I've searched this website for a solution but no result.
I'm stuck on the following problem, my code gives the Unknown Colum 'member_id' in 'where clause' error. Never heard of it before.. so I am a bit confused right now.
This is my code :
<?php
require("db.php");
$id = $_REQUEST['member_id'];
$result = mysql_query("SELECT * FROM members WHERE member_id = '$id'");
$test = mysql_fetch_array($result);
if (!$result)
{
die("Error: Data not found..");
}
$admin=$test['admin'] ;
$firstname=$test['firstname'] ;
$lastname=$test['lastname'] ;
$mail= $test['mail'] ;
$login=$test['login'] ;
$passwd=$test['passwd'] ;
if(isset($_POST['save']))
{
$admin_save = $_POST['admin'];
$firstname_save = $_POST['firstname'];
$lastname_save = $_POST['lastname'];
$mail_save = $_POST['mail'];
$login_save = $_POST['login'];
$passwd_save = md5($_POST['password']);
mysql_query("UPDATE lijst SET admin ='$admin_save',firstname ='$firstname_save',lastname ='$lastname_save', mail ='$mail_save', login ='$login_save',
passwd ='$passwd_save' WHERE member_id = '$id'")
or die(mysql_error());
echo "Saved!";
header("Location: main.php");
}
mysql_close($conn);
?>
The form :
<form method="post">
<table>
<tr>
<td>Admin</td>
<td><input type="text" name="admin" class="text w_20" value="<?php echo $admin ?>"/></td>
</tr>
<tr>
<td>Voornaam</td>
<td><input type="text" name="firstname" class="text w_20" value="<?php echo $firstname ?>"/></td>
</tr>
<tr>
<td>Achternaam</td>
<td><input type="text" name="lastname" class="text w_20" value="<?php echo $lastname ?>"/></td>
</tr>
<tr>
<td>E-mail</td>
<td><input type="text" name="mail" class="text w_20" value="<?php echo $mail ?>"/></td>
</tr>
<tr>
<td>Gebruikersnaam</td>
<td><input type="text" name="login" class="text w_20" value="<?php echo $login ?>"/></td>
</tr>
<tr>
<td>Password</td>
<td><input type="text" name="passwd" class="text w_20" value="<?php echo $passwd ?>"/></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="save" value="update" /></td>
</tr>
</table>
</form>
The error is saying there is no field member_id in the database table lijst. Add the field or remove the condition from the WHERE clause.
Given the SQL you just posted, your table is called members not lijst. So change the query:
UPDATE members ......
Edit: your MD5 problem is because your html input is named passwd but you are targeting password in the POST array:
$passwd_save = md5($_POST['password']);
Change to:
$passwd_save = md5($_POST['passwd']);
Finally, your query is vulnerable to SQL Injection. As a quick fix, run your user input through mysql_real_escape_string(). Or even better, switch to a modern MySQL API such as PDO, and use parameterised queries.
Related
I am currently making a system for a client database management. There are four tables in mySQL for this system, which are; admin, staff, client, and project. The project table has one foreign key from the client table, which is the clientid.
Now, I have made forms for all these tables so that the user can input the data into them. Weirdly, the only form that can be updated successfully is the staff one. Both the client and project forms cannot be updated at all. It returns as successful, but the data are not altered.
Below is the staff update code.
