I've been trying to update a MYSQL table in PHP but it doesn't seem to be working. I tweak the code and sometimes it says it has updated, when it hasn't and other times it says it didn't work. If anybody could have a look at my code and tell me if they can see anything wrong that would be much appreciated.
Form:
<form method="post" action="update.php" name="update" id="update">
<input type="text" name="username" placeholder="Username" id="regUsername" value="<?php echo $row['username'] ?>" /><br><br>
<input type="password" name="password" placeholder="Password" id="regPassword" value="<?php echo $row['password'] ?>" /><br><br>
<input type="email" name="email" placeholder="Email Address" id="regEmail" value="<?php echo $row['email'] ?>" /><br><br>
<p id="FillInFields"></p>
<input type="submit" value="submit"/><br>
</form>
Update.php
<?php
$linkme = mysql_connect("*******","******","******");
if (!$linkme)
die ("Could not connect to database");
mysql_select_db("*******", $linkme);
$username = mysql_real_escape_string($_REQUEST["username"]);
$password = mysql_real_escape_string($_POST["password"]);
$email = mysql_real_escape_string($_POST["email"]);
$edit_id = $_POST['edit_id'];
$query = mysql_query(
"UPDATE user
SET username = '$username' ,
password = '$password' ,
email = '$email'
WHERE user_id = '$edit_id'");
mysql_query ($query)
or die ("Sorry but your details were not uploaded.");
echo ("Your details didn't update");
mysql_close($linkme);
?>
edit_id is the session id that is on the form page: and the session has been started inside all pages using sessions.
$edit_id = $_SESSION['edit_id'];
Thank you
Comment to answer to close the question since it did work for the OP.
Try something like:
<input type="hidden" name="edit_id" value="<?php echo $row['id_row'] ?>">
['id_row'] being an example of the said row, since you're iterating over some type of fetching of rows from DB.
Since you're using sessions, you'll need to assign that POST array to a sessions array after.
Sidenote about the use of the deprecated MySQL library you are using:
Look into using mysqli with prepared statements, or PDO with prepared statements, they're much safer.
I noticed you may be storing passwords in plain text. If this is the case, it is highly discouraged.
I recommend you use CRYPT_BLOWFISH or PHP 5.5's password_hash() function.
For PHP < 5.5 use the password_hash() compatibility pack.
is your variable $edit_id missing in the form file?
<form method="post" action="update.php" name="update" id="update">
<input type="text" name="username" placeholder="Username" id="regUsername" value="<?php echo $row['username'] ?>" /><br><br>
<input type="password" name="password" placeholder="Password" id="regPassword" value="<?php echo $row['password'] ?>" /><br><br>
<input type="email" name="email" placeholder="Email Address" id="regEmail" value="<?php echo $row['email'] ?>" /><br><br>
You must to set an input (usualy of type hidden) to put the key id. In your case, the $edit_id
There are couple of things I've noticed.
To debug your sql query, seperate your sql query into a var
echo $query = "UPDATE user SET username = '$username', password = '$password', email = '$email' WHERE user_id = '$edit_id'";
$query = mysql_query($query); //echo the $query in update.php and
//run the actual query in a sql dialog
//if that doesn't work, then there's
//something definitely wrong with your
//query.
mysql_query ($query)
or die ("Sorry but your details were not uploaded.");
echo ("Your details didn't update"); //you have an echo statement in the
//middle of the script in an area
//without in a conditional loop, it
//will echo this error message even
//if the query committed
//successfully
You're also missing $edit_id. You can have a hidden field in your form as
<input type="hidden" name="edit_id" value="edit_id_val">
You also don't need to put single ticks in your query around the edit_id field value because its an integer.
