$resultsfetch = mysql_fetch_array($results);
$username = $resultsfetch['username'];
$usernamenew = cleanString($_POST['usernameinput']);
if ($usernamenew != $username) {
$submit = "UPDATE users SET username = '$usernamenew' WHERE user_id = '$user_id'";
if (!mysql_query($submit)) {//Check to see if query failed
die(mysql_error());
}
}
}else{
die("no such user with userid=$user_id");
}
}
Warning: mysql_ function is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used.
So, I guess I figured it out. It's an issue with my code carrying over to the next page.
The code I had been shown only broke the page, whether it be missing an integer, or something else. I'm not 100% sure.
Thanks for all the help guys, but now I know the issue.
EDIT:
I had forgotten to echo the $user_id in my hidden field.
I'm editing part of a user login system and I'm very confused on one issue. I'm trying to allow the user to change their username using their email as a reference for the lookup. For some reason I can't get the $email variable to set properly. When I change the variable $email to an address that I know is in my database (meaning I remove $email and change it to an address that exists) the username is properly changed. When I swap it back to $email, nothing happens.
The strange part is when I echo $email, the correct email address is displayed. I can't figure out why it won't let me do this despite it being echoed properly. Is it possible to not be a string despite an email address being displayed?
I understand about sql injections. I'm just trying to keep the code as simple as possible for now so I can get the functionality working first.
<?
if (isset($_POST['submit'])) {
$email = $user->get_email($username);
$newuser = $_POST['newusername'];
$server = 'localhost';
$usern = 'root';
$pass = '';
$connection = mysql_connect($server, $usern, $pass) or die(mysql_error());
mysql_select_db(testdb, $connection) or die(mysql_error());
if(isset($username)) {
mysql_query("UPDATE users SET username='$newuser' WHERE email = '$email'") or die(mysql_error());
}
}
?>
Also, when I change the query statement so that the reference value is the userid, the username is correctly inserted. From this I know that $email isn't being set properly.
mysql_query("UPDATE users SET username='$newuser' WHERE userid = '$userid'") or die(mysql_error());
if(isset($username)) {
mysql_query("UPDATE users SET username='$newuser' WHERE email = '$email'") or die(mysql_error());
}
Where in your code are you setting the $username variable? If it's not set, your update won't run. You should probably go back and review your variable names and make sure they're consistent (and set) throughout the rest of the page.
Sounds like your get_email() function is returning a bad address.
Are you sure your authentication system is working fine in all other ways?
What happens when you do this:
echo "UPDATE users SET username='$newuser' WHERE email = '$email'";
Also, you will want to sanitize your input for $newuser to avoid SQL injection. Like one of the comments said, you should be using the user id instead of email. I am not sure what authentication class you are using, but you should be able to find something like $user->returnID() and update using that.
Anyway it's recommend to add
$email = mysql_real_escape_string($email);
Maybe that's the problem
I should use the following:
<?
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$email = $user->get_email($username); // where does $username come from anyway? and where are you initiating the $user object?
$newuser = $_POST['newusername'];
$server = 'localhost';
$usern = 'root';
$pass = '';
$connection = mysql_connect($server, $usern, $pass) or die(mysql_error());
mysql_select_db(testdb, $connection) or die(mysql_error());
if(isset($newuser)) {
$newuser = mysql_real_escape_string($newuser);
$email = mysql_real_escape_string($email);
mysql_query("UPDATE users SET username='" . $newuser . "' WHERE email = '". $email ."'") or die(mysql_error());
}
}
?>
The mysql_real_escape_string() creates a new string. It will escape characters which probably can damage your database when they are putted in. (Called: SQL Injection)
For examples of SQL Injection to give you an idea what it is, and how it can be used and protected:
http://www.unixwiz.net/techtips/sql-injection.html