session form data across multiple pages and insert into mysql? - php

can someone help me please, im trying to submit a form over 3 pages. theres 3 text area fields in each and im using session start to echo the form data other the pages.
so then at the end all i have to do is echo out the form data and insert it into the mysql table ptb_registrations.
for some reason though its not working and im getting the error updating database error. i have been working on this for a few hours im sorry to say and i can not figure it out. please can someone help me and show me where i might be going wrong.
page 1:
<?php
session_start();
?>
<form class="" method="post" action="register_p2.php">
<input type="text" id="first_name" name="first_name" placeholder="First Name" />
<input type="text" id="last_name" name="last_name" placeholder="Last Name" />
<input type="email" id="email" name="email" placeholder="Email" />
<input type="submit" value="Next >" />
</form>
page 2:
<?php
session_start();
// other php code here
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email'] = $email;
?>
<form name="myForm" method="post" action="register_p3.php" onsubmit="return validateForm()" >
<input type="text" id="date_of_birth" name="date_of_birth" placeholder="D.O.B 10/02/1990" />
<input type="text" id="number" name="number" placeholder="Mobile Number" />
<input type="text" id="confirm" name="confirm" placeholder="Are You a UK resident?" />
<input type="submit" value="Next >" />
</form>
page 3:
<?php
session_start();
// other php code here
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email'] = $email;
$_SESSION['dat_of_birth'] = $date_of_birth;
$_SESSION['number'] = $number;
?>
<form class="" method="post" action="register_p4.php">
<input type="text" id="display_name" name="date_of_birth" placeholder="Display Name" />
<input type="password" id="password" name="password" placeholder="Password" />
<input type="password" id="password2" name="password2" placeholder="Password (Confirm)" />
<input type="submit" value="Next >" />
</form>
page 4: (mysql function)
<?php
session_start();
// other php code here
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email'] = $email;
$_SESSION['dat_of_birth'] = $date_of_birth;
$_SESSION['number'] = $number;
$_SESSION['display_name'] = $display_name;
$_SESSION['password'] = $password;
?>
<?php
////// SEND TO DATABASE
/////////////////////////////////////////////////////////
// Database Constants
define("DB_SERVER", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "database");
// 1. Create a database connection
$connection = mysql_connect(DB_SERVER,DB_USER,DB_PASS);
if (!$connection) {
die("Database connection failed: " . mysql_error());
}
// 2. Select a database to use
$db_select = mysql_select_db(DB_NAME,$connection);
if (!$db_select) {
die("Database selection failed: " . mysql_error());
}
//////////////////////////////////////////////////////////////
$query="INSERT INTO ptb_registrations (ID,
first_name,
last_name,
email,
date_of_birth,
contact_number,
display_name,
password
)
VALUES('NULL',
'".$first_name."',
'".$last_name."',
'".$email."',
'".$date_of_birth."',
'".$number."',
'".$display_name."',
'".$password."'
)";
mysql_query($query) or die ('Error updating database');
?>
<?php
function confirm_query($result_set) {
if (!$result_set) {
die("Database query failed: " . mysql_error());
}
}
function get_user_id() {
global $connection;
global $email;
$query = "SELECT *
FROM ptb_registrations
WHERE email = \"$email\"
";
$user_id_set = mysql_query($query, $connection);
confirm_query($user_id_set);
return $user_id_set;
}
?>
<?php
$user_id_set = get_user_id();
while ($user_id = mysql_fetch_array($user_id_set)) {
$cookie1 = "{$user_id["id"]}";
setcookie("ptb_registrations", $cookie1, time()+3600); /* expire in 1 hour */
}
?>
<?php include ('includes/send_email/reg_email.php'); ?>
<? ob_flush(); ?>


