I have this piece of code that allows users to edit their profile from a form using PHP and MySQL. When I echo the submitted or changed value, it displays the right, edited value, but nothing changes in the database. Can anyone help me solve this problem?
This is the part where I am updating the query.
If you need any additional files, let me know, and thank you.
search.php
//submit what the user types into the database
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$country = $_POST['country'];
$spec = $_POST['specialization'];
// error in updating the database
$edit_query = mysql_query("UPDATE user SET first_name= '$fname', last_name= '$lname', address= '$country', specialization_name= '$spec' WHERE user_name = '$username'") or die(mysql_error());
$username is not defined. As a result, the query is executed for no database row.
Please use prepared statements instead of the SQL-injectable mysql_query().
You need to initialise the userName variable.
Try this.....
$edit_query = mysql_query("UPDATE `user` SET first_name= '".$fname."', last_name= '".$lname."', address= '".$country."', specialization_name= '".$spec."' WHERE user_name = '".$username."'") or die(mysql_error());
//Make sure that your $username holds some valid value.
$username is required, and your query is vulnerable to SQL injection, so use the mysql_real_escape_string() function.
$fname = mysql_real_escape_string($_POST['fname']);
$lname = mysql_real_escape_string($_POST['lname']);
$country = mysql_real_escape_string($_POST['country']);
$spec = mysql_real_escape_string($_POST['specialization']);
$edit_query = mysql_query("UPDATE user SET first_name= '$fname', last_name= '$lname', address= '$country', specialization_name= '$spec' WHERE user_name = '$username'") or die(mysql_error());
Related
I have three files reg_form.php, dbconnection.php and insert.php.
When submitting the form the data is not inserted into the database. I can't figure out why. Initially I didn't know how to use insert into multiple tables but took the advice of many posts from here. Unfortunately I have still failed to make it work and it is driving me insane. Here is the sql code so far for the insert.
<?php
include ("dbconnection.php");
if(file_exists("dbconnection.php")) {
echo"Connected to database successfully";
} else if(!file_exists("dbconnection.php")){
echo "Connection failed";
}
$forename = "forename";
$surname = "surname";
$address_line1 = "address_line1";
$address_line2 = "address_line2";
$address_line3 = "address_line3";
$city = "city";
$postcode = "postcode";
$phone = "phone";
$email = "email";
$username = "username";
$password = "password";
$cpassword = "cpassword ";
$query = "INSERT INTO users (username,
password)VALUES('$username','$password');";
$query2 = "INSERT INTO users_details (forename, surname,address_line1,
address_line2, address_line3, city, postcode, phone, email)
VALUES('$forename','$surname','$address_line1','$address_line2',
'$address_line3','$city','$postcode','$phone','$email')";
query ($dbconnection,$sql);
?>
Ok problem is solved. I made a stored procedure because I am doing an INSERT INTO multiple tables and then called it like this.
$sql ="CALL add_user('".$username."', '".$password."', 'user',
'".$forename."','".$surname."', '".$address_line1."' ,
'".$address_line2."', '".$address_line3."', '".$city."', '".$postcode."',
'".$phone."', '".$email."','".is_bool($email_contact)."',
'".is_bool($phone_contact)."')";
$query = $con->prepare($sql);
$query->execute();
I want users to UPDATE any field(s) they want in the database table, but I don't want the UPDATE .. SET to erase existing records with empty submissions if they submit without changing all the fields, but changed only the ones they want to.
$sql = "UPDATE table SET username = '$username', email = '$email',
fname = '$fname', lname = '$lname', address = '$address', city = '$city',
country = '$country', phone = '$phone', aboutme = '$aboutme' WHERE email = '$email'";
If the user only updates address and phone and then submits his entry, this instruction erases the other fields that are not filled in the form. I don't want that to happen. Kindly look into this. Thanks
Please, I have tried your suggestion but it's not working for me. Maybe I am doing something wrong. I am new to PHP. Here is my code below:
$sql = "UPDATE user_profile SET ";
if ($username!="")
$sql ."username = '$username',"
if ($fname!="")
$sql ."fname = '$fname',"
if ($lname!="")
$sql ."lname = '$lname',"
if ($address!="")
$sql ."address = '$address',"
if ($city!="")
$sql ."city = '$city',"
if($country!="")
$sql ."country = '$country', "
if($phone!="")
$sql ."phone = '$phone', "
if($aboutme!="")
$sql ."aboutme = '$aboutme' "
$sql ."WHERE email = '$email'";
$query = mysqli_query($database,$sql);
if($query)
{
$message = "<div class=\"btn btn-lg btn-default\"><i class=\"text-success text-center\">Update Successful!</i></div>";
//echo "update successful";
}
You should be using parameters rather than placing user input directly into strings. However, that is good practice and protects against SQL injection and poorly formed parameters.
Doesn't help your problem, though. You need to see if there is a new value, otherwise, use the old one. Assuming the new value is NULL when not present, then use COALESCE(). For example:
SET username = COALESCE($username, username),
. . .
Note: There is no reason to set email in the SET statement because you are using it in the WHERE.
I have a question. I want to edit customer information, but I only want to update the record of one customer at a time. I tried to add where _SESSION['customerCode'] but it doesn't seem to work.
<?php
$connection =
mysql_connect("com-db-02.student-cit.local", "team16", "DbSLzU")
or die (mysql_error());
$db = mysql_select_db("team16") or die(mysql_error());
$FName = $_POST['fname'];
$LName = $_POST['lname'];
$Email = $_POST['custemail'];
$Address = $_POST['address'];
$Town = $_POST['town'];
$County = $_POST['county'];
$Eircode = $_POST['eircode'];
$Phone = $_POST['phone'];
$query = mysql_query("UPDATE CUSTOMER set custFName = '$FName', custLName = '$LName', custemail = '$Email' where customerCode = "$_SESSION['customerCode']"") or die(mysql_error());
?>
I get an error unexpected '$_SESSION' (T_VARIABLE)
Also is it possible to add not update those fields that are blank, so if customer wants to change their address only, other fields won't get wiped out
You have a mistake in your concatenation. Make it like this: .$_SESSION['customerCode']
Try the code below.
session_start();
$custCode = $_SESSION['customerCode'];
$query = mysql_query("UPDATE CUSTOMER set custFName = '$FName', custLName = '$LName', custemail = '$Email' where customerCode = ".$custCode) or die(mysql_error());
Also is it possible to add not update those fields that are blank, so
if customer wants to change their address only, other fields won't get
wiped out
This has already been answered here before. Search for MySQL COALESCE
You can check the following:
https://dba.stackexchange.com/a/36748
https://stackoverflow.com/a/15525287/4672534
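The COALESCE advice in the two answers above, combined with the prepared statements recommended throughout this page, as an added example that is not code from any of the posters. `update_profile()`, the `user_profile` layout, the sample row and `$sessionEmail` (standing in for a session value) are assumptions, and SQLite in memory replaces MySQL so the script runs offline.

```php
<?php
// Added example. Table layout and rows are constructed; SQLite in memory
// stands in for MySQL so the script runs offline (the UPDATE is valid in both).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE user_profile (email TEXT PRIMARY KEY,
    fname TEXT, lname TEXT, address TEXT, phone TEXT)");
$pdo->exec("INSERT INTO user_profile VALUES
    ('ann@example.test', 'Ann', 'Lee', '1 Old Road', '555-0100')");

// Columns a user may edit. Column names are fixed here, never taken from input.
const EDITABLE = ['fname', 'lname', 'address', 'phone'];

// Hypothetical helper: update only the fields that were filled in.
function update_profile(PDO $pdo, string $email, array $form): int
{
    $set = [];
    $params = [':email' => $email];
    foreach (EDITABLE as $col) {
        // NULLIF maps '' to NULL; COALESCE then falls back to the stored value.
        $set[] = "$col = COALESCE(NULLIF(:$col, ''), $col)";
        $value = $form[$col] ?? '';
        $params[":$col"] = is_string($value) ? trim($value) : '';
    }
    $stmt = $pdo->prepare(
        'UPDATE user_profile SET ' . implode(', ', $set) . ' WHERE email = :email'
    );
    $stmt->execute($params);   // values are bound, not spliced into the SQL text
    // 0 means the WHERE matched nothing (with MySQL's default settings it can
    // also mean no value changed), e.g. when the key variable was never set.
    return $stmt->rowCount();
}

// Constructed form post: only address and phone are filled in, and the
// address contains a quote that would break the string-built queries.
$sessionEmail = 'ann@example.test';   // stands in for a value kept in $_SESSION
$post = ['fname' => '', 'lname' => '', 'address' => "5 O'Connell St", 'phone' => '555-0199'];

echo update_profile($pdo, $sessionEmail, $post), " row(s) updated\n";
echo update_profile($pdo, '', $post), " row(s) updated with an empty key\n";

$row = $pdo->query('SELECT * FROM user_profile')->fetch(PDO::FETCH_ASSOC);
echo json_encode($row), "\n";
```

Checking the returned row count also surfaces the failure in the first question on this page, where an unset `$username` made the UPDATE match no row without raising an error.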
Using data from an activation email. $email & $key.
$result1 mysql_query -
The result is that only the email, role, credits are inserted into table users. Data items username, password are not inserted.
$result2 mysql_query -
The data is not deleted from table tempusers
If I echo the data from the while loop the correct data is returned.
Got to be something simple but I just cannot see it. Thanks.
CODE:
include 'core/init.php'; /* database connection*/
if (isset($_GET['email']) && preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*#([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_GET['email'])){
$email = mysql_real_escape_string($_GET['email']);
}
if(isset($_GET['key']) && (strlen($_GET['key']) == 32)) {
$key = mysql_real_escape_string($_get['key']);
}
if(isset($email) && isset($key)) {
$result = mysql_query("SELECT * FROM `tempusers` WHERE `email` = '$email' AND `activation` = '$key' ") or die(mysql_error());
while($row = mysql_fetch_array($result)) {
$user_id = mysql_real_escape_string($row['user_id']);
$username = mysql_real_escape_string($row['username']);
$email = mysql_real_escape_string($row['email']);
$password = mysql_real_escape_string($row['password']);
}
$result1 = mysql_query("INSERT INTO `users` (`username`, `email`, `password`, `role`, `credits`) VALUES ('$username', '$email', '$password', 'user', 0)") or die(mysql_error());
$result2 = mysql_query("DELETE FROM `tempusers` WHERE `user_id` = '$user_id'") or die(mysql_error());
if(!$result1) {
echo "Oops your account could not be activated. Please contact the system administrator!";
} else {
header('Location: prompt.php?x=0');
}
} else {
echo "Error. Please contact the system administrator!";
}
?>
Are you sure the query gets executed? And are you also sure the query has at least 1 result? The $email is already set, but to set the username and password your query needs to have at least 1 result.
I also noticed $_get['key'], but I am not sure if it's necessary to change it to $_GET['key'].
This $_get in => mysql_real_escape_string($_get['key']) is in lowercase letters.
$_GET is a superglobal and it must be set in uppercase letters like this => $_GET
Sidenote: I noticed that you are using the word key in $_GET['key'] etc.
If your other script happens to be using this word as a column reference, you will need to set it inside backticks, since key is a MySQL reserved word. I'm just thinking out loud here.
Add error reporting to the top of your file(s) which will help during production testing.
error_reporting(E_ALL);
ini_set('display_errors', 1);
Plus, I recommend you use mysqli_ functions with prepared statements, or PDO with prepared statements.
header ('Refresh: 1;url=registrationform.php');
include 'dbconnect.php';
$id = $_POST['id'];
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$email = $_POST['email'];
$password = $_POST['password'];
$DOB = $_POST['dob'];
$gender = $_POST['gender'];
$telephone = $_POST['telephone'];
$memberTypeID = $_POST['memberTypeID'];
$Active = $_POST['Active'];
$sql = "UPDATE user SET firstName = '$firstName', lastName = '$lastName', email = '$email', password = '$password', DOB = '$DOB', gender = '$gender', telephone = '$telephone', memberTypeID = '$memberTypeID', Active = '$Active' WHERE userID = $id";
$result=mysql_query($sql)or die ("COULD NOT UPDATE USER!!");
This is the code I am using to enter the DOB back into the database; when entered it returns 0000-00-00.
Try what is inside $_POST['dob']. Also, if the input value is not a valid date value then don't try to insert it. So if it's not a valid value then make the dob null and also make your table structure compatible to allow NULL values. If your $_POST['dob'] doesn't contain a valid date value in YYYY-MM-DD format then that value will be inserted as 0000-00-00 in the database.
So try something like the following
$DOB = NULL;
if(isset($_POST['dob']) && trim($_POST['dob']) != '') {
    //make necessary validations and assign the value
    $DOB = $newValue;//Assume $newValue contains new date value in YYYY-MM-DD format
}
Also, don't use mysql_ functions anymore since they are deprecated. Try using mysqli_ functions and prepared statements because your code is vulnerable to SQL injection.
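One way to fill in the validation step this answer leaves open, as an added example that is not the answerer's code. `parse_dob()`, the two-column `user` table and the sample submissions are assumptions, and SQLite in memory replaces MySQL so the script runs offline.

```php
<?php
// Added example. parse_dob(), the table layout and the inputs are constructed.
// SQLite in memory stands in for MySQL so the script runs offline.

// Hypothetical helper: return a strict YYYY-MM-DD string, or null when the
// field is blank or is not a real calendar date.
function parse_dob($raw): ?string
{
    if (!is_string($raw) || trim($raw) === '') {
        return null;
    }
    $raw = trim($raw);
    // '!' zeroes the time fields that the format does not mention.
    $date = DateTime::createFromFormat('!Y-m-d', $raw);
    // createFromFormat() rolls 2021-02-30 over to 2021-03-02 instead of
    // failing, so the parsed date must format back to the exact input.
    if ($date === false || $date->format('Y-m-d') !== $raw) {
        return null;
    }
    return $raw;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (userID INTEGER PRIMARY KEY, DOB TEXT NULL)');
$pdo->exec("INSERT INTO user (userID, DOB) VALUES (1, '1980-01-01')");

$stmt = $pdo->prepare('UPDATE user SET DOB = :dob WHERE userID = :id');
$read = $pdo->prepare('SELECT DOB FROM user WHERE userID = :id');

// Constructed submissions: valid, wrong format, impossible date, blank.
foreach (['1990-07-15', '15/07/1990', '2021-02-30', ''] as $submitted) {
    $dob = parse_dob($submitted);
    // Bind NULL explicitly so the column holds NULL, never '0000-00-00'.
    $stmt->bindValue(':dob', $dob, $dob === null ? PDO::PARAM_NULL : PDO::PARAM_STR);
    $stmt->bindValue(':id', 1, PDO::PARAM_INT);
    $stmt->execute();

    $read->execute([':id' => 1]);
    printf("%-12s -> %s\n", var_export($submitted, true), var_export($read->fetchColumn(), true));
    $read->closeCursor();
}
```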