<?php
$linkme = mysqli_connect(DB_HOST, DB_USER, DB_PASS, DB_NAME) or die('could not connect because of '.mysqli_error())
$username = mysqli_real_escape_string($linkme, $_REQUEST["username"]);
$password = mysqli_real_escape_string($linkme, $_POST["password"]);
$email = mysqli_real_escape_string($linkme, $_POST["email"]);
$edit_id = mysqli_real_escape_string($linkme, $_POST['edit_id']);
$q = "UPDATE user SET
username = '$username',
password = SHA1('$password'),
email = '$email'
WHERE user_id = '$edit_id'";
$r = mysqli_query($linkme, $q);
if($r){
echo 'success';
}else{
echo '<p>'.$q.'</p>';
echo '<p>'.mysqli_error($linkme).'</p>';
}
?>
you should encrypt the password to using SHA1 or MD5
also you are missing the edit_id
Related
I used this code to create a user registration page in my website. I firstly connected to my database and then did the below codes ----->
<form action="index.php" method="post">
<p id="usr1">Name : </p><input id="input1" placeholder="Username" type="text" name="username" required> </br>
</br>
<p id="usr2">Password : </p><input id="input2" placeholder="Password" type="text" name="pwd" required> </br>
<p id="usr3">Password : </p><input id="input3" placeholder="Re-Type your password" type="text" name="cpwd" required> </br>
</br>
<input id="sub" name="subbox" type="submit">
</form>
<?php
if (isset($_POST['submit_button'])) {
$username= $_POST['username'];
$password=$_POST['pwd'];
$conpwd=$_POST['cpwd'];
}
if ($password == $conpwd) {
$query = "SELECT * FROM login WHERE name='$username' ";
$query_run = mysqli_query($con,$query);
if (mysqli_num_rows($query_run) > 1) {
echo '<script type="text/javascript">alert("This Username Already exists. Please try another username!")</script>';
// the above code will check if the username is already taken or not.
}else {
$query = "insert into login values('$username' , '$password')";
$query_run = mysqli_query($con,$query);
if ($query_run) {
echo '<script type="text/javascript">alert("Registration Successful!")</script>Click Here To Continue';
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
header( "Location: homepage.php");
}else {
echo '<script type="text/javascript">alert("Server Error. Please try again after a few minutes!")</script>';
}
}
}else {
echo "Please check and re-type both passwords";
}
?>
But it always return some errors.This is what I see when i try to run the code
Is anything wrong with this code?
To answer your initial question, yes there is something wrong. Your code is vulnerable to SQL injection. You should have a look at: How can I prevent SQL injection in PHP? And password is stored plain in your database, which means no respect for your user. There are some other problems with code style but it's just bonus.
Anyway, the thing that cause you the "alert" problem is that submit_button button does not exists. There is no button with that name. Your if condition is always false. So you have to replace:
if (isset($_POST['submit_button'])) {
With
if (isset($_POST['subbox'])) {
And maybe add a value to your input (not sure it's required, I did not tested):
<input id="sub" name="subbox" type="submit" value="1">
Thanks to #Fred-ii-
I'm having a problem in inserting data to my database. I don't have any clues what's the error.
Here's my index:
<form id="myForm" action="insert.php" method="post">
Name: <input type="text" name="name"/><br/>
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<button id="sub">Save</button>
</form>
<span id="result"></span>
And here's my insert.php:
include_once('db.php');
$name = $_POST['name'];
$username = $_POST['username'];
$password = $_POST['password'];
if(mysql_query("INSERT INTO table_users VALUES('$name', '$username', '$password')")){
echo "Successfully Inserted";
} else {
echo "Insertion Failed";
}
And my db.php:
$conn = mysql_connect('localhost', 'root', '');
$db = mysql_select_db('neverstoplearning');
You need to make the HTML form in a valid way like you use form but not a submit button as type submit.
HTML Form
<form id="myForm" action="insert.php" method="post">
Name: <input type="text" name="name"/><br/>
Username: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" id="sub" value="Save" name='submit_form'/>
</form>
Now when you click on he submit button its go for the page insert.php and from there you need to store your the username, name and password.
insert.php
For this part you need to follow some rules, Stay away from SQL Injection, follow what i share as a Note at the bottom. And must use a isset submit for doing all these thing.
if(isset($_POST['submit_form']){
include_once('db.php');
$name = $_POST['name'];
$username = $_POST['username'];
$password = $_POST['password'];
// use mysqli_* and the $conn string.
if(mysqli_query($conn, "INSERT INTO table_users VALUES('$name', '$username', '$password')")){
echo "Successfully Inserted";
} else {
echo "Insertion Failed";
}
}
Note:
For the protection of SQL Injection must use mysqli_escape_string,
mysql_real_escape_string, addslashes , md5, hash.
and mysql_* now Deprecated, so start use of mysqli_* or PDO.