<?php
include 'database.php';
$staffid = $_GET['staffid'];
$sql = "SELECT * FROM staff WHERE staffid='$staffid'";
$result = mysqli_query($conn,$sql);
while ($row=mysqli_fetch_array($result)){
$staffname = $row['staffname'];
$staffemail = $row['staffemail'];
$staffphone = $row['staffphone'];
}
if(isset($_POST['submit'])){
$staffname = $_POST['staffname'];
$staffemail = $_POST['staffemail'];
$staffphone = $_POST['staffphone'];
$sql = "UPDATE staff SET
staffname='$staffname',staffemail='$staffemail',staffphone='$staffphone' WHERE staffid='$staffid'";
$result = mysqli_query($conn,$sql);
if($result){
echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
}
else {
echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
}
}
?>
<form action="" method="post">
<table class ="table1">
<tr>
<td>Staff Name:</td> <td><input type="text" name="staffname" size="50" value="<?php echo $staffname;?>"></td>
</tr>
<tr>
<td>Staff Email:</td> <td><input type="text" name="staffemail" size="50" value="<?php echo $staffemail;?>"></td>
</tr>
<tr>
<td>Staff Phone No:</td> <td><input type="text" name="staffphone" size="50" value="<?php echo $staffphone;?>"></td>
</tr>
<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewstaff.php"'></td>
</table>
</form>
Okay now is the update code for the client table.
<?php
include 'database.php';
$clientid = $_GET['clientid'];
$sql = "SELECT * FROM client WHERE clientid='$clientid'";
$result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());
while ($row=mysqli_fetch_array($result)){
$clientid = $row['clientid'];
$clientname = $row['clientname'];
$clientno = $row['clientno'];
$clientemail = $row['clientemail'];
$clientadd = $row['clientadd'];
}
if(isset($_POST['submit'])){
$clientid = $row['clientid'];
$clientname = $row['clientname'];
$clientno = $row['clientno'];
$clientemail = $row['clientemail'];
$clientadd = $row['clientadd'];
$sql = "UPDATE client SET clientid='$clientid',clientname='$clientname',clientno='$clientno',clientemail='$clientemail',clientadd='$clientadd' WHERE clientid='$clientid'";
$result = mysqli_query($conn,$sql) or die ("Error in query: $query. ".mysqli_error());
if($result){
echo "<table><td><tr><h4>Record has been updated successfully!<br></tr></td></h4></table>";
}
else {
echo "<h4>Record has <b>NOT</b> been updated successfully<br></h4>";
}
}
?>
<form action="" method="post">
<table class ="table1">
<tr>
<td>Client ID:</td> <td><input type="text" name="clientid" size="50" value="<?php echo $clientid;?>"></td>
</tr>
<tr>
<td>Client Name:</td> <td><input type="text" name="clientname" size="50" value="<?php echo $clientname;?>"></td>
</tr>
<tr>
<td>Client Phone No.:</td> <td><input type="text" name="clientno" size="50" value="<?php echo $clientno;?>"></td>
</tr>
<tr>
<td>Client Email:</td> <td><input type="text" name="clientemail" size="50" value="<?php echo $clientemail;?>"></td>
</tr>
<tr>
<td>Client Address:</td> <td><input type="text" name="clientadd" size="50" value="<?php echo $clientadd;?>"></td>
</tr>
<td><input type="submit" value="Update" name="submit"> <input type="button" value="View" name="view" onclick='location.href="viewclient.php"'></td>
</table>
</form>
Maybe I'm stupid or what but I've been trying to figure out the problem for 3 hours and I'm this close to crying lol. Been reading all the threads here about updating form but still, no answer. Hope that anyone here could help me. Thank you.
The code you use for the client table update uses this code:
if(isset($_POST['submit'])){
$clientid = $row['clientid']; // $row should be $_POST
$clientname = $row['clientname']; // $row should be $_POST
$clientno = $row['clientno']; // $row should be $_POST
$clientemail = $row['clientemail']; // $row should be $_POST
$clientadd = $row['clientadd']; // $row should be $_POST
But those $rows should be $_POST, else the updated data will be the same as the previous data (since $row is the result from the query SELECT * FROM client WHERE clientid='$clientid'). You do it correctly in the staff table update code:
if(isset($_POST['submit'])){
$staffname = $_POST['staffname'];
$staffemail = $_POST['staffemail'];
$staffphone = $_POST['staffphone'];
Please note that your your script is at risk of SQL Injection Attack. Have a look at what happened to Little Bobby Tables. Even if you are escaping inputs, its not safe!. Use prepared parameterized statements instead.
