Altering DATE and posting it back to phpmyadmin using mysql - php

header ('Refresh: 1;url=registrationform.php');
include 'dbconnect.php';
$id = $_POST['id'];
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$email = $_POST['email'];
$password = $_POST['password'];
$DOB = $_POST['dob'];
$gender = $_POST['gender'];
$telephone = $_POST['telephone'];
$memberTypeID = $_POST['memberTypeID'];
$Active = $_POST['Active'];
$sql = "UPDATE user SET firstName = '$firstName', lastName = '$lastName', email = '$email', password = '$password', DOB = '$DOB', gender = '$gender', telephone = '$telephone', memberTypeID = '$memberTypeID', Active = '$Active' WHERE userID = $id";
$result=mysql_query($sql)or die ("COULD NOT UPDATE USER!!");
This is the code I am using to enter the DOB back into the database; when entered, it returns 0000-00-00.

Check what is inside $_POST['dob']. Also, if the input value is not a valid date value, then don't try to insert it. So if it's not a valid value, then make the dob NULL and also make your table structure compatible to allow NULL values. If your $_POST['dob'] doesn't contain a valid date value in YYYY-MM-DD format, then that value will be inserted as 0000-00-00 in the database.
So try something like the following:
$DOB = NULL;
if(isset($_POST['dob']) && trim($_POST['dob']) != '')
//make necessary validations and assign the value
$DOB = $newValue;//Assume $newValue contains new date value in YYYY-MM-DD format
Also, don't use mysql_ functions anymore since they are deprecated. Try using mysqli_ functions and prepared statements, because your code is vulnerable to SQL injection.
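One way to carry out the validation and NULL handling described in this answer, as an added example that is not part of the original post. It assumes PDO is available and uses an in-memory SQLite table as a stand-in for the MySQL `user` table; `parseDob` and `updateDob` are hypothetical helper names.

```php
<?php
// Added example: strict date validation plus a parameterized UPDATE.
// Assumptions: PDO is available; the in-memory SQLite table stands in for
// the MySQL `user` table from the question (constructed sample data).

/** Return the date as YYYY-MM-DD, or null if the input is not a real date. */
function parseDob(?string $raw): ?string
{
    $raw = trim((string) $raw);
    if ($raw === '') {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat rolls 2021-02-30 over into March, so compare the
    // round-tripped value with the input to reject impossible dates.
    if ($dt === false || $dt->format('Y-m-d') !== $raw) {
        return null;
    }
    return $dt->format('Y-m-d');
}

function updateDob(PDO $pdo, int $userId, ?string $rawDob): int
{
    $dob = parseDob($rawDob);
    $stmt = $pdo->prepare('UPDATE user SET DOB = :dob WHERE userID = :id');
    // Bind NULL explicitly so an invalid date is stored as NULL, never as ''.
    $stmt->bindValue(':dob', $dob, $dob === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (userID INTEGER PRIMARY KEY, DOB TEXT NULL)');
$pdo->exec("INSERT INTO user (userID, DOB) VALUES (1, '1990-01-01')");

// Constructed inputs: one valid date, a wrong format, an impossible date,
// and a value with a stray quote that the format check rejects.
foreach (['1985-07-14', '14/07/1985', '2021-02-30', "1985-07-14'"] as $input) {
    updateDob($pdo, 1, $input);
    $stored = $pdo->query('SELECT DOB FROM user WHERE userID = 1')->fetchColumn();
    printf("%-14s -> %s\n", $input, $stored === null ? 'NULL' : $stored);
}
```

The DOB column must be declared to allow NULL for the invalid cases to be stored that way, as the answer notes.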

Related

`mysql_real_escape_string()` returns empty MySql Fields

I have an HTML contact form in which the user is allowed to write whatever he wants in the message input field. This form is being posted using AJAX and being processed in the PHP below.
My problem is that I get an empty row in the MySql table.
I am simply wondering why $message = $_POST['message']; returns the proper value, when $message = mysql_real_escape_string($_POST['message']); returns empty string!!
What am I missing here??
//posted data
$firstName = mysql_real_escape_string($_POST['firstName']);
$lastName = mysql_real_escape_string($_POST['lastName']);
$name = $firstName. ' ' .$lastName ;
$email = mysql_real_escape_string($_POST['email']);
$phone = mysql_real_escape_string($_POST['phone']);
$subject = mysql_real_escape_string($_POST['subject']);
$hear = mysql_real_escape_string($_POST['hear']);
$message = mysql_real_escape_string($_POST['message']);
$db_server = mysql_connect($db_hostname, $db_username, $db_password);
// Check if is Duplicates
$query_usercheck = " select * from `test` where Name='$name' and Email='$email' and Phone='$phone' and Subject='$subject' and Message='$message' "; //matching all fields
$usercheck = mysql_query($query_usercheck) or die(mysql_error());
$row_usercheck = mysql_fetch_assoc($usercheck);
$totalRows_usercheck = mysql_num_rows($usercheck);
if ( $totalRows_usercheck > 0 ) {
$duplicate = 'Yes';
} else {
$duplicate = 'No';
//adding application data to MySql database
$add = mysql_query("INSERT INTO `test` (`Date`, `Day`, `Time`, `Name`, `Email`, `Phone`, `Subject`, `From`, `Message`)
VALUES ('$date','$day','$time','$name','$email','$phone','$subject','$hear','$message')");
}
// close mysql
mysql_close();
The problem is that you connect to the database after you do mysql_real_escape_string. Please move your connecting to the database before escaping your variables.
Even better, get rid of the deprecated mysql_* functions (they are even gone in PHP 7)! Use mysqli or, even better, use PDO with prepared statements, as even mysql_real_escape_string is not safe.
mysql_real_escape_string requires an active database connection to do its job. You have not established a connection at the point of calling it.

Update table for only one record

I have a question, I want to edit customer information, but I only want to update record of one customer at a time. I tried to add where _SESSION['customerCode'] but it doesn't seem to work.
<?php
$connection =
mysql_connect("com-db-02.student-cit.local", "team16", "DbSLzU")
or die (mysql_error());
$db = mysql_select_db("team16") or die(mysql_error());
$FName = $_POST['fname'];
$LName = $_POST['lname'];
$Email = $_POST['custemail'];
$Address = $_POST['address'];
$Town = $_POST['town'];
$County = $_POST['county'];
$Eircode = $_POST['eircode'];
$Phone = $_POST['phone'];
$query = mysql_query("UPDATE CUSTOMER set custFName = '$FName', custLName = '$LName', custemail = '$Email' where customerCode = "$_SESSION['customerCode']"") or die(mysql_error());
?>
I get an error unexpected '$_SESSION' (T_VARIABLE)
Also is it possible to add not update those fields that are blank, so if customer wants to change their address only, other fields won't get wiped out
You have a mistake in your concatenation. Make it like this: .$_SESSION['customerCode']
Try the code below.
session_start();
$custCode = $_SESSION['customerCode'];
$query = mysql_query("UPDATE CUSTOMER set custFName = '$FName', custLName = '$LName', custemail = '$Email' where customerCode = ".$custCode) or die(mysql_error());
Also is it possible to add not update those fields that are blank, so
if customer wants to change their address only, other fields won't get
wiped out
This has already been answered here before. Search for MySQL COALESCE.
You can check the following:
https://dba.stackexchange.com/a/36748
https://stackoverflow.com/a/15525287/4672534

Update mysql without replacing empty fields

I'm trying to do an update without replacing the empty fields. For example, if I have field number 1 and it is empty, nothing happens in the database, but if field number 2 has some content, I want it to be updated. What happens is that when I do it, the empty field goes to the database and REPLACES the content of the field with an empty value.
I need an example of how I can do it.
PS: I am using PHP OOP.
This is my query:
$conio = "UPDATE affiliates SET nickname = '$nickname', fullname = '$fullname' , email = '$email', skype = '$skype', country = '$country', address = '$address', city = '$city', zip = '$zip', bankname = '$bankname', bankaccount = '$bankaccount', beneficiary = '$beneficiary', username = '$username', password = '$password', whene = '$whene' WHERE id = '$users'";
mysqli_query($this->link, $conio) or die (mysqli_error($this->link));
Example: If you want to update the input where the value is not null.
<?php
...
$sql = "UPDATE affiliates SET ";
$sql_where = "WHERE id = '$users'";
$sql_set = "";
$firstName = $_POST['firstName'];
if(!empty($firstName))
$sql_set .= "firstName = '$firstName',";
$lastName = $_POST['lastName'];
if(!empty($lastName))
$sql_set .= "lastName = '$lastName',";
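// ... and the same thing for all the other inputs ...
// Drop the trailing comma and put a space before WHERE, otherwise the SQL is invalid.
// mysqli_query with $this->link matches the connection used in the question.
mysqli_query($this->link, $sql . rtrim($sql_set, ',') . ' ' . $sql_where);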
Of course there are better ways of writing this code (ex: using for loop on elements of $_POST), but that's the concept, ...
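The "skip blank fields" update asked for here and in the earlier customer-record question, written with bound parameters and a fixed column allow-list. This is an added example, not code from the original posts. It assumes PDO, uses an in-memory SQLite table as a stand-in for `affiliates`, and simulates `$_POST` with a constructed array; `updateAffiliate` and `EDITABLE` are hypothetical names.

```php
<?php
// Added example: update only the fields that were actually filled in.
// Assumptions: PDO is available; the in-memory SQLite table stands in for
// the `affiliates` table; $_POST is simulated by the constructed $post array.

// Column names cannot be bound as parameters, so they come from this fixed
// allow-list and never from the request itself.
const EDITABLE = ['nickname', 'fullname', 'email', 'city'];

function updateAffiliate(PDO $pdo, int $id, array $post): int
{
    $set = [];
    $params = [':id' => $id];
    foreach (EDITABLE as $column) {
        $value = isset($post[$column]) && is_string($post[$column]) ? trim($post[$column]) : '';
        if ($value === '') {
            continue; // blank or missing: leave the stored value alone
        }
        $set[] = "$column = :$column";
        $params[":$column"] = $value;
    }
    if ($set === []) {
        return 0; // nothing to change; avoids emitting "UPDATE ... SET WHERE"
    }
    $stmt = $pdo->prepare('UPDATE affiliates SET ' . implode(', ', $set) . ' WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE affiliates (id INTEGER PRIMARY KEY, nickname TEXT, fullname TEXT, email TEXT, city TEXT)');
$pdo->exec("INSERT INTO affiliates VALUES (1, 'ann', 'Ann Example', 'ann@example.test', 'Cork')");

// Constructed request: only city is filled in, and "password" is not in the
// allow-list, so it is ignored even though it was submitted.
$post = ['nickname' => '', 'fullname' => '  ', 'city' => "O'Fallon", 'password' => 'x'];
updateAffiliate($pdo, 1, $post);
print_r($pdo->query('SELECT * FROM affiliates WHERE id = 1')->fetch(PDO::FETCH_ASSOC));
```

In the customer-record case, the WHERE value would come from the server-side session rather than from the form, bound the same way as `:id`.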

Inserting 'sign-up' date into MySQL table

I have a sign up form and I am trying to record the date the form was filled out, into MySQL table. All of the information that I am requesting within the form is being recorded, except for the date. Would anyone be able to help me out with this task?
Here is a snippet of my PHP code of where I think the problem resides. I am also using PHPmyadmin for my database; if that is relevant.
Here is the link to the page www.3elementsreview.com/sign-up
$value = $_POST['First'];
$value2 = $_POST['Last'];
$value3 = $_POST['City'];
$value4 = $_POST['State'];
$value5 = $_POST['Country'];
$value6 = $_POST['Email'];
$value7 = $_POST['Y-m-d H:i:s'];
$sql = "INSERT INTO members (First, Last, City, State, Country, Email, Date) VALUES ('$_POST[First]','$_POST[Last]','$_POST[City]','$_POST[State]','$_POST[Country]','$_POST[Email]','$_POST[Date]')";
Your code is dangerous and allows sql injection attacks.
First off, the mysql_* library is deprecated.
Second, if you are going to use mysql_* functions, use mysql_real_escape_string on ALL your POST fields.
Thirdly this will solve your issue:
$value = mysql_real_escape_string($_POST['First']);
$value2 = mysql_real_escape_string($_POST['Last']);
$value3 = mysql_real_escape_string($_POST['City']);
$value4 = mysql_real_escape_string($_POST['State']);
$value5 = mysql_real_escape_string($_POST['Country']);
$value6 = mysql_real_escape_string($_POST['Email']);
$sql = "INSERT INTO members (First, Last, City, State, Country, Email, Date) VALUES ('$value','$value2','$value3','$value4','$value5','$value6',NOW())";
In MySQL, the function NOW() is used to return the current date/time.
Unless your parameter is called Y-m-d%20H:i:s=____, you should probably be collecting a $_POST['date'] variable or something, then converting it into a date after assigning it to a variable.
$value7 = $_POST['date'];
$value7 = date('Y-m-d H:i:s', $value7);

php mysql update query

I have this piece of code that allows users to edit their profile from the form using PHP and MySQL. When I echo the submitted or changed value, it displays the right and edited value, but nothing changes in the database. Can anyone help me solve this problem?
This is the part where I am updating the query.
If you need any additional files, let me know, and thank you.
search.php
//submit what the user types into the database
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$country = $_POST['country'];
$spec = $_POST['specialization'];
// error in updating the database
$edit_query = mysql_query("UPDATE user SET first_name= '$fname', last_name= '$lname', address= '$country', specialization_name= '$spec' WHERE user_name = '$username'") or die(mysql_error());
$username is not defined. As a result, the query is executed for no database row.
Please use prepared statements instead of SQL-injectable mysql_query().
You need to initialise the userName variable.
Try this.....
$edit_query = mysql_query("UPDATE `user` SET first_name= '".$fname."', last_name= '".$lname."', address= '".$country."', specialization_name= '".$spec."' WHERE user_name = '".$username."'") or die(mysql_error());
//Make sure that your $username holds some valid value.
$username is required and your query is vulnerable to SQL injection, so use the mysql_real_escape_string() function.
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$country = mysql_real_escape_string($_POST['country']);
$spec = mysql_real_escape_string($_POST['specialization']);
$edit_query = mysql_query("UPDATE user SET first_name= '$fname', last_name= '$lname', address= '$country', specialization_name= '$spec' WHERE user_name = '$username'") or die(mysql_error());