please can someone help me and show me where i might be going wrong.
Your code itself is just horrible. Because:
1) You mix session and database responsibilities
2) You use mysql_query() for queries you do not expect a result-set. For INSERT, UPDATE, DELETE queries should be used mysql_unbuffered_query()
3) You do not escape values using mysql_real_escape_string() so that you're vulnerable to SQL injection
4) You use procedural code and global state
5) You use deprecated mysql_* functions instead of PDO or MySQLi
6) You use string concatenation instead of sprintf(), here:
)
VALUES(
'".$first_name."',
'".$last_name."',
'".$email."',
'".$date_of_birth."',
'".$number."',
'".$display_name."',
'".$password."'
7) You do not validate anything in $_SESSION and $_POST. What if you have set the variables and they do not exist?
8) Your query validation is wrong, here: confirm_query($result_set) {..
I'd better stop here.
So instead of coding this way, you'd really separate responsibilities.
For session, it should look like this:
File session.php
function seesion_init(){
if ( session_id() == '' ){
return session_start();
} else {
return true;
}
}
function session_set(array $values){
foreach($values as $key => $val){
$_SESSION[$key] = $val;
}
}
/**
* It will give you a confidence that you get an existing value
* #param string $key
*/
function session_get($key){
if ( isset($_SESSION[$key]) ){
return $_SESSION[$key];
} else {
throw new RuntimeException(sprintf('Accessed to non-existing session variable %s', $key));
}
}
File: dbconnection.php
<?php
define('HOST', '...');
define('USER', '...');
...
function connect(){
if ( ! mysql_connect(...) ){
die('...');
}
if ( ! mysql_select_db('DB_NAME_HERE') ){
die('...');
}
}
function query($query){
return mysql_query($query); //<- Should only be used for SELECT queries
}
function ub_query($query){
return mysql_unbuffered_query($query); // <- Should only be used for INSERT, DELETE, UPDATE queries
}
function fetch($result){
return mysql_fetch_assoc($result);
}
File: users.php
require_once('dbconnection.php');
connect();
/**
* Returns user id by his username
*
* #return array on success
* FALSE if email does not exists
*/
function get_user_id_by_email($email) {
$query = sprintf("SELECT `id` FROM `ptb_registrations` WHERE `email` = '$email' LIMIT 1", mysql_real_escape_string($email));
$result = ub_query($query);
if ( $result ){
return fetch($result);
} else {
return false;
}
}
and so on. The concept here is to separate responsibilities for each script and then use the "part" you need.
Back to the original question
You want to insert a value into the table? Then validate this value firstly. The problem is that you do not do that. Nothing more.


In page2.php you need set session as below.
because $first_name, etc.. did not declared.
page2.php
$_SESSION['first_name'] = $_POST['first_name'];
$_SESSION['last_name'] = $_POST['last_name'];
$_SESSION['email'] = $_POST['email'];
page3.php
$_SESSION['dat_of_birth'] = $_POST['date_of_birth'];
$_SESSION['number'] = $_POST['number'];
page4.php
$_SESSION['display_name'] = $_POST['display_name'];
$_SESSION['password'] = $_POST['password'];
in page4.php do one more variables declaration.
$first_name = $_SESSION['first_name'];
$last_name = $_SESSION['last_name'];
$email = $_SESSION['email']; etc...
then store it in database.


It is bad practice, this whole script but I believe your SQL error is because you are supplying an ID as null. ID is probably an integer and most likely auto increment. Do this instead:
$query="INSERT INTO ptb_registrations (
first_name,
last_name,
email,
date_of_birth,
contact_number,
display_name,
password
)
VALUES(
'".$first_name."',
'".$last_name."',
'".$email."',
'".$date_of_birth."',
'".$number."',
'".$display_name."',
'".$password."'
)";


