I'm having a problem. I'm working on a custom cms for my site and for some reason the users will not update in the admin panel. It pulls there ID and displays there information in the proper fields, but it will not update and I have no clue why. It just refreshes with the same info, doesn't update my the database or anything. I've tried to fix this, but it won't work. I did different alterations, but all were fails so I decided to just post the original one with a few bug fixes not relating to the updating process.
Heres the whole code:
<?php
$id = $_GET['id'];
$result = $db->query("SELECT * FROM users WHERE Id = '".$id."'");
if(isset($_POST['submit']))
{
$username1 = $_POST['Username'];
$email1 = $_POST['Email'];
$password1 = $_POST['Password'];
$f_name = $_POST['FName'];
$l_name = $_POST['LName'];
$rank1 = $_POST['Rank'];
$skype1 = $_POST['SkypeID'];
$db->query("UPDATE users SET (Email, Username, FName, LName, Rank, SkypeID) VALUES(''.$email1.'', ''.$username1.'', ''.$f_name.'', ''.$l_name.'', ''.$rank1.'', ''.$skype1.'') WHERE Id = ".$id."");
}
?>
<b>Update User</b>
<?php
$id = $_GET['id'];
$result = $db->query("SELECT * FROM users WHERE id='$id'");
while($row = $result->fetch_assoc())
{
$username = $row['Username'];
$email = $row['Email'];
$fname = $row['FName'];
$lname = $row['LName'];
$rank = $row['Rank'];
$skype = $row['SkypeID'];
}
?>
<form method="POST">
Username: <input type="text" name="username" value="<?php echo($username); ?>"><br>
Email: <input type="email" name="email" value="<?php echo($email);?>"><br>
Passowrd: <input type="password" name="password"><br>
First Name: <input type="text" name="f_name" value="<?php echo($fname);?>"><br>
Last Name: <input type="text" name="l_name" value="<?php echo($lname); ?>"><br>
Rank: <input type="text" name="rank" value="<?php echo($rank); ?>"><br>
Skype: <input type="text" name="rank" value="<?php echo($skype); ?>">
<button type="submit" name="submit">Update User</button>
</form>
Config file/$db:
<?php
$db = new mysqli('localhost', 'user', 'pass', 'database');
function registerSession($name, $value)
{
$_SESSION[$name] = $value;
}
?>
UPDATE
I have fixed the problem, I changed the query to this
$db->query("UPDATE users SET Email= '$email1' , Username= '$username1' , FName= '$f_name' , LName= '$l_name', Rank= '$rank1' , SkypeID= '$skype1' WHERE Id = ".$id."") or die (mysql_error());
I cringed when I saw this...
$id = $_GET['id'];
$result = $db->query("SELECT * FROM users WHERE id='$id'");
Because you have yet to tell us what $db is, based on the looks of things I'm going to guess its a mysql_* function? I would enjoy watching someone SQL injecting this! Show us how $db is created (It better be at least mysqli, if not PDO! If not, Google "mysqli" or "PDO") please?
It's hard to tell what your problem is.
Related
Currently doing the address part in e-commerce website application. The address needs to be edited. I have included the SQL query and PHP code well, but still can't run. There is no error message prompt. Below is my part of the code:
As there are multiple addresses, each address has an edit and delete button. The edit button will do the editing work based on the address-id passed inside.
<?php
while($row = mysqli_fetch_array($address_result_query)) {
$address_id=$row['address_id'];
$_SESSION['address_id'] = $address_id;
echo "<td>
<a class='editbutton' href='editaddress.php?
address_id=".$address_id."'>Edit</a>
</td>";
?>
On the edit page, it will show the address data currently, and allow the user to modify it inside the text box. Below is the code to get the user data.