I am trying to do "search user by name button" to search the user's database, is show "Result Error" cannot get the user details. I don't know which part got problem. Please help me. Every help would be appreciated. Here is my code.
manageruser.php
<?php
include("include/config.php");
$name = "";
$username = "";
$password = "";
$ic = "";
$contact = "";
$email = "";
$nationality = "";
$program = "";
$firstintake = "";
function getPosts()
{
$posts = array();
$posts[0] = $_POST['name'];
$posts[1] = $_POST['username'];
$posts[2] = $_POST['password'];
$posts[3] = $_POST['ic'];
$posts[4] = $_POST['contact'];
$posts[5] = $_POST['email'];
$posts[6] = $_POST['nationality'];
$posts[7] = $_POST['program'];
$posts[8] = $_POST['firstintake'];
return $posts;
}
// Search
if(isset($_POST['search']))
{
$data = getPosts();
$search_Query = "SELECT * FROM user WHERE u_name = $data[0]";
$search_Result = mysqli_query($link, $search_Query);
if($search_Result)
{
if(mysqli_num_rows($search_Result))
{
while($row = mysqli_fetch_array($search_Result))
{
$name = $row['u_name'];
$username = $row['u_unm'];
$password = $row['u_pwd'];
$ic = $row['u_ic'];
$contact = $row['u_contact'];
$email = $row['u_email'];
$nationality = $row['u_national'];
$program = $row['u_program'];
$firstintake = $row['u_fintake'];
}
}
else
{
echo "No Data For This Name";
}
}
else
{
echo "Result Error";
}
}
?>
<fieldset>
<legend>Manage User</legend>
<form name="ManForm" method="post" action="manageuser.php">
<table>
<tr>
<td>Name:</td>
<td><input id="name" name="name" type="text" class="input" pattern="[A-Z\s]+"
title="Please enter capital letters" value="<?php echo $name; ?>">
<span>(Full name) *must capital letters</span></td>
</tr>
<tr>
<td>Username:</td>
<td><input id="username" name="username" type="text" class="input" value="<?php echo $username; ?>"></td>
</tr>
<tr>
<td>Password:</td>
<td><input id="password" name="password" type="password" class="input" value="<?php echo $password; ?>"></td>
</tr>
<tr>
<td>Identity card /Passport number:</td>
<td><input id="ic" name="ic" type="text" class="input" value="<?php echo $ic; ?>"></td>
</tr>
<tr>
<td>Contact number:</td>
<td><input id="contact" name="contact" type="text" class="input" value="<?php echo $contact; ?>"></td>
</tr>
<tr>
<td>Email:</td>
<td><input id="email" name="email" type="text" class="input" value="<?php echo $email; ?>"></td>
</tr>
<tr>
<td>Nationality:</td>
<td><input id="nationality" name="nationality" type="text" class="input" value="<?php echo $nationality; ?>"></td>
</tr>
<tr>
<td>Program:</td>
<td><input id="program" name="program" type="text" class="input" value="<?php echo $program; ?>"></td>
</tr>
<tr>
<td>First intake:</td>
<td><input id="firstintake" name="firstintake" type="text" class="input" value="<?php echo $firstintake; ?>"></td>
</tr>
</table>
<div>
<input type="submit" name="search" value=" Search User By Name">
<input type="submit" name="update" value=" Update User Details">
<input type="submit" name="delete" value=" Delete User ">
</div>
</form>
</fieldset>
config.php
<?php
$link= mysqli_connect("localhost","root","","course_registration_system");
?>
The problem here is that you are running your query wrong way.
To run your query you should be using a prepared statement.
It is very important to understand that simply adding quotes around a variable is not enough and will eventually lead to innumerable problems, from syntax errors to SQL injections. On the other hand, due to the very nature of prepared statements, it's a bullet-proof solution that makes it impossible to introduce any problem through a data variable.