Pge 1:
<form class="" method="post" action="register_p2.php">
<input type="text" id="first_name" name="first_name" placeholder="First Name" />
<input type="text" id="last_name" name="last_name" placeholder="Last Name" />
<input type="email" id="email" name="email" placeholder="Email" />
<input type="submit" value="Next >" />
</form>
No need of session_start here
Page2:
<?php
session_start();
// other php code here
$_SESSION['first_name'] = $_POST['first_name'];
$_SESSION['last_name'] = $_POST['last_name'];
$_SESSION['email'] = $_POST['email'];
?>
<form name="myForm" method="post" action="register_p3.php" onsubmit="return validateForm()" >
<input type="text" id="date_of_birth" name="date_of_birth" placeholder="D.O.B 10/02/1990" />
<input type="text" id="number" name="number" placeholder="Mobile Number" />
<input type="text" id="confirm" name="confirm" placeholder="Are You a UK resident?" />
<input type="submit" value="Next >" />
</form>
Added $_POST
Page 3:
<?php
session_start();
// other php code here
$_SESSION['dat_of_birth'] = $_POST['date_of_birth'];
$_SESSION['number'] = $_POST['number'];
?>
<form class="" method="post" action="register_p4.php">
<input type="text" id="display_name" name="date_of_birth" placeholder="Display Name" />
<input type="password" id="password" name="password" placeholder="Password" />
<input type="password" id="password2" name="password2" placeholder="Password (Confirm)" />
<input type="submit" value="Next >" />
</form>
Added $_POST $_SESSION['first_name'] = $_POST['first_name'];
No need to add this section again in page3 :
$_SESSION['first_name'] = $first_name;
$_SESSION['last_name'] = $last_name;
$_SESSION['email'] = $email;
Page 4:
<?php
session_start();
// other php code here
$first_name = $_SESSION['first_name'];
$last_name = $_SESSION['last_name'];
$email = $_SESSION['email'];
$date_of_birth = $_SESSION['dat_of_birth'] ;
$number =$_SESSION['number'];
$display_name = $_SESSION['display_name'];
$password = $_SESSION['password'];
?>
<?php
////// SEND TO DATABASE
/////////////////////////////////////////////////////////
// Database Constants
define("DB_SERVER", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "database");
// 1. Create a database connection
$connection = mysql_connect(DB_SERVER,DB_USER,DB_PASS);
if (!$connection) {
die("Database connection failed: " . mysql_error());
}
// 2. Select a database to use
$db_select = mysql_select_db(DB_NAME,$connection);
if (!$db_select) {
die("Database selection failed: " . mysql_error());
}
//////////////////////////////////////////////////////////////
$query="INSERT INTO ptb_registrations (ID,
first_name,
last_name,
email,
date_of_birth,
contact_number,
display_name,
password
)
VALUES('NULL',
'".mysql_real_escape_string($first_name)."',
'".mysql_real_escape_string($last_name)."',
'".mysql_real_escape_string($email)."',
'".mysql_real_escape_string($date_of_birth)."',
'".mysql_real_escape_string($number)."',
'".mysql_real_escape_string($display_name)."',
'".mysql_real_escape_string($password)."'
)";
mysql_query($query) or die ('Error updating database');
?>
<?php
function confirm_query($result_set) {
if (!$result_set) {
die("Database query failed: " . mysql_error());
}
}
function get_user_id() {
global $connection;
global $email;
$query = "SELECT *
FROM ptb_registrations
WHERE email = \"$email\"
";
$user_id_set = mysql_query($query, $connection);
confirm_query($user_id_set);
return $user_id_set;
}
?>
<?php
$user_id_set = get_user_id();
while ($user_id = mysql_fetch_array($user_id_set)) {
$cookie1 = "{$user_id["id"]}";
setcookie("ptb_registrations", $cookie1, time()+3600); /* expire in 1 hour */
}
?>
<?php include ('includes/send_email/reg_email.php'); ?>
<? ob_flush(); ?>
Assign session to variables :
$first_name = $_SESSION['first_name'];
mysql_* functions are deprecated use mysqli_* or PDO
You code is vulnerable to mysql_injection : use atleast mysql_real_escape_string