I am trying to build a login system with registration etc.
now for the registration i use a form and the method "post". Now it fails in what i think is sending the input trough the post. can you help me fix it? here is the code involved in it:
above !doctype
<?php
include('connect.php');
// If the values are posted, insert them into the database.
if (isset($_POST["username"]) && isset($_POST["password"])){
$username = $_POST["username"];
$email = $_POST["email"];
$password = $_POST["password"];
$query = "INSERT INTO `user` (username, password, email) VALUES ($username, $password, $email)";
$result = mysqli_query($query);
if($result){
$msg = "User Created Successfully.";
}
else
{echo "fail";}
}
?>
the form:
<div class="register-form">
<?php
if(isset($msg) & !empty($msg)){
echo $msg;
}
?>
<h1>Registreer</h1>
<form action="" method="POST">
<p><label>User Name : </label>
<input id="username" type="text" name="username" placeholder="username" /></p>
<p><label>E-Mail : </label>
<input id="password" type="email" name="email" required placeholder="name#email.com" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password" placeholder="password" /></p>
<a class="btn" href="login.php">Login</a>
<input class="btn register" type="submit" name="submit" value="Registreer" />
</form>
</div>
The connect.php
<?php
$servername = "localhost";
$username = "sqluser";
$password = "Welkom01!";
$dbname = "users";
$connection = mysqli_connect($servername, $username, $password);
if (!$connection){
die("Database Connection Failed". mysqli_error($connection));
}
$select_db = mysqli_select_db($connection, $dbname);
if (!$select_db){
die("Database Selection Failed" . mysqli_error($connection));
}
?>
Thanks in advance.
As per your originally posted question and without marking it as an edit under your newly edited question, should anyone wonder why the answer.
Since we're more than likely dealing with strings
VALUES ($username, $password, $email)
needs to be wrapped inside quotes:
VALUES ('$username', '$password', '$email')
you also need to pass DB connection to your query $result = mysqli_query($query);
Edit: (you added your DB connection code after) from your original post
Since you've not shown what your DB connection is, this would be something like
$result = mysqli_query($connection,$query);
plus, adding or die(mysqli_error($connection)) to mysqli_query()
You also have a missing & in if(isset($msg) & !empty($msg)){ which should read as if(isset($msg) && !empty($msg)){
However, your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements, they're much safer.
Passwords
I also noticed that you may be storing passwords in plain text. This is not recommended.
Use one of the following:
CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/
Other links:
PBKDF2 For PHP
<?php
include ("db.php");
if (isset($_POST['register'])) {
echo $name = ($_POST["name"]);
echo $email = ($_POST["email"]);
echo $uname = ($_POST["uname"]);
echo $password = ($_POST["pass"]);
$result = mysql_query($con,'SELECT * from company_profile where user_name = "'.$uname.'" or email = "'.$email.'"');
if(mysql_num_rows($result) > 0){
echo "Username or email already exists.";
}else{
$query = mysql_query($con,"INSERT INTO company_profile(user_name, password, company_name, email, phone, country, activation_string) VALUES ('$uname','$password','$name','$email','','','')");
if($query){
echo "data are inserted succesfully.";
}else{
echo "failed to insert data.";
}
}
}
?>
HTML form
<form action="register.php" method="post" id="reg" onsubmit='return validate();'>
Company Name:
<input type="text" class="inputs" name="name" id="name" /><br />
Email:
<input type="text" class="inputs" name="email" id="txtEmail" /><br />
User name:
<input type="text" class="inputs" name="uname" id="uname"/><br />
Password:
<input type="password" class="inputs" name="pass" id="pass1"/><br />
Conferm Password:
<input type="password" class="inputs" name="cpass" id="pass2"/><br /><br />
<input type="submit" value="Register" class="button" />
</form>
Trying to check whether username or email exist in database if yes alert user if no insert values to db. The code doesn't work for me. no error no echo no insertion. any solution?