So, for every query you run, if at least one variable is going to be used, you have to substitute it with a placeholder, then prepare your query, and then execute it, passing variables separately.
First of all, you have to alter your query, adding placeholders in place of variables. Say your query will become like this
"SELECT * FROM user WHERE u_name = ?"
then you will have to prepare it, bind variables, and execute
So you should be doing like this
$stmt = $link->prepare("SELECT * FROM user WHERE u_name = ?");
$stmt->bind_param("s", $data[0]);
$stmt->execute();
$result = $stmt->get_result();
while($row = $result->fetch_array())
{
Use quote around your search string in query or try this instead -
$search_Query = "SELECT * FROM user WHERE u_name = '" .$data[0]."'";
I am trying to create a sign up sheet for an assignment but i am having difficulty as i have to allow for admin rights so i decide to create a column called administrator in my table as a boolean ie true or false. on my sign up sheet i wish to use a checkbox if its checked they are an administrator if not then they are not.
how can i make the check box = 1 or 0 to the mysql statment?
here is the code for sign up:
<form method="POST" action="new-user 2.php">
<td>Full Name</td><td>
<input type="text" name="name"></td>
</tr>
<tr>
<td>Email</td>
<td>
<input type="text" name="email"></td>
</tr>
<tr>
<td>UserName</td>
<td>
<input type="text" name="user">
</td> </tr>
<tr>
<td>Password</td>
<td>
<input type="password" name="pass">
</td>
</tr>
<tr>
<td>Confirm Password </td>
<td><input type="password" name="cpass">
</td>
</tr>
</tr>
<tr>
<td>Administrator </td>
<td><input type="checkbox" name="cbox" />
</td>
</tr>
<tr>
<td>
<input id="button" type="submit" name="submit" value="Register">
</td>
</tr>
</form>
</table>
</fieldset>
</div>
</div>
</body>
</html>
<?php
if(isset($_POST['cbox']))
{
$administrator ='1';
}
else
{
$administrator ='0';
}
?>
Thank you
Update:
The new user2.php code is as follows:
require_once('connection.php');
function NewUser()
{
#$salt = 'sadfh9832asd34rf28asjvddap';
#$crypt = crypt ($salt .$password);
$fullname = $_POST['name'];
$userName = $_POST['user'];
$email = $_POST['email'];
$administrator =$_POST['administrator'];
#$password = crypt($_POST['pass']);
$password = md5($_POST['pass']);
echo "<hr>".$_POST['pass'] . "=[$password]<hr>";
#$password = stripslashes($password);
#$password = mysql_real_escape_string($password);
$query = "INSERT INTO `WebsiteUsers`(`fullname`, `userName`, `email`, `pass`, `administrator`) VALUES ('$fullname','$userName','$email','$password', 'administrator')";
$data = mysql_query ($query)or die(mysql_error());
echo "<hr>$query<hr>";
if($data)
{
echo "YOUR REGISTRATION IS COMPLETED...";
}
}
function SignUp()
{
if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
{ $query = mysql_query("SELECT * FROM WebsiteUsers WHERE userName = '$_POST[user]'
AND pass = '$_POST[pass]'") or die(mysql_error());
if(!$row = mysql_fetch_array($query) or die(mysql_error()))
{
newuser();
}
else
{
echo "SORRY...YOU ARE ALREADY A REGISTERED USER..."; }
}
}
if(isset($_POST['submit']))
{
SignUp();
}
#header("location:index.html");
?>
<?php
$cookie_name = "cookieuser";
$cookie_value = $fullname;
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/"); // 86400 = 1 day
?>
Give a value to the checkbox like this
<input type="checkbox" name="cbox" value="1" />
Then check if that value is assigned to the $_POST variable like this.
if($_POST['cbox'] == '1')
Complete code is listed below. I have done some modifications.