<form name="update_" method="post" action="editaddress.php" >
<?php
$address_id = $_SESSION['address_id'];
$result2 = mysqli_query($mysqli, "SELECT * FROM user_address WHERE address_id='$address_id'");
$row2=mysqli_fetch_assoc($result2);
if(isset($row2['address'])!=null){
$address = $row2['address'];
$state = $row2['state'];
$city = $row2['city'];
$postcode = $row2['postcode'];
$address_name = $row2['address_name'];
$address_phone = $row2['address_phone'];
}
?>
Code to show the data:
<div class="container_header">
<p>Edit Address</p>
<br>
</div>
<label>Recipient Name:</label>
<br>
<input type="text" size="50" class="address_name"name="address_name" value="<?php echo $address_name;?>">
<br><br>
<label>Recipient Phone:</label>
<br>
<input type="text" size="50" class="address_phone"name="address_phone" value="<?php echo $address_phone;?>">
<br><br>
<label>Recipient address:</label>
<br>
<input type="text" size="50" class="address"name="address" value="<?php echo $address;?>">
<br><br>
<input type="text" size="50" class="state"name="state" value="<?php echo $state;?>">
<br><br>
<input type="text" size="50" class="city"name="city" value="<?php echo $city;?>">
<br><br>
<input type="text" size="50" class="postcode"name="postcode" value="<?php echo $postcode;?>">
<br><br>
<input type="button" onclick="location.href='index.php';" name="add_address" value="Cancel" class="cancel">
<input type="submit" name="update_address" value="Update">
</form>
When user click on the update address, below PHP will run, but it's not. The code are inside the edit page, same location with above
if(isset($_POST['update_address']))
{
if(isset($_POST['address'])){
$address = $_POST['address'];
}else echo"address not get";
$address_id = $_POST['address_id'];
$state = $_POST['state'];
$city = $_POST['city'];
$postcode = $_POST['postcode'];
$address_name = $_POST['address_name'];
$address_phone = $_POST['address_phone'];
$myquery = "UPDATE user_address SET
address='$address',
state='$state',
city='$city',
postcode='$postcode',
address_name='$address_name',
address_phone='$address_phone'
WHERE address_id='$address_id'";
$result = mysqli_query($mysqli,$myquery)or die(mysqli_error($mysqli));
header("Location: ../profile/index.php");
}
?>
The issue is that you are trying to set the address_id with a Post variable that is not submitted with the form. So when the query is being constructed the id is not being specified and it fails.
eg.
UPDATE user_address
SET address='123 Test Road',
state='Test',
city='Test City',
postcode='1234',
address_name='John',
address_phone='123456789'
WHERE address_id='' -- See no ID
It's best practice to use prepared statements. You can read more about them here:
https://www.w3schools.com/php/php_mysql_prepared_statements.asp
I'll help you out by showing you how you would do this in your code.
Below is code that shows how to fix the problem and resolve sql injection issues:
First update your select statement to use a prepared statement like this:
<?php
$address_id = $_SESSION['address_id'];
//Prepare the query
$stmt = $mysqli->prepare("SELECT * FROM user_address WHERE address_id = ?");
//bind the parameters
$stmt->bind_param("i",$address_id); //the i is for integer
//execute the query
$stmt->execute();
$result = $stmt->get_result();
while($row2 = $result->fetch_assoc()) {
$address = $row2['address'];
$state = $row2['state'];
$city = $row2['city'];
$postcode = $row2['postcode'];
$address_name = $row2['address_name'];
$address_phone = $row2['address_phone'];
}
$stmt->close();
?>
Then fix the initial problem by using the $_SESSION['address_id'] instead of $_POST['address_id'] and convert your update statement toa prepared statement:
<?php
if(isset($_POST['update_address']))
{
if(isset($_POST['address'])){
$address = $_POST['address'];
}else echo"address not get";
//$address_id = $_POST['address_id']; // <----- This is the problem line
//update your code so the above line is like this:
$address_id = $_SESSION['address_id'];
$state = $_POST['state'];
$city = $_POST['city'];
$postcode = $_POST['postcode'];
$address_name = $_POST['address_name'];
$address_phone = $_POST['address_phone'];
$myquery = "UPDATE user_address SET
address= ?,
state= ?,
city= ?,
postcode=?,
address_name=?,
address_phone=?