You have no field with name register
Regarding this
if (isset($_POST['register'])) {
It will never evaluate to true.
<input type="submit" value="Register" class="button" />
needs name attribute name="register"
In addition:
http://php.net/mysql_query
You have wrong order of arguments. However, using mysql_* is highly NOT encouraged. It is an obsolette database API with a lot of vulnerabilities. Switch to mysqli or PDO instead
your first check isset($_POST['register']) is always false because there is no input in your form with the name="register"
and also you chould fix your query , $con should be the second parametre.
and keep in mind that your code is highly vulnerable don't publish this on a server except of your localhost
Try this:-
$result = mysql_query('SELECT * from company_profile where user_name = "'.$uname.'" or email = "'.$email.'"',$con);
mysql_query
as you are using mysql_query, the link identifier should be second paramater
$result = mysql_query('SELECT * from company_profile where user_name = "'.$uname.'" or email = "'.$email.'"', $con);
You are over complicating yourself...
First of all, to check the user, just do this when form submits:
var_dump(mysql_num_rows(mysql_query("select bla bla where username=`{$_GET['username']}`")));
//by bla bla i mean primary key, don't select *, affects performance.
Also, please see this, you have an error in your syntax... take a look at the right parameters for mysql_query
http://ro1.php.net/mysql_query
After you set your queries and do the above test and figure out if its good or not, you can cut the 3-4 lines you have above in 1 if line like this
if(mysql_num_rows(mysql_query("select bla bla where username=`{$_GET['username']}`"))) { //code here
}
Try Without $con in INSERT query
$query = mysql_query("INSERT INTO company_profile
(
user_name, password,
company_name, email,
phone, country,
activation_string
)
VALUES
(
'$uname', '$password',
'$name', '$email',
'', '',
''
)");
You need to specify the name to your input field and check for that:-
<input type="submit" name="register" value="register">
OR
<button type="submit" name="register">Register</buton>
Below is my html code...
<form action="http://mycloud.zymichost.com/registerPHP.php" method="post" id="register" data-ajax="false">
<label>Name: <br></label>
<input name="name" type="text" maxlength="50" ><br>
<label>Email: <br></label>
<input name="email" type="text" maxlength="50" ><br>
<label>Password: <br></label>
<input name="password" type="password" maxlength="50" ><br>
<input name="fsubmit" type="button" value="Submit"><br>
</form>
Below is my php code...
<title>registerPHP</title>
<?php
$name = $_POST ['name'];
$mail = $_POST['email'];
$pass = $_POST ['pass'];
//$un = 'abc';
//$pw = 'abc';
$mysql_hostname = "localhost";
$mysql_database = "mycloud_zymichost_register";
$mysql_user = "lorem-ipsum";
$mysql_password = "********";
$conn = mysql_connect($mysql_hostname,$mysql_user,$mysql_password);
mysql_select_db($mysql_database, $conn );
//$query = "SELECT * FROM Login WHERE username = '$un' AND password = '$pw'";
$query = "INSERT INTO Register (name,email,pass) VALUES ('$name','$email','$pass')";
$result = mysql_query($query) or die("Unable to insert user data because : " . mysql_error());
if ($result = mysql_query($query))
echo "Data is inserted";
?>
i cnt send the input data to my database which is mysql online.. may i know why? the sometimes null value is send to the database.. i tried input from my php.. it can.. bt using the post method in html to call the php file to insert.. the value is nt go in.. and everytime i refresh the php page.. null value will be inserted into my db...
Looks like (from a guess) that you're trying to submit the form data to loginPHP but the PHP that saves the data is registerPHP?!
Your formaction has loginphp.php.
Are you sure the php code you posted has the name loginphp.php?