Related

Update values of form fields in db through My account/profile page

i am using below code for customer Registration & Login , it's working fine.
db connection
<?php
class Database
{
private $host = "localhost";
private $db_name = "dbname";
private $username = "root";
private $password = "helpme";
public $conn;
public function dbConnection()
{
$this->conn = null;
try
{
$this->conn = new PDO("mysql:host=" . $this->host . ";dbname=" . $this->db_name, $this->username, $this->password);
$this->conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $exception)
{
echo "Connection error: " . $exception->getMessage();
}
return $this->conn;
}
}
?>
register
<?php
session_start();
require_once 'class.user.php';
$reg_user = new USER();
if($reg_user->is_logged_in()!="")
{
$reg_user->redirect('home.php');
}
if(isset($_POST['btn-signup']))
{
$uname = trim($_POST['txtuname']);
$email = trim($_POST['txtemail']);
$upass = trim($_POST['txtpass']);
$cpass = trim($_POST['txtcpass']);
$phone = trim($_POST['phone']);
$street_address = trim($_POST['street_address']);
$street_address_2 = trim($_POST['street_address_2']);
$city = trim($_POST['city']);
$state = trim($_POST['state']);
$zip_code = trim($_POST['zip_code']);
$country = trim($_POST['country']);
$code = md5(uniqid(rand()));
$stmt = $reg_user->runQuery("SELECT * FROM tbl_users WHERE userEmail=:email_id");
$stmt->execute(array(":email_id"=>$email));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if($stmt->rowCount() > 0)
{
$msg = "
<div class='alert alert-error'>
<button class='close' data-dismiss='alert'>×</button>
<strong>Sorry !</strong> email allready exists , Please Try another one
</div>
";
}
if($upass != $cpass){
$msg = "passwords doesn't match";
}
else
{
if($reg_user->register($uname,$email,$upass, $code, $phone, $street_address, $street_address_2 , $city , $state , $zip_code , $country ))
{
$id = $reg_user->lasdID();
$key = base64_encode($id);
$id = $key;
$message = "
Hello $uname,
<br /><br />
Welcome to designer!<br/>
To complete your registration please , just click following link<br/>
<br /><br />
<a href='http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]'.'verify.php?id=$id&code=$code'>Click HERE to Activate :)</a>
<br /><br />
Thanks,";
$subject = "Confirm Registration";
$reg_user->send_mail($email,$message,$subject);
$msg = "
<div class='alert alert-success'>
<button class='close' data-dismiss='alert'>×</button>
<strong>Success!</strong> We've sent an email to $email.
Please click on the confirmation link in the email to create your account.
</div>
";
}
else
{
echo "sorry , Query could no execute...";
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
</head>
<body id="login">
<div class="container">
<?php if(isset($msg)) echo $msg; ?>
<form class="form-signin" method="post">
<h2 class="form-signin-heading">Sign Up</h2><hr />
<input type="text" class="input-block-level" placeholder="Username" name="txtuname" required />
<input type="email" class="input-block-level" placeholder="Email address" name="txtemail" required />
<input id="pass1" type="password" class="input-block-level" placeholder="Password" name="txtpass" required />
<input id="pass2" type="password" class="input-block-level" placeholder="confirm Password" name="txtcpass" required />
<input type="text" class="input-block-level" placeholder="Telephone" name="phone" />
<input type="text" class="input-block-level" placeholder="Street Address" name="street_address" />
<input type="text" class="input-block-level" placeholder="Stree Address 2" name="street_address_2" />
<input type="text" class="input-block-level" placeholder="city" name="city" />
<input type="text" class="input-block-level" placeholder="state" name="state" />
<input type="text" class="input-block-level" placeholder="zip code" name="zip_code" />
<input type="text" class="input-block-level" placeholder="country" name="country" />
<hr />
<input class="btn btn-large btn-primary" name="btn-signup" type="submit" id="btnSubmit" value="Sign Up" onclick="return comparePasswords()" />
Sign In
</form>
</div> <!-- /container -->
<script src="vendors/jquery-1.9.1.min.js"></script>
<script src="bootstrap/js/bootstrap.min.js"></script>
</body>
</html>
class.user.php
<?php
require_once 'dbconfig.php';
class USER
{
private $conn;
public function __construct()
{
$database = new Database();
$db = $database->dbConnection();
$this->conn = $db;
}
public function runQuery($sql)
{
$stmt = $this->conn->prepare($sql);
return $stmt;
}
public function lasdID()
{
$stmt = $this->conn->lastInsertId();
return $stmt;
}
public function register($uname,$email,$upass, $code, $phone, $street_address, $street_address_2 , $city , $state , $zip_code , $country)
{
try
{
$password = md5($upass);
$stmt = $this->conn->prepare("INSERT INTO tbl_users(userName,userEmail,userPass, tokenCode, phone, street_address, street_address_2 , city , state , zip_code , country)
VALUES(:user_name, :user_mail, :user_pass, :active_code, :phone , :street_address, :street_address_2 , :city , :state , :zip_code , :country)");
$stmt->bindparam(":user_name",$uname);
$stmt->bindparam(":user_mail",$email);
$stmt->bindparam(":user_pass",$password);
$stmt->bindparam(":active_code",$code);
$stmt->bindparam(":phone",$phone);
$stmt->bindparam(":street_address",$street_address);
$stmt->bindparam(":street_address_2",$street_address_2);
$stmt->bindparam(":city",$city);
$stmt->bindparam(":state",$state);
$stmt->bindparam(":zip_code",$zip_code);
$stmt->bindparam(":country",$country);
$stmt->execute();
return $stmt;
}
catch(PDOException $ex)
{
echo $ex->getMessage();
}
}
public function login($email,$upass)
{
try
{
$stmt = $this->conn->prepare("SELECT * FROM tbl_users WHERE userEmail=:email_id");
$stmt->execute(array(":email_id"=>$email));
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);
if($stmt->rowCount() == 1)
{
if($userRow['userStatus']=="Y")
{
if($userRow['userPass']==md5($upass))
{
$_SESSION['userSession'] = $userRow['userID'];
return true;
}
else
{
header("Location: index.php?error");
exit;
}
}
else
{
header("Location: index.php?inactive");
exit;
}
}
else
{
header("Location: index.php?error");
exit;
}
}
catch(PDOException $ex)
{
echo $ex->getMessage();
}
}
public function is_logged_in()
{
if(isset($_SESSION['userSession']))
{
return true;
}
}
public function redirect($url)
{
header("Location: $url");
}
}
home.php [ customer will redirect to this home/profile page after login]
<?php
//Initializing variable
session_start();
require_once 'class.user.php';
$user_home = new USER();
if(!$user_home->is_logged_in())
{
$user_home->redirect('index.php');
}
$stmt = $user_home->runQuery("SELECT * FROM tbl_users WHERE userID=:uid");
$stmt->execute(array(":uid"=>$_SESSION['userSession']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
?>
in registration page we have name, email, city, zip....etc.
i need to provide an option for customer to update those fields in profile page.
once customer login, he will be redirect to profile/home page, in that page
I want to display all form fields and provide a "edit" button and once he click on that button, he should be able to update the values of name, email....etc.
i tried by adding below code, but not working for me.
class.user.php
public function update($uname,$email,$phone) {
try {
$stmt = $this->_db->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? ');
$stmt->execute(array($uname,$email,$phone,$_SESSION['userID']));
return $stmt->fetch();
} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}
home or profile [home.php ]
$FORM['uname'] = "";
$FORM['txtuname'] = "";
if (isset($_POST['submit'])) {
// new data
$uname = $_POST['txtuname'];
$email = $_POST['txtemail'];
$phone = $_POST['phone'];
$uid = (isset($_GET['userID']) ? intval($_GET['userID']) : -1);
// query
if ($uid->update($uname,$email,$phone,$userID)); {
redirect('home.php');
}
}
<form action="home.php" method="POST">
Name<br>
<input type="text" name="txtuname" value="<?php echo $_SESSION['txtuname'] ?>" /><br>
Email<br>
<input type="text" name="txtemail" value="<?php echo $_SESSION['email'] ?>" /><br>
Phone<br>
<input type="text" name="phone" value="<?php echo $_SESSION['phone'] ?>" /><br>
<input type="submit" name="submit" value="Save" />
</form>
its giving error : Fatal error: Call to a member function update() on a non-object in line
if ($uid->update($uname,$email,$phone,$userID)); {