WHERE address_id=?";
//Prepare the query
$stmt = $mysqli->prepare( $myquery );
//bind the parameters
$stmt->bind_param("ssssssi", $address, $state, $city,$postcode, $address_name,$address_phone, $address_id); // s means string & i means int
//execute the query
$stmt->execute();
$stmt->close();
header("Location: ../profile/index.php");
}
?>
Another good read is this website here:
https://websitebeaver.com/prepared-statements-in-php-mysqli-to-prevent-sql-injection
I am trying to implement and update query that updates a record in the database. I'm new to php here is my code :
<input type="text" name="name" value="<?= $name ?> "><br><br>
E-mail: <input type="text" name="email" value="<?= $email ?>" ><br><br>
Password: <input type="password" name="password" value="<?= $pass ?>" >
Here is the fetch command:
<?php
include("connection.php");
$id = $_GET['id'];
$qry = "SELECT * from studentinformation WHERE ID = $id";
$result = mysqli_query($con,$qry) or die(mysqli_error($con));
while($row = mysqli_fetch_assoc($result)){
$name= $row['FullName'];
$email = $row['email'];
$pass = $row['Password'];
$major = $row['major'];
}
?>
here is the action page:
<?php
include("connection.php");
//include("UpdateStudent.php");
$id = $_GET['id'];
$name = $_GET['name'];
$email= $GET['email'];
$pass = $_GET['password'];
//$major = $_POST['major'];
$qry = "UPDATE studentinformation SET FullName = '$name', email='$email', Password= '$pass'
WHERE ID = $id";
$result = mysqli_query($con,$qry) or die(mysqli_error($con));
if($result === false){
echo "Record didn't update";
}
else{
echo "Record Updated";
}
?>
Here is the form:
<form action="UpdateStudentAction.php?id=<?= $id ?>" method="get" enctype="multipart/form-data">
Please help guys I'm new to php
Move id from action attribute into a hidden input:
<form action="UpdateStudentAction.php" method="get" enctype="multipart/form-data">
<input type="hidden" name="id" value="<?=$id?>">
...
will do the magic.
And avoid empty spaces into value attributes;
Make your form POST data instead of using GET method (that passes form data through url). Especially that you already using id query param in the url. You can include the id inside the form as a hidden field:
<form action="UpdateStudentAction.php?id=<?= $id ?>" method="POST" enctype="multipart/form-data">
<input type="hidden" name="id" value="<?= $id ?> ">
<input type="text" name="name" value="<?= $name ?> "><br><br>
E-mail: <input type="text" name="email" value="<?= $email ?>" ><br><br>
Password: <input type="password" name="password" value="<?= $pass ?>" >
</form>
Then in your UpdateStudentAction.php file you can receive data using post:
<?php
include("connection.php");
//include("UpdateStudent.php");
$id = $_POST['id'];
$name = $_POST['name'];
$email= $_POST['email'];
$pass = $_POST['password'];
//$major = $_POST['major'];
$qry = "UPDATE studentinformation SET FullName = '$name', email='$email', Password= '$pass'
WHERE ID = $id";
$result = mysqli_query($con,$qry) or die(mysqli_error($con));
if($result === false){
echo "Record didn't update";
}
else{
echo "Record Updated";
}
?>
The GET method is restricted to send upto 1024 characters only.
The POST method does not have any restriction on data size to be sent. (You can use POST method instead of GET method)
I wanna update just one data from a record using php form but the thing is, when i do that, the rest of the data gets removed from the record.. What do i do :/ here are my codes for updating. What is the mistake i am making.. I am very confused. Would really appreciate some help.
<?php
include('db.php');
if(isset($_POST['update']))
{
$hostname = "localhost";
$username = "root";
$password = "";
$databaseName = "winc sports";
$connect = mysqli_connect($hostname, $username, $password, $databaseName);
$id = $_POST['id'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$age = $_POST['age'];
$country=$_POST['country'];
$phone=$_POST['phone'];
$email=$_POST['email'];
$select = "SELECT * FROM studens WHERE id = '$id'";
$selected = mysqli_query($connect, $select);
$row = mysqli_fetch_assoc($selected);
if (empty($_POST['fname'])) {$fname = $row['fname'];} else {$fname = $_POST['fname'];}
if (empty($_POST['country']))
{
$country = $row['country'];
}
else {
$country = $_POST['country'];
}
if (empty($_POST['id'])) {
$id = $row['id'];
}
else {
$id = $_POST['id'];
}
if (empty($_POST['age'])) {$age = $row['age'];} else {$age = $_POST['age'];}
if (empty($_POST['phone'])) {$phone = $row['phone'];} else {$phone = $_POST['phone'];}
if (empty($_POST['email'])) {$email = $row['email'];} else {$email = $_POST['email'];}
$query = "UPDATE students SET Fname= '$fname', Lname = '$lname', Nationality = '$country', PhoneNumber = '$phone', Email= '$email', Age = '$age' WHERE Id = '$id'";
$result = mysqli_query($connect, $query);
var_dump($result);
if($result)
{
echo 'Data Updated';
}else
{
echo 'Data Not Updated';
}
mysqli_close($connect);
}
?>
<!DOCTYPE html>
<html>
<head>
<title>PHP INSERT DATA USING PDO</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<form action="updating.php" method="post">
<input type="text" name="id" placeholder="Enter new ID"><br><br>
<input type="text" name="fname" placeholder="Enter new First Name"><br><br>
<input type="text" name="lname" placeholder="Enter new Last Name"><br><br>
<input type="number" name="age" placeholder="Enter new age" min="13" max="90"><br><br>
<input type="text" name="country" placeholder="Enter new Nationality"><br><br>
<input type="number" name="phone" placeholder="Enter new Phone Number"><br><br>
<input type="text" name="email" placeholder="Enter new Email"><br><br>
<input type="submit" name="update" value="update">
</form>
</body>
</html>
The select statement is fetching data from a table called studens. This looks like a typo of the actual table so it won't actually fetch any results for you to update. Thus, the data you wind up updating the table with is empty. Rename the initial select table to students and it should properly fetch the data.
