Update user profile page with PHP MySQL - php

I have created a social website. So far everything is good with the login and logout etc., but when it comes to the edit profile page I can't figure out my error. Can somebody suggest what's wrong, or is there a better way to approach this Update Profile page?
The error I am getting is:
Parse error: syntax error, unexpected '$firstname' (T_VARIABLE) in C:\wamp\www\change.php on line 28
My PHP code:
<?php
session_start();
if (isset($_SESSION['username'])) {
$username = $_SESSION['username'];
}
else {
echo "You have not signed in";
}
?>
<?php
include_once ("php_includes/db_conx.php");
$sql = "SELECT * FROM users WHERE username='$u' AND activated='1' LIMIT 1";
$user_query = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($user_query, MYSQLI_ASSOC)) {
$username = $row["surname"];
$firstname = $row["firstname"];
$surname = $row["surname"];
$weight = $row["weight"];
$height = $row["height"];
}
function filter($date)
{
return trim(htmlspecialchars($date));
}
$username = filter($_POST['username'])
$firstname = filter($_POST['firstname'])
$surname = filter($_POST['surname'])
$weight = filter($_POST['weight'])
$height = filter($_POST['height'])
if (username)
{
$sql = mysql_query ("UPDATE users SET username='$username', firstname='$firstname', surname='$surname', weight='$weight', height='$height' WHERE username='$username'")
or die (mysql_error());
}
?>
<form action="change.php" method="post">
Username: <input type="text" name="username"><br />
Firstname: <input type="text" name="firstname"><br />
Surname: <input type="text" name="surname"><br />
weight: <input type="text" name="weight"><br />
height: <input type="text" name="height"><br />
<input type="submit" value="Submit">
</form>

$username = filter($_POST['username']);
$firstname = filter($_POST['firstname']);
$surname = filter($_POST['surname']);
$weight = filter($_POST['weight']);
$height = filter($_POST['height']);
You need to terminate each statement/ line with ;

$sql = mysql_query ("UPDATE users SET weight='$weight', height='$height' WHERE username='$username'")
I think you have to create it like this:
$sql = mysql_query ('UPDATE users SET username ="'.$username.'" WHERE username="'.$username.'"');
$sql = mysql_query ('UPDATE users SET firstname="'.$firstname.'" WHERE username = "'.$username.'"');
$sql = mysql_query ('UPDATE users SET surname="'.$surname.'" WHERE username = "'.$username.'"');
$sql = mysql_query ('UPDATE users SET weight="'.$weight.'" WHERE username = "'.$username.'"');
$sql = mysql_query ('UPDATE users SET height="'.$height.'" WHERE username="'.$username.'"');
Paste this code.

You need to terminate each line of code with a semicolon. Line 27 (and the next four lines) are missing the semicolon.

Related

PHP change password (old password does not match with the old password inside the database)

Here is my code
<?php
include("connect.php");
error_reporting(0);
session_start();
if($_SESSION['logged'] == true){
if($_SESSION['user_type'] == 2){
header("location:admin\home.php");
}
$user_id = $_SESSION['user_id'];
$query = "SELECT * FROM tbl_useraccounts where user_id = $id";
$q = mysqli_query($con,$query);
while($row = mysqli_fetch_array($q)){
$oldpassworddb = $row['password'];
}
if($user_id)
{
//user is logged in
if(isset($_POST['submit']))
{
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check passwords
if ($oldpassword == $oldpassworddb)
{
// check two new passwords
if ($newpassword == $repeatnewpassword)
{
//success
//change password in db
$querychange = mysqli_query("
UPDATE tbl_useraccounts SET password='$newpassword' WHERE user_id='$user_id'");
session_destroy();
echo "Your password has been changed<br/>
<a href='home.php'>Return</a>";
}
else
echo "New passwords doesnt match";
}
else
echo "Old password doesnt match!";
}
else
{
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='password' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><br>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name='submit' value='Change Password'>
</form>
";
}
}
else
die("You must be logged in to change your password");
}else{
header("location:login.php");
}
?>
I'm sorry, I'm new to StackOverflow. When I type my old password inside the password bar, for example "123", where 123 really is the password stored in my database, the response when I click Change Password is always "Old password does not match". 123 = 123 should be read as correct.
What is the error in my code?
You might be picking the wrong user, as:
$user_id = $_SESSION['user_id']; // here you pick in $user_id
$query = "SELECT * FROM tbl_useraccounts where user_id = $id"; // here you check with $id
so change to
$query = "SELECT * FROM tbl_useraccounts where user_id = $user_id";
Also print_r($variable) can be helpful for you.
Change the below:
$user_id = $_SESSION['user_id'];
$query = "SELECT * FROM tbl_useraccounts where user_id = $id";
To
$user_id = $_SESSION['user_id'];
$query = "SELECT * FROM tbl_useraccounts where user_id = $user_id";
You have stored user id in the $user_id variable but using $id variable, which is not defined.
You used $id instead of $user_id in the WHERE statement:
$user_id = $_SESSION['user_id'];
$query = "SELECT * FROM tbl_useraccounts where user_id = $id";
$q = mysqli_query($con,$query);
while($row = mysqli_fetch_array($q)){
$oldpassworddb = $row['password'];
}
You can dump the value which is in the database like this:
$user_id = $_SESSION['user_id'];
$query = "SELECT * FROM tbl_useraccounts where user_id = $user_id";
$q = mysqli_query($con,$query);
while($row = mysqli_fetch_array($q)){
$oldpassworddb = $row['password'];
var_dump($oldpassworddb);
}
Check how many users you have in the db. Dump your old password and compare it to the one you are providing. If it doesn't match, change the password in the db with the result of:
var_dump(md5('123'));
Then run your code again. At this point we can't be sure what is sitting in your db ;)
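The old-password check from this thread, as an added example that is not code from any of the posts: it binds the session's user id as a query parameter and uses PHP's password_hash()/password_verify() in place of the thread's md5() string comparison. Assumptions: PDO with an in-memory SQLite database stands in for the MySQL table tbl_useraccounts, the function name changePassword is hypothetical, and the sample row is constructed.

```php
<?php
declare(strict_types=1);
// Added example. PDO + in-memory SQLite stands in for the MySQL table
// tbl_useraccounts; changePassword() is a hypothetical helper name.

function changePassword(PDO $db, int $userId, string $old, string $new, string $repeat): string
{
    // Compare the two new plaintext values before hashing anything.
    if ($new === '' || !hash_equals($new, $repeat)) {
        return 'New passwords do not match';
    }
    // Look the row up by the session's user id, bound as a parameter.
    $stmt = $db->prepare('SELECT password FROM tbl_useraccounts WHERE user_id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched, which is what a wrong
    // or undefined id variable produces: treat it as a failed check.
    if ($stored === false || !password_verify($old, $stored)) {
        return 'Old password does not match';
    }
    $upd = $db->prepare('UPDATE tbl_useraccounts SET password = ? WHERE user_id = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return $upd->rowCount() === 1 ? 'Your password has been changed' : 'Update failed';
}

// Constructed sample data: one account whose password is "123".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_useraccounts (user_id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO tbl_useraccounts VALUES (?, ?)')
   ->execute([7, password_hash('123', PASSWORD_DEFAULT)]);

$userId = 7; // in the thread's script this would be (int) $_SESSION['user_id']
echo changePassword($db, $userId, 'wrong', 'n3w-pass', 'n3w-pass'), PHP_EOL;
echo changePassword($db, $userId, '123', 'n3w-pass', 'typo'), PHP_EOL;
echo changePassword($db, 99, '123', 'n3w-pass', 'n3w-pass'), PHP_EOL;   // no such row
echo changePassword($db, $userId, '123', 'n3w-pass', 'n3w-pass'), PHP_EOL;
echo changePassword($db, $userId, '123', 'x', 'x'), PHP_EOL;            // "123" was replaced
```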

Can't make the user update their information

Here is the code. I searched the net for the UPDATE statement, and this is what I learned, but even though it doesn't produce an error, it doesn't change the information in the database.
update.inc.php:
<?php
session_start();
include '../data_base.php';
include 'header.php';
$first = $_POST['first'];
$last = $_POST['last'];
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$number = $_POST['number'];
$age = $_POST['age'];
$email = $_POST['email'];
$sql = "UPDATE user
SET first = $first, last = $last, uid = $uid, pwd = $pwd, number = $number, age = $age, email = $email
WHERE id = $id";
$result = mysqli_query($conn,$sql);
header("Location: ../index.php");
?>
update.php:
<?php
include 'header.php';
?>
<?php
if (isset($_SESSION['id'])) {
echo "You Can Edit Your Files!";
} else {
echo "You Need To Create An Account First!";
}
?>
<br><br><br>
<?php
if (isset($_SESSION['id'])) {
echo "<form action='includes/update.inc.php' method='POST'>
<input type='text' name='first' placeholder='FirstName'><br>
<input type='text' name='last' placeholder='LastName'><br>
<input type='text' name='uid' placeholder='UserName'><br>
<input type='password' name='pwd' placeholder='Password'><br>
<input type='text' name='number' placeholder='Telemóvel'><br>
<input type='text' name='age' placeholder='Idade'><br>
<input type='text' name='email' placeholder='Email'><br>
<button type='submit'>EDIT</button>
</form>";
}
?>
Need Help.
First enable errors in your file and change your query to:
$sql = "UPDATE user
SET first = '$first', last = '$last', uid = '$uid', pwd = '$pwd', number = '$number', age = '$age', email = '$email'
WHERE id = $id";
Enable errors:
ini_set('display_errors', 1);
ini_set('display_startup_errors', 1);
error_reporting(E_ALL);
Your code is open to SQL injection, so I would prefer to make use of a prepared statement with mysqli (the PDO one is preferred):
$sql = "UPDATE user
SET first = ?,
last = ?,
uid = ?,
pwd = ?,
number = ?,
age = ?,
email = ?
WHERE id = ?";
$stmt = $mysqli->prepare($sql);
// here s represents a string and i represents an integer for the corresponding variable
// example: $first is a string, $uid is an integer
$stmt->bind_param("ssisiisi",$first,$last,$uid,$pwd,$number,$age,$email,$id);
$first = $_POST['first'];
$last = $_POST['last'];
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$number = $_POST['number'];
$age = $_POST['age'];
$email = $_POST['email'];
// in above your $id is missing
$id = $_POST["id"];
// now execute the statement now your database changes
$stmt->execute();
echo "Record updated successfully";
header("Location: ../index.php");
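A parameterised profile update for the `user` table in this answer, which also applies to the `UPDATE users ... WHERE username='$username'` query in the first thread on this page. This is an added example, not code from the page. Assumptions: PDO with an in-memory SQLite database stands in for MySQL, the function name updateProfile is hypothetical, only four of the form's fields are handled, the row to change is taken from the session rather than from the form, and the sample rows and POST data are constructed.

```php
<?php
declare(strict_types=1);
// Added example. PDO + in-memory SQLite stands in for MySQL;
// updateProfile() is a hypothetical helper name.

function updateProfile(PDO $db, array $session, array $post): string
{
    // The row to change comes from the signed-in session, never from the form.
    if (!isset($session['id'])) {
        return 'not signed in';
    }
    $first = trim((string) ($post['first'] ?? ''));
    $last  = trim((string) ($post['last'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($first === '' || $last === '' || $email === false || $age === false) {
        return 'invalid input';
    }
    // Values travel as bound parameters, so quotes in them cannot alter the SQL.
    $stmt = $db->prepare(
        'UPDATE user SET first = ?, last = ?, age = ?, email = ? WHERE id = ?'
    );
    $stmt->execute([$first, $last, $age, $email, (int) $session['id']]);
    return $stmt->rowCount() === 1 ? 'updated' : 'no row changed';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, first TEXT, last TEXT, age INTEGER, email TEXT)');
$db->exec("INSERT INTO user VALUES (1, 'Ann', 'Lee', 30, 'ann@example.test'),
                                   (2, 'Bob', 'Ray', 41, 'bob@example.test')");

// Constructed POST data: an apostrophe in the name and an 'id' field that is ignored.
$post = ['first' => "O'Brien", 'last' => 'Lee', 'age' => '31',
         'email' => 'ann@example.test', 'id' => '2'];
echo updateProfile($db, ['id' => 1], $post), PHP_EOL;
echo updateProfile($db, [], $post), PHP_EOL;
echo updateProfile($db, ['id' => 1], ['age' => 'abc'] + $post), PHP_EOL;
foreach ($db->query('SELECT * FROM user ORDER BY id', PDO::FETCH_ASSOC) as $row) {
    // htmlspecialchars() belongs here, when writing HTML, not before storage.
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```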

MySQL query not executing properly

I want to make a PHP login script, that when user signs in, it removes the Sign-In form with another div saying "Welcome [user_name]". I am running the script on same page as my html, but the query always fails. Can anyone please sort out this problem, why is this happening?
PHP CODE:
<?php include("connect.php")?>
<?php
session_start();
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}
if(isset($_POST['username']) && isset($_POST['username'])){
//Sanitize the POST values
$UserName = clean($_POST['username']);
$Password =(md5($_POST['password']));
//Create query
$qry = "SELECT 'UserName' , 'Password' FROM users WHERE UserName='$UserName' AND Password='$Password'";
$result = mysql_query($qry);
//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) > 0) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['mem_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['FName'];
$_SESSION['SESS_LAST_NAME'] = $member['LName'];
//session_write_close();
echo 'SUCCESS';
//loggedin();
//exit();
}
else {
//Login failed
echo 'FAILED.';
//loginfail();
//exit();
}
}
else {
die("Query failed");
}
}
?>
HTML CODE:
<form name="user-form" id="user-form" action="members.php" method="POST">
<input type="text" name="username" id="username" placeholder="Username"></input>
<input type="password" name="password" id="password" placeholder="Password"></input>
<br/>
<input type="submit" id="sign" name="Sign In"></input>
</form>
Your help will be appreciated as I am new to this.
This is wrong-
SELECT 'UserName' , 'Password'....
Remove ' and replace it with ` (backtick).
Also take care of the strings properly, just replace WHERE UserName='$UserName' AND Password='$Password'" with-
WHERE UserName=\"".$UserName."\" AND Password=\"".$Password."\""
So the complete query would be-
"SELECT `UserName` , `Password` FROM users WHERE UserName=\"".$UserName."\" AND Password=\"".$Password."\""
(also keep in mind that the column names are case-sensitive)
This:
$qry = "SELECT 'UserName' , 'Password' FROM users WHERE UserName='$UserName' AND Password='$Password'";
Should be:
$qry = "SELECT username , password FROM users WHERE UserName='$UserName' AND Password='$Password'";

Update MySql Query for user profile update using php

I am trying to update user profile by overwriting current data in the MySql.
It isn't working properly; it echoes my "the name doesn't exist".
Here is my php code:
<?php
// see if the form has been completed
session_start();
include_once("php_includes/check_login_status.php");
include_once("php_includes/db_conx.php");
// Initialize any variables that the page might echo
$u = "";
$firstname = "";
$surname = "";
$gender = "Male";
$country = "";
$weight = "";
$height = "";
$password = "";
$password2 = "";
if(isset($_GET["u"])){
$u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);
}
$sql = "SELECT * FROM users WHERE username='$u' AND activated='1' LIMIT 1";
$user_query = mysqli_query($db_conx, $sql);
// check if the user exists in the database
while ($row = mysqli_fetch_array($user_query, MYSQLI_ASSOC)) {
$firstname = $row["firstname"];
$surname = $row["surname"];
$weight = $row["weight"];
$height = $row["height"];
$email = $row["email"];
$gender = $row ["gender"];
}
if (isset($_POST['submit'])){
$firstname = $_POST['firstname'];
$surname = $_POST['surname'];
$weight = $_POST['weight'];
$height = $_POST['height'];
$email = $_POST['email'];
$gender = $_POST['gender'];
mysql_connect ("localhost","root","pass123"); mysql_select_db('worldoi5_social');
// check if that user exist
$exists = mysql_query ("SELECT * FROM users WHERE username='$u' ") or die ("query cant connect");
if (mysql_num_rows ($exists) != 0) {
// update the description in the database
mysql_query("UPDATE users SET firstname='$firstname', surname='$surname', weight='$weight', height='$height' WHERE username='$u'") or die ("update could not be applied");
echo "successful";
} else echo "the name does not exist";
}
?>
I have made the code work with less code, but since I have added more it stopped working, and the data reads fine. I do not see the errors or mistake.
Here is a bit of the HTML as well:
<form action="user1.php" method="POST">
<div>
<p>First Name: <input type="text" name="firstname" id="firstname" value="<?=$firstname?>"></p>
<p>Surname: <input type="text" name="surname" id="surname" value="<?=$surname?>"></p>
<p>Weight: <input type="text" name="weight" id="weight" value="<?=$weight?>"></p>
<p>Height: <input type="text" name="height" id="height" value="<?=$height?>"></p>
<p> <input type="submit" name="submit" id="submit" value="Update Description"></p>
</div>
</form>
</body>
I figured out the answer:
From the PHP code line
$exists = mysql_query ("SELECT * FROM users WHERE username='$u' ")
the single and double quotes were messed up, so I had to use it like this:
$exists = mysql_query ("SELECT * FROM users WHERE firstname='" . $firstname . "'")
Then it read it properly. Also, I decided to use firstname as the selective.

Simple php and sql login form not working

I am trying to make a simple php and sql login form, but it is not working
Can anyone help me to fix my code?
<form method="post" action="form.php">
Username <input type="text" name="username"><br>
Password <input type="password" name="password">
<br>
<input type="submit" name="submit" value="submit">
</form>
<?php
if (isset($_POST['submit'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$con = mysql_connect("localhost", "root", "");
mysql_select_db($con, "formcolumn");
$sql = mysql_query("select * from data1_table where username='$username' and password='$password' ");
$row = mysql_fetch_array($sql);
$uname = $row['username'];
$pass = $row['password'];
if ($username == $uname && $password == $pass) {
header("Location: main.php");
} else {
echo "invalid username and password ";
}
}
?>
Replace mysql_select_db($con, "formcolumn"); with mysql_select_db("formcolumn",$con); where formcolumn is your Database name
Interchange the positions of the parameters in your mysql_select_db function: pass the name of your database first, then pass the connection. You must remember this is a predefined function and it is defined to accept parameters in a certain order; therefore it expects that the first parameter passed to the function is going to be the database name.
You should have
mysql_select_db("formcolumn",$con);
Also, why not try something along the lines of this:
$sql = "select * from data1_table where username='$username' and password='$password'";
$result = mysql_query($sql,$con);
$row= mysql_fetch_assoc($result);