$uid is not an user object, so you can not call update on it.
You should first retrieve the user object identified by its id from the database und then call update on it.
Additionally, you've got an error in class.user.php:
$stmt = $this->_db->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? ');
should be:
$stmt = $this->conn->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? ');
then in home.php you could do something like this:
$user_home = new USER();
// query
if ($user_home->update($uname,$email,$phone,$uid)); {
$user_home->redirect('home.php');
}
Another issue is, that you assign the users id to $_SESSION['userSession'] so you have to change your update function in your class.user.php:
public function update($uname,$email,$phone) {
try {
$stmt = $this->conn->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? ');
$stmt->execute(array($uname,$email,$phone,$_SESSION['userSession']));
return $stmt->fetch();
} catch(PDOException $e) {
echo '<p class="bg-danger">'.$e->getMessage().'</p>';
}
}
And finally (because you are currently not saving the users email etc. in the session) the form on the bottom of home.php should look rather like this (now including an edit button):
<script>function toggle() { var can = document.getElementsByName("submit"); for (i = 0; i < can.length; i++) { can[i].style.display = can[i].style.display === 'none' ? 'block' : 'none'; }}</script>
<form action="home.php" method="POST">
Name<br>
<input type="text" name="txtuname" value="<?php echo $row['userName'] ?>" /><br>
Email<br>
<input type="text" name="txtemail" value="<?php echo $row['userEmail'] ?>" /><br>
Phone<br>
<input type="text" name="phone" value="<?php echo $row['phone'] ?>" /><br>
<input id="sub" type="submit" name="submit" value="Save" style="display:none" />
</form>
<button name="submit" onclick="toggle()">Edit</button>
</html>

Based on your code, $uid is an integer, either -1 or the userID GET parameter.
Probably you wanted something like
$user_home->update( ..., $uid );
instead, assuming $user_home = new USER(); is missing. Or maybe any other instance of USER has to be created
$another = new USER();
...
$another->update( ..., $uid );

Why are you storing all your user info in a Session. User id or user name should be passed in a get variable. You then validate it that it exist if it doesn't no need to keep going kill the script. Redirect to error page or something. Also user should only be allowed to edit if user_id from the session equals get user_id, that means that user visiting current page. Is the owner so he can modify it. The value in your form should be the results from the database. Also you have no email or text input validation. Like a check that makes sure its a real email. A check to make sure text is only letters and numbers when form is submitted.
As far as your error, Where did you declare your object? I don't see it.
it has to be something like this.
$user_home = new USER();
then you can call update like so
$uid = $user_home->update($uname,$email,$phone,$userID);
you have an error here
public function update($uname,$email,$phone) { try { $stmt = $this->_db->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? '); $stmt->execute(array($uname,$email,$phone,$_SESSION['userID'‌​])); return $stmt->fetch(); } catch(PDOException $e) { echo '<p class="bg-danger">'.$e->getMessage().'</p>'; } }
remove the _ from db like this
$stmt = $this->db->prepare('UPDATE tbl_users SET userName = ?, userEmail = ?, phone = ? WHERE userID = ? '