Also, please look into prepared statements or various other methods to sanitize inputs. Using POST variables directly in a query makes you extremely vulnerable to SQL Injection.
I'm sorry to ask such a narrow question, but I have this code in PHP and it is supposed to update a user's account. There is no error being returned and my IDE cannot identify the problem either. The problem is now that the code is not updating the database. I hope I can get some help on the subject.
Here is my PHP code:
<?php
session_start();
$con = mysqli_connect("mysql.serversfree.com", "u190182631_embo", "17011998embo", "u190182631_login");
$username = $_POST['user_name'];
$last = $_POST['lname'];
$first = $_POST['fname'];
$address = $_POST['address'];
$email = $_POST['email'];
$year = $_POST['year'];
if ($_SERVER["REQUEST_METHOD"] == "POST") {
if (mysqli_connect_errno()) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
mysqli_query($con,"UPDATE users SET last_name = '$last'
WHERE user_name = $_SESSION[user_name]");
mysqli_close($con);
}
?>
Any my HTML form if that is needed:
<form method="post" action="update.php">
Username: <input type="text" name="user_name" value="<?php echo $_SESSION['user_name']?>"><br><br>
Email: <input type="text" name="email" value="<?php echo $_SESSION['user_email']?>"><br><br>
Last Name: <input type="text" name="lname" value="<?php echo $_SESSION['last_name']?>"><br><br>
First Name: <input type="text" name="fname" value="<?php echo $_SESSION['first_name']?>"><br><br>
Street Address: <input type="text" name="address" value="<?php echo $_SESSION['address']?>"><br><br>
Year Graduated: <input type="text" name="year" value="<?php echo $_SESSION['year']?>"><br><br>
<input type="submit" value="Update Information"><br>
</form>
<form method="link" action="manage.php">
<input type = "submit" value = "Cancel"><br>
</form>
Any help would be great!
Try this - it will also help against SQL injection attacks:
$db = new mysqli("mysql.serversfree.com", "u190182631_embo", "17011998embo", "u190182631_login");
$username = $_POST['user_name'];
$last = $_POST['lname'];
$first = $_POST['fname'];
$address = $_POST['address'];
$email = $_POST['email'];
$year = $_POST['year'];
if ($_SERVER["REQUEST_METHOD"] == "POST")
{
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$stmt = $db->prepare("UPDATE users SET last_name = ? AND WHERE user_name = ?;");
$stmt->bind_param("ss", $last, $_SESSION['user_name']);
$stmt->execute();
$stmt->close();
}
The big problem here is that you don't know how to debug the problem yourself, nor what information to include in a request for help.
There is no error being returned
How do you know? you don't check for any error from the query. Consider:
$upd="UPDATE users SET last_name = '$last'
WHERE user_name = $_SESSION[user_name]";
if (!mysqli_query($con,$upd)) {
print "query failed: $upd \n\n<br />" . mysqli_error();
}
You've shown a fragment of the code used to generate the form - but not what actually got sent to to the browser,
As Fred -ii- says, it seems very strange that $_SESSION[user_name] is not quoted in your SQL.
try this
mysqli_query($con,"UPDATE users SET last_name = '$last' WHERE user_name = {$_SESSION['user_name']}");
Update this line of code:
mysqli_query($con,"UPDATE users SET last_name = '$last'
WHERE user_name = $_SESSION[user_name]");
with the new one:
mysqli_query($con,"UPDATE users SET last_name = '$last'
WHERE user_name = $_SESSION['user_name']");
Hope it will work!
Question at hand:
How do I create the php code to let users who are logged into my site edit/update their profile settings/information?
