I'm attempting to update a table in a database using PDO. At present I'm submitting the form and getting nothing but a white screen. I've enabled all error reporting options and still nothing but a white screen. I've been staring at the code for what feels like a lifetime and still can't resolve the issue. A push in the right direction would be much appreciated. Thanks
<?php
require('includes/config.php');
//if not logged in redirect to login page
if(!$user->is_logged_in()){ header('Location: login.php'); exit; } // exit so the update below never runs for a logged-out visitor
$signedin = $_SESSION['username'];
$sql = "UPDATE member SET firstname = :firstname,
lastname = :lastname,
username = :username,
email = :email,
age = :age,
country = :country
where username = $signedin";
$stmt = $db->prepare($sql);
$stmt->bindParam(':firstname', $_POST['firstname'], PDO::PARAM_STR);
$stmt->bindParam(':lastname', $_POST['lastname'], PDO::PARAM_STR);
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
// use PARAM_STR although a number
$stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR);
$stmt->bindParam(':age', $_POST['age'], PDO::PARAM_STR);
$stmt->bindParam(':country', $_POST['country'], PDO::PARAM_INT);
$stmt= $db->execute($sql);
?>
The execute() function doesn't need the $sql (you provided that in prepare())
$stmt->execute();
Next, you should pass all your data into your prepared statement, otherwise you're defeating the purpose (which is maximum security). So let's remove
$sql = "UPDATE member SET firstname = :firstname,
lastname = :lastname,
username = :username,
email = :email,
age = :age,
country = :country
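where username = :signedin";
//snip
// separate placeholder for the current username, so it does not collide with the new :username value
$stmt->bindParam(':signedin', $_SESSION['username'], PDO::PARAM_STR);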
You need the quotes in your where clause.
$sql = "UPDATE member SET firstname = :firstname,
lastname = :lastname,
username = :username,
email = :email,
age = :age,
country = :country
where username = '$signedin'";
Also, it's better to update by id since it's unique.
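An added example, not taken from any of the posts above: the same UPDATE with every value bound, a separate placeholder for the WHERE clause, and exceptions enabled so a failure is reported instead of a blank page. It assumes the pdo_sqlite extension; the in-memory member table, the `$signedin` value and the `$post` array are constructed stand-ins for the real database, `$_SESSION['username']` and `$_POST`.

```php
<?php
// Constructed demo data; in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
// Throw on SQL errors instead of failing silently (the default before PHP 8).
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    firstname TEXT, lastname TEXT, email TEXT, age INTEGER, country TEXT)");
$db->exec("INSERT INTO member (username, firstname)
    VALUES ('alice', 'Alice'), ('o''brien', 'Pat')");

// Constructed stand-ins for $_SESSION['username'] and $_POST.
$signedin = "o'brien";
$post = ['firstname' => 'Patrick', 'lastname' => "O'Brien", 'username' => 'pobrien',
         'email' => 'pat@example.com', 'age' => '41', 'country' => 'IE'];

// Interpolated WHERE clause: the quote inside the value ends the SQL string
// early, so the text of the statement itself has changed and no longer parses.
try {
    $db->prepare("UPDATE member SET firstname = :firstname WHERE username = '$signedin'");
    $interpolated = 'prepared';
} catch (PDOException $e) {
    $interpolated = 'rejected: ' . $e->getMessage();
}

// Bound WHERE clause: the value travels as data and never becomes SQL text.
// The new username and the current one use different placeholders.
$sql = "UPDATE member SET firstname = :firstname, lastname = :lastname,
        username = :username, email = :email, age = :age, country = :country
        WHERE username = :signedin";
$stmt = $db->prepare($sql);
$stmt->execute([
    ':firstname' => $post['firstname'],
    ':lastname'  => $post['lastname'],
    ':username'  => $post['username'],
    ':email'     => $post['email'],
    ':age'       => $post['age'],
    ':country'   => $post['country'],
    ':signedin'  => $signedin,
]);
$updated = $stmt->rowCount(); // number of rows the UPDATE changed

echo "interpolated: $interpolated\n";
echo "bound: $updated row(s) updated\n";
$rows = $db->query("SELECT username, firstname, lastname FROM member ORDER BY id");
echo json_encode($rows->fetchAll(PDO::FETCH_ASSOC)), "\n";
```

With MySQL and emulated prepares the interpolated statement would fail at execute() rather than prepare(); the cause is the same.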
Related
I'm trying to insert data into the database but I always get an error.
What am I doing wrong?
// Enter the new user in the database
$sql = "INSERT INTO policajt (meno, priezvisko, cislo_odznaku) VALUES (:fname, :lname, :co)";
$stmt = $conn->prepare($sql);
$sql = "INSERT INTO users (policajt_id, username, heslo) VALUES (LAST_INSERT_ID(), :username, :password)";
$stmt = $conn->prepare($sql);
$stmt->bindParam(':fname', $_POST['fname'], PDO::PARAM_STR);
$stmt->bindParam(':lname', $_POST['lname'], PDO::PARAM_STR);
$stmt->bindParam(':co', $_POST['co'], PDO::PARAM_STR);
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
$password = password_hash($_POST['password'], PASSWORD_BCRYPT);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
if( $stmt->execute()):
$message = 'Successfully created new user';
else:
$message = 'Sorry there must have been an issue creating your account';
endif;
When I run code, I get this error:
Warning: PDOStatement::execute(): SQLSTATE[HY093]: Invalid parameter
number: number of bound variables does not match number of tokens
Any help would be greatly appreciated. Thank you in advance!
In your insert statement you are not specifying the tokens for all fields that you want to do an insert for.
INSERT INTO policajt (meno, priezvisko, cislo_odznaku) VALUES (:fname, :lname, :co)
should be
INSERT INTO policajt (meno, priezvisko, cislo_odznaku) VALUES (:meno, :fname, :lname, :co)
Afternoon,
Currently I am writing a program that allows an admin to update the members database.
My code is as follows:
$member_id = $formdata['update'];
$surname = $formdata['surname'];
$other_name = $formdata['othername'];
$contactmethod = $formdata['contactmethod'];
$email = $formdata['email'];
$mobilenum = $formdata['mobilenum'];
$phonenum = $formdata['phonenum'];
$occupation = $formdata['occupation'];
$userpass = $formdata['userpass'];
if(!isset($formdata['magazine']))
$magazine = 0;
else
$magazine = 1;
//Get ready to talk to the DB
$db = getDBConnection();
//Make a prepared query so that we can use data binding and avoid SQL injections.
$insertUser = $db->prepare('INSERT into member VALUES
(:surname, :other_name, :contact_method,
:email, :mobile, :landline, :magazine, :street,
:suburb, :postcode, :password,
:occupation) WHERE member_id=$member_id');
//Bind the data from the form to the query variables.
//Doing it this way means PDO sanitises the input which prevents SQL injection.
$insertUser->bindParam(':surname', $surname, PDO::PARAM_STR);
$insertUser->bindParam(':other_name', $other_name, PDO::PARAM_STR);
$insertUser->bindParam(':contact_method', $contactmethod, PDO::PARAM_STR);
$insertUser->bindParam(':email', $email, PDO::PARAM_STR);
$insertUser->bindParam(':mobile', $mobilenum, PDO::PARAM_STR);
$insertUser->bindParam(':landline', $phonenum, PDO::PARAM_STR);
$insertUser->bindParam(':magazine', $magazine, PDO::PARAM_INT);
$insertUser->bindParam(':street', $streetaddr, PDO::PARAM_STR);
$insertUser->bindParam(':suburb', $suburbstate, PDO::PARAM_STR);
$insertUser->bindParam(':postcode', $postcode, PDO::PARAM_INT);
$insertUser->bindParam(':password', $userpass, PDO::PARAM_STR);
$insertUser->bindParam(':occupation', $occupation, PDO::PARAM_STR);
Current error is within WHERE member_id=$member_id
I have no idea what the error is and how to fix it.
Any tips?
try using an UPDATE.
'UPDATE member SET surname = :surname, other_name = :other_name, contact_method = :contact_method,
email = :email, mobile = :mobile, landline = :landline, magazine = :magazine, street = :street,
suburb = :suburb, postcode = :postcode, password = :password,
occupation = :occupation WHERE member_id = :member_id'
Additionally, bind another param for member_id, otherwise there isn't much point in doing the others.
$insertUser->bindParam(':member_id', $member_id, PDO::PARAM_INT);
I am trying to run the following in PHP:
$stmt = $db_con->prepare("SELECT * FROM users WHERE email=:email");
$stmt->execute(array(":email"=>$user_email));
$count = $stmt->rowCount();
if($count==0){
$stmt = $db_con->prepare("INSERT INTO users(username,email,password,ip)VALUES(:uname, :email, :password, :ip)");
$stmt->bindParam(":username",$username);
$stmt->bindParam(":email",$useremail);
$stmt->bindParam(":password",$hasheduserpassword);
$stmt->bindParam(":ip",$userip);
As a result, I get the following error:
SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
In the query you are defining uname while setting a parameter called username.
Try:
$stmt = $db_con->prepare("INSERT INTO users(username,email,password,ip)VALUES(:username, :email, :password, :ip)");
Your error lies here
$stmt = $db_con->prepare("INSERT INTO users(username,email,password,ip)VALUES(:uname, :email, :password, :ip)");
// $stmt->bindParam(":username",$username);// this should be uname
$stmt->bindParam(":uname",$username);
Error is here:
VALUES(:uname,
$stmt->bindParam(":username",$username);
MySQL is looking for :username but it cannot find it because you named it :uname.
Both must match.
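An added example (not code from any post on this page): both HY093 errors above come down to a mismatch between the `:name` tokens in the prepared statement and the names that get bound, and a small pre-flight check makes that mismatch visible. The helper names `sqlPlaceholders` and `checkBindings` are hypothetical; the two SQL strings are copied from the questions above.

```php
<?php
// Return the named placeholders (":name") that appear in an SQL string.
// Assumption: a basic regex strips single-quoted literals and "--" comments
// first, so a ':' inside quoted text is not mistaken for a token.
function sqlPlaceholders(string $sql): array
{
    $stripped = preg_replace("/'(?:[^'\\\\]|\\\\.|'')*'|--[^\n]*/", '', $sql);
    // The lookbehind skips "::" casts and digits such as 12:30.
    preg_match_all('/(?<![:\w]):([A-Za-z_]\w*)/', $stripped, $m);
    return array_values(array_unique($m[1]));
}

// Compare the statement's tokens with the names about to be bound.
function checkBindings(string $sql, array $boundNames): array
{
    $tokens = sqlPlaceholders($sql);
    $bound  = array_map(fn($n) => ltrim($n, ':'), $boundNames);
    return [
        'missing' => array_values(array_diff($tokens, $bound)), // token with no value
        'unknown' => array_values(array_diff($bound, $tokens)), // bound name not in the SQL
    ];
}

// Statement 1: in the policajt question the second prepare() replaced $stmt,
// so all five bindParam() calls were made against this users INSERT.
$q1 = "INSERT INTO users (policajt_id, username, heslo) VALUES (LAST_INSERT_ID(), :username, :password)";
$r1 = checkBindings($q1, [':fname', ':lname', ':co', ':username', ':password']);

// Statement 2: the token is :uname but the bound name is :username.
$q2 = "INSERT INTO users(username,email,password,ip)VALUES(:uname, :email, :password, :ip)";
$r2 = checkBindings($q2, [':username', ':email', ':password', ':ip']);

echo json_encode($r1), "\n", json_encode($r2), "\n";
```

Any non-empty `missing` or `unknown` list means execute() will raise HY093 for that statement.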
I'm trying to create a Login/Registration system. Everything is done: the password is encrypted, I'm using PDO to prevent SQL injection, etc.
The only problem that I have is this: just like Facebook, I want to immediately redirect the user to their profile after a successful registration. So when they click submit on the registration form, I want to redirect them to their profile, and it should display something like "You're logged in as Akar". I set $_SESSION['logged_in'] to 1, but it doesn't display the name. So instead of "You're logged in as Akar", it displays "You're logged in as" followed by a blank. It doesn't display my name.
Here is my code:
else {
$sql = "INSERT INTO `users` (first_name, last_name, email, username, password, gender, birthday)
VALUES(:firstname, :lastname, :email, :username, :password, :gender, :birthday)";
$stmt = $this->db_connection->prepare($sql);
$stmt->bindParam(':firstname', $first_name);
$stmt->bindParam(':lastname', $last_name);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':username', $username);
$stmt->bindParam(':password', $password_hash);
$stmt->bindParam(':gender', $gender);
$stmt->bindParam(':birthday', $birthday);
$user_register = $stmt->execute();
if ($user_register) {
$_SESSION['logged_in'] = 1;
$_SESSION['username'] = $row->username;
//$this->messages[] = "Your account has been succesfully registered, Login above!";
And the $row variable is:
$sql = "SELECT * FROM users WHERE username = :username OR email = :email";
$stmt = $this->db_connection->prepare($sql);
$stmt->bindParam(':username', $username, PDO::PARAM_STR);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->execute();
$row = $stmt->fetchObject();
I fixed it by doing this:
if ($user_register) {
$sql = "SELECT * FROM users WHERE username = :username";
$stmt = $this->db_connection->prepare($sql);
$stmt->bindParam(':username', $username);
$stmt->execute();
$row = $stmt->fetchObject();
$_SESSION['logged_in'] = 1;
$_SESSION['username'] = $row->username;
Thanks...
If you want to redirect the user to another page (as I understand, that's what you want to do),
execute this code:
header( 'Location: http://www.yoursite.com/account_page.php' );
Wait, what is $row equal to? ;) http://php.net/manual/en/pdostatement.fetch.php
Do $row = $stmt->fetch();
Your problem should be solved I think.
Since you said:
when they click submit on the registration form, I want to redirect them to their profile
How about using
$_SESSION['username'] = $username;
instead? Sorry, I'm not allowed to add a comment.
I have a weird error. Using phpMyAdmin, I added a row, and the script it generates is:
INSERT INTO 'Users'.'User_Accounts'('Account_ID', 'UserName',
'Email', 'PhoneNumber', 'Password') VALUES (NULL, 'fdsfsadf',
'dfsadf', 'sdfads', 'fsdfasdfsd');
That works, however when I use PHP PDO to insert it gives this error:
Table 'Users.User_Acounts' doesn't exist
uhhhh yes it does...
The PHP code:
$hostname = "127.0.0.1";
$port = "3306";
$database = "Users";
$username = "AccountControl";
$password = "w67hLAanWESGNJMC";
echo ">>";
$db = new PDO("mysql:host=$hostname; port=$port; dbname=$database", $username, $password);
echo ">>";
$UserName = "KiteDev";
$Email = "johndoveail.com";
$PhoneNumber = "66666";
$Password = "dfsgetagfdasg";
// Create the query
$query = "INSERT INTO User_Acounts (UserName, Email, Phon2eNumber, Password) VALUES (:name, :email, :phone, :pass )";
// Prepare statement with $stmt variable
$stmt = $db->prepare($query);
echo ">>";
// Bind parameters, (you can also remove the PDO::PARAM_INT)
$stmt->bindParam(':name', $UserName, PDO::PARAM_STR);
$stmt->bindParam(':email', $Email, PDO::PARAM_STR);
$stmt->bindParam(':phone', $PhoneNumber, PDO::PARAM_STR);
$stmt->bindParam(':pass', $Password, PDO::PARAM_STR);
// Execute the query once you're done binding all the params
$stmt->execute() or die(print_r($stmt->errorInfo(), true));
echo ">>";
Any ideas as to what's causing this?
You've misspelled User_Accounts. The table you created is User.User_Accounts but the table that doesn't exist is User.User_Acounts.
You wrote accounts with one c.
Table 'Users.User_Acounts' doesn't exist
The table name is User_Accounts. In your PHP code, it is misspelled as User_Acounts.
Correct it as:
$query = "INSERT INTO User_Accounts (UserName, Email, PhoneNumber,
Password) VALUES (:name, :email, :phone, :pass )";