I think i have a quick workaround for your problem, based on the example you have provided and the fact that you might not need to re-write too much code. This is your home.php page
<?php
//Initializing variable
session_start();
require_once 'class.user.php';
$user_home = new USER();
if(!$user_home->is_logged_in())
{
$user_home->redirect('index.php');
}
$stmt = $user_home->runQuery("SELECT * FROM tbl_users WHERE userID=:uid");
$stmt->execute(array(":uid"=>$_SESSION['userSession']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
?>
Rewrite it like this
<?php
//Initializing variable
session_start();
require_once 'class.user.php';
$user_home = new USER();
// Fetch user from database based on user id
$stmt = $user_home->runQuery("SELECT * FROM tbl_users WHERE userID=:uid");
$stmt->execute(array(":uid"=>$_SESSION['userSession']));
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// $row will provide the old values stored in database if you want them to be displayed as initial values inside your input fields
if(!$user_home->is_logged_in())
{
$user_home->redirect('index.php');
} else {
// adding this here ensures that the $user_home object exists
require_once("profile.php");
}
?>
Then your profile.php page can be like this simple example.
if (isset($_POST['submit'])) {
// new data
$uname = $_POST['txtuname'];
$email = $_POST['txtemail'];
$phone = $_POST['phone'];
$userID= $row['userID'];
// query
$user_home->update($uname,$email,$phone,$userID));
}
<form action="" method="POST">
Name<br>
<input type="text" name="txtuname" value="<?php echo $row['userName'] ?>" /><br>
Email<br>
<input type="text" name="txtemail" value="<?php echo $row['userEmail'] ?>" /><br>
Phone<br>
<input type="text" name="phone" value="<?php echo $row['userPhone'] ?>" /><br>
<input type="submit" name="submit" value="Save" />
</form>

Sign up function working on one script but not another

I have a sign up function on a script and I've copied it over to a new project and changed the variables - form inputs, table/database names etc. and the script won't do anything.
Signup.php
<form class="form" action="register.php" method="POST" enctype="application/x-www-form-urlencoded">
<input type="text" value="" placeholder="Username" id="username" name="username" />
<input type="text" value="" placeholder="Email" id="Email" name="Email" />
<input type="password" value="" placeholder="Password" id="password" name="password" />
<input type="submit" id="signin" name="submit" />
</form>
Register.php
<?php
include('connectivity.php');
if (mysqli_connect_errno())
{
echo "Failed to connect to mysqli: " . mysqli_connect_error();
}
else
{
}
function newUser()
{
include ('connectivity.php');
$username = $_POST['username'];
$username_escaped = mysqli_real_escape_string ($db, $username);
$email = $_POST['email'];
$email_escaped = mysqli_real_escape_string ($db, $email);
$password = sha1($_POST['password']);
$password_escaped = mysqli_real_escape_string ($db, $password);
$query = "INSERT INTO users (username, email, password) VALUES ('$username_escaped', $email_escaped', '$password_escaped')";
include('connectivity.php');
$data = mysqli_query ($db, $query)or die(mysqli_error($db));
if($data)
{
}
}
function SignUp()
{
if(!empty($_POST['email']))
{
include('connectivity.php');
$query = mysqli_query ($db, "SELECT * FROM users WHERE email = '$_POST[email]'")
or die(mysqli_error());
if(!$row = mysqli_fetch_array($query))
{
newUser();
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('User Registration Successful')
window.location.href='login.php';
</SCRIPT>");
}
else
{
echo ("<SCRIPT LANGUAGE='JavaScript'>
window.alert('You are already a registered user!')
window.location.href='homepage.html';
</SCRIPT>");
}
}
}
if(isset($_POST['submit']))
{
SignUp();
}
?>
The form when submitted just goes to the blank php page (register.php) - no window alert messages pop up and no redirection occurs.
This script works perfectly on my other form, can anybody see why it doesn't work on this form?
Cheers for reading!

$_post['email'] Doesnt exists because you have set the name attribute to "Email"
Edit:
I forgot to mention the essence of my answer. the name and $_POST are case sensitive, so "email" != "Email"

try this:
$query = mysqli_query ($db, "SELECT * FROM users WHERE email = '$email'") or die(mysqli_error($db));