I have 1 part working correctly for users to change their password, however, have no idea where to start when it comes to allowing users who are logged in to edit/update their other settings such as:
(1) nickname,
(2) country,
(3) date of birth,
(4) gender,
(5) motto and
(6) bio
I'll provide the php and html code below that I have that is working for changing password, but I know that I need more to let users change/edit/update their other information. I tried using what is below as a reference to create the php code for the other information, but it didn't work so I have no idea where to even begin! Any help will be much appreciated...
PHP reference code:
if($_POST['submit']=='Change')
{
$err = array();
if(!$_POST['password1'] || !$_POST['passwordnew1'])
$err[] = 'All the fields must be filled in!';
if(!count($err))
{
$_POST['password1'] = mysql_real_escape_string($_POST['password1']);
$_POST['passwordnew1'] = mysql_real_escape_string($_POST['passwordnew1']);
$row = mysql_fetch_assoc(mysql_query("SELECT id,username FROM members WHERE username='{$_SESSION['username']}' AND pass='".md5($_POST['password1'])."'"));
if($row['username'])
{
$querynewpass = "UPDATE members SET pass='".md5($_POST['passwordnew1'])."' WHERE username='{$_SESSION['username']}'";
$result = mysql_query($querynewpass) or die(mysql_error());
$_SESSION['msg']['passwordchange-success']='* You have successfully changed your password!';
}
else $err[]='Wrong password to start with!';
}
if($err)
$_SESSION['msg']['passwordchange-err'] = implode('<br />',$err);
header("Location: members.php?id=" . $_SESSION['username']);
exit;
}
HTML reference code:
<form action="" method="post">
<label class="grey" for="password1">Current Password:</label>
<input class="field" type="password" name="password1" id="password1" value="" size="23" />
<label class="grey" for="password">New Password:</label>
<input class="field" type="password" name="passwordnew1" id="passwordnew1" size="23" />
<input type="submit" name="submit" value="Change" class="bt_register" style="margin-left: 382px;" />
<div class="clear"></div>
<?php
if($_SESSION['msg']['passwordchange-err'])
{
echo '<div class="err">'.$_SESSION['msg']['passwordchange-err'].'</div>';
unset($_SESSION['msg']['passwordchange-err']);
}
if($_SESSION['msg']['passwordchange-success'])
{
echo '<div class="success">'.$_SESSION['msg']['passwordchange-success'].'</div>';
unset($_SESSION['msg']['passwordchange-success']);
}
?>
</form>
So how would I create the php code to make this work for users to be able to edit/update their own profile settings/information from the numeric list I provided above (1-6)?
And I know using mysqli/pdo is a better alternative to use, but I unfortunately need to use the old deprecated mysql_* stuff for this project at this time...
If you need more info, let me know ;)
EDIT:
Additional Question,
I'd assume too that I'd need to create variables for each column too such as:
$nickname = $_POST['nickname'];
$country = $_POST['country'];
etc...or is that not correct?
RE-EDIT:
Would something like this be applicable?
$id = $_SESSION['id'];
if ($_POST['country']) {
$country = $_POST['country'];
$nickname = $_POST['nickname'];
$DOB = $_POST['DOB'];
$gender = $_POST['gender'];
$motto = $_POST['motto'];
$bio = $_POST['bio'];
$sql = mysql_query("UPDATE members SET country='$country', nickname='$nickname', DOB='$DOB', gender='$gender', motto='$motto', bio='$bio' WHERE id='$id'");
exit;
}
$sql = mysql_query("SELECT * FROM members WHERE id='$id' LIMIT 1");
while($row = mysql_fetch_array($sql)){
$country = $row["country"];
$nickname = $row["nickname"];
$DOB = $row["DOB"];
$gender = $row["gender"];
$motto = $row["motto"];
$bio = $row["bio"];
}
Or am I way off base?
short version ;)
HTML file:
<form action="./change.php" method="post">
Nickname: <input type="text" name="nickname"><br />
Country: <input type="text" name="country"><br />
Date of birth: <input type="text" name="date_of_birth"><br />
Gender: <input type="text" name="gender"><br />
Motto: <input type="text" name="motto"><br />
Bio: <input type="text" name="bio"><br />
<input type="submit" value="Submit">
</form>
change.php:
<?php
function filter($date)
{
return trim(htmlspecialchars($date));
}
$nickname = filter($_POST['nickname'])
$country = filter($_POST['country'])
$date_of_birth = filter($_POST['date_of_birth'])
$gender = filter($_POST['gender'])
$motto = filter($_POST['motto'])
$bio = filter($_POST['bio'])
if (isUserLogIn)
{
//SQL update query
}
?>