how to check whether old password entered is present or not in db

I m having a login page where user enters id and password.To reset the password i have to check whether the entered password is present or not whether it matches with the id i have entered.How to validate it.I m unable to validate it. If user enters any password it displays the record is updated. How to validate it. Here is the code
login.php
<label type="text" name="id" maxlength="50" size="20">ID</label><br />
<input type="text" name="id" placeholder="ID" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">Password</label><br />
<input type="password" name="uid" placeholder="ID" class="input" size="20"/><br /></div>
<span class="field">(* Required field)</span><br /><br />
<input type="submit" name="login1" value="LOGIN" class="button"><br /><br /><br /><br />
</form>
</div>
</body>
</html>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "abc";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$id= $_POST['id'];
$uid= $_POST['uid'];
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);
if(mysql_num_rows($run)>0){
echo "<script>window.open('resetp.php','_self')</script>";
}
else {
echo "<script>alert('Login details are incorrect!')</script>";
}
}
?>
resetp.php
<label type="text" name="uid" maxlength="50" size="20">Old Password</label><br />
<input type="text" name="uid" placeholder="id" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
<input type="password" name="pass" placeholder="pass" class="input" size="20"/><br /></div>
<div class="formItem">
<label type="text" name="cpas" maxlength="50" size="20">Confirm Password</label><br />
<input type="password" name="cpas" placeholder="" class="input" size="20"/><br /></div>
<div class="formItem">
<input type="submit" name="login1" value="RESET" class="formButton"><br /><br /><br /><br /></div>
</form>
<?php
$username = "root";
$password = "";
$hostname = "localhost";
$db = "resume1";
//connection to the database
$dbhandle = mysql_connect($hostname, $username, $password) or die("Unable to connect to MySQL");
mysql_select_db($db,$dbhandle) or die('cannot select db');
if(isset($_POST['login1']))
{
$pass= $_POST['pass'];
$uid= $_POST['uid'];
$cpas=$_POST['cpas'];
$query = "Update `resume` SET uid='".$_POST['pass']."' where uid='".$_POST['uid']."'";
$run = mysql_query($query);
if($query)
{
echo "<script>alert('Record updated')</script>";
}
else
{
echo "<script>alert('no')</script>";
}
}
?>
How can i validated it

Try this:
This line
<label type="text" name="uid" maxlength="50" size="20">New Password</label><br />
should be
<label type="text" name="pass" maxlength="50" size="20">New Password</label><br />

I guess couldn't understand your requirement.
Why don't you validate like you are doing in login.php
$query= "select * from resume where id='$id'
AND uid='$uid'";
$run= mysql_query($query);.................

the PHP script should be at the beginning, not at the end of the code. Begin with the <?php .... ?> and then follow the <HTML> ... </HTML> otherwise the result is returned even before the script is processed.
There are a lot of security issues with your code. You can try this.
<?php
require 'db.php';
$username = isset($_POST['username']) ? htmlspecialchars(trim($_POST['username']), ENT_QUOTES, 'UTF-8') : '';
$password = isset($_POST['password']) ? htmlspecialchars($_POST['password'], ENT_QUOTES, 'UTF-8') : '';
$error = array();
$error_found = 0;
if(isset($_POST['submit']) && ($_POST['submit'] == 'Reset'))
{
//check for errors.
//check if username field is empty.
if(empty($username))
{
$error[] = 'Please provide your user-name.';
}
//check if password field is empty.
if(empty($password))
{
$error[] = 'Please provide a password.';
}
//if errors exist, put errors found as true.
if(!empty($error))
{
$error_found = 1;
}
//else no errors are found.
else
{
//proceed to reset.
//connecting to database.
$db = mysql_connect(MYSQL_HOST, MYSQL_USER, MYSQL_PASSWORD) or die('Unable to connect, check your connection parameters. ');
mysql_select_db(MYSQL_DB, $db) or die('Could not select database, check availability. ' . mysql_error($db));
//querying the database. Checking if user-name password combination exists.
$query = 'SELECT username FROM resume WHERE username = "' . mysql_real_escape_string($username, $db) .
'" AND password = PASSWORD("' . mysql_real_escape_string($password, $db) . '")';
$result = mysql_query($query, $db) or die(mysql_error($db));
//checking if result is true.
if(mysql_num_rows($result) > 0)
{
//the result is true and so you can now reset your password.
}
else
{
$error[] = 'The username password combination you provided does not exist.';
$error_found = 1;
}
}
}
//HTML
?>
<!DOCTYPE HTML>
<html>
<head><title> ... </title></head>
<body>
<!--Your html code here -->
<?php
//if errors are found, then errors are shown here.
if($error_found == 1)
{
echo '<fieldset><center>';
echo '<ul>';
foreach($error as $e)
{
echo '<li>' . $e . '</li>';
}
echo '</ul>';
echo '</center></fieldset>';
}
?>
<form action="nameOfThisScript.php" method="POST">
Username:<input id="username" type="text" name="username" required />
Password:<input id="password" type="password" name="password" required />
<button id="Reset" type="submit" name="submit" value="Reset">Reset</button>
</form>
</body>
</html>
create a script named db.php in the same folder as this script and put the code
<?php
define('MYSQL_HOST', 'localhost');
define('MYSQL_USER', 'root');
define('MYSQL_PASSWORD', '');
define('MYSQL_DB', 'resume1');
?>
Hope this helps.

PHP not writing data in MYSQL

This is a school project and this particular page is to register a new user it does not display errors but it does not fill the MYSQL data base the connection for the database is in another page and I used the require function functions.php is where I am writing the connection function please help :(
<?php
include_once("menu.php");
?>
<form action="login.php" method="POST">
<?php
if ((isset($_POST['username']))&& (isset($_POST['password'])) && (isset($_POST['password2'])) && (isset($_POST['email'])))
{
$username = $_POST['username'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$email = $_POST['email'];
if ($password == $password2)
{
require_once("functions.php");
$connection = connectToMySQL();
$Query = "SELECT count(*) FROM tbl_users WHERE username='$username'";
$Result = mysqli_query($connection,$Query)
or die("Error in the query :". mysqli_error($connection));
$row = mysqli_fetch_row($Result);
$counter = $row[0];
if ($counter > 0)
{
echo "Username alredy exsist with the movie assosiation website<br/>";
echo "<input type=\"submit\" class=\"button\" value=\"Back\"/>";
}
else
{
$insertQuery = "INSERT INTO 'tbl_users'(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";
$insertResult = mysqli_query($connection,$insertQuery)
or die("Error in the query :". mysqli_error($connection));
echo "account created !! <br />";
echo "<input type=\"button\" class=\"button\" value=\"Log In\" onclick=\"location.href='login.php'\"> ";
}
}
}
else
{
?>
<label>
<span>Username:</span>
<input id="username" type="text" name="username" placeholder="enter your Username" required />
</label></br>
<label>
<span>Password</span>
<input id="password" type="password" name="password" placeholder="enter your Password" required />
</label></br>
<label>
<span>Re-Enter Password</span>
<input id="password2" type="password" name="password2" placeholder="re-enter your Password" required />
</label></br>
<label>
<span>Email</span>
<input id="email" type="email" name="email" placeholder="enter email" required />
</label></br>
<label>
<span> </span>
<input id="submit" class="button" type="submit" name="submit" value="Submit"/>
</label>
</form>
<?php
}
?>
<?php
require_once("footer.php")
?>

remove single quote from your table name
try this
$insertQuery = "INSERT INTO `tbl_users`(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";
instead of
$insertQuery = "INSERT INTO 'tbl_users'(username,password,email,role) VALUES ('$username',sha1('$password'),'$email','registered')";

Error in your sql statement.
Try this.
$insertQuery = "INSERT INTO tbl_users (username,password,email,role) VALUES ('{$username}',sha1('{$password}'),'{$email}','registered')";
or this
$insertQuery = "INSERT INTO tbl_users (username,password,email,role) VALUES ('".$username."',sha1('".$password."'),'".$email."','registered')";

mysqli connect and select from database error

I recently started using mysqli_ to connect to my database because of the concern of sql injection and lack of security. I'm trying to reconfigure my login page with mysqli from mysql but the page just won't load and I'm not sure why. Thanks in advance for any help.
Here is my code:
<?php
$mysqli = new mysqli("localhost", "username", "password", "db");
if($mysqli->connect_errno > 0){
die('Unable to connect to database [' . $mysqli->connect_error . ']');
}
if (!isset($_SESSION['email'])) {
$e = trim($_REQUEST['email']);
$email = mysqli->real_escape_string($e);
$p = trim($_REQUEST['password']);
$password = mysqli->real_escape_string($p);
if ($result = $mysqli->query("SELECT email, password" .
" FROM users" .
" WHERE email = '".$email."' AND password = '".$password."'")) {
printf("Select returned %d rows.\n", $result->num_rows);
if ($result->num_rows == 1) {
$row = $result->fetch_array(MYSQLI_NUM);
$user_id = $ow['user_id'];
//No more setcookie
$_SESSION['user_id'] = $user_id;
$_SESSION['email'] = $email;
}
/* free result set */
$result->close();
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<form id="signin_form"
action="<?php echo $_SERVER['PHP_SELF']; ?>"
method="POST">
<div class="signin_box">
<label for="email">Email or Username:</label><br>
<input type="text" name="email" id="email" size="30" />
<br />
<label for="password">Password:</label>
<input type="password" name="password" id="password" size="30" />
<br />
<span class="signin_submit">
<input type="submit" value="Sign In" class="signin_submit" />
</span>
</div>
</form>
</body>
</html>

Here
$email = mysqli->real_escape_string($e);
You forgot $
$email = $mysqli->real_escape_string($e);
and
$password = mysqli->real_escape_string($p);
to
$password = $mysqli->real_escape_string($p);

Categories