<form method="POST" action="new-user 2.php">
<td>Full Name</td><td>
<input type="text" name="name"></td>
</tr>
<tr>
<td>Email</td>
<td>
<input type="text" name="email"></td>
</tr>
<tr>
<td>UserName</td>
<td>
<input type="text" name="user">
</td> </tr>
<tr>
<td>Password</td>
<td>
<input type="password" name="pass">
</td>
</tr>
<tr>
<td>Confirm Password </td>
<td><input type="password" name="cpass">
</td>
</tr>
</tr>
<tr>
<td>Administrator </td>
<td><input type="checkbox" name="cbox" value="1" />
</td>
</tr>
<tr>
<td>
<input id="button" type="submit" name="submit" value="Register">
</td>
</tr>
</form>
</table>
</fieldset>
</div>
</div>
</body>
</html>
<?php
if(isset($_POST['cbox']))
{
if($_POST['cbox'] == '1'){
$administrator ='1';
}else{
$administrator ='0';
}
}else
{
$administrator ='0';
}
?>
Per your form elemenet, <form method="POST" action="new-user 2.php"> this script is submitting to new-user 2.php. If this page is new-user 2.php then $administrator will be 1 or 0 (as a string).
If this page is not new-user 2.php then this check:
<?php
if(isset($_POST['cbox']))
{
$administrator ='1';
}
else
{
$administrator ='0';
}
?>
will not run, because the PHP only executes on page load; it is not available once the page has loaded.
$_POST['cbox'] is either going to have the value of on or not be set.
You can see all values being submitted by outputting the POST after the form is submitted with this, print_r($_POST);.
If this is new-user 2.php then please update your question to where the usage of $administrator can be seen.
Per your update code the issue is you are checking the wrong form element. Your form element is cbox, not administrator. You also are open to SQL injections with this code and are using the deprecated driver, mysql_. You should switch up to mysqli or pdo.
On to your code... Your NewUser function should be updated to:
function NewUser()
{
#$salt = 'sadfh9832asd34rf28asjvddap';
#$crypt = crypt ($salt .$password);
$fullname = mysql_real_escape_string($_POST['name']);
$userName = mysql_real_escape_string($_POST['user']);
$email = mysql_real_escape_string($_POST['email']);
$administrator = isset($_POST['cbox']) ? 1 : 0;
#$password = crypt($_POST['pass']);
$password = md5($_POST['pass']);
echo "<hr>".$_POST['pass'] . "=[$password]<hr>";
#$password = stripslashes($password);
#$password = mysql_real_escape_string($password);
$query = "INSERT INTO `WebsiteUsers`(`fullname`, `userName`, `email`, `pass`, `administrator`) VALUES ('$fullname','$userName','$email','$password', $administrator)";
$data = mysql_query ($query)or die(mysql_error());
echo "<hr>$query<hr>";
if($data)
{
echo "YOUR REGISTRATION IS COMPLETED...";
}
}
Note the escaping and $administrator = isset($_POST['cbox']) ? 1 : 0;.
i have this code in PHP and a database sql.. the situation is .. if i type the 1, 2 or 3 (productID) .. the textbox will be populated and field with database values.. but when i run the program.. fortunately it has no errors.. but when i type the id or 1 and click the submit button.. it doesnt get the neccessary values.. sorry for this im a complete newbie and im practicing PHP for a while now.. any help will do.. thank you..
<?php
session_start();
include_once 'dbconnect.php';
if(!isset($_SESSION['user'])){
header("Location: index.php");
}
$res = mysql_query("SELECT * FROM users WHERE user_id=".$_SESSION['user']);
$userRow = mysql_fetch_array($res);
?>
<?php
require('dbconnect.php');
$id = (isset($_REQUEST['productID']));
$result = mysql_query("SELECT * FROM tblstore WHERE productID = '$id'");
$sql = mysql_fetch_array($result);
if(!$result){
die("Error: Data not found");
} else {
$brandname = $sql['brandname'];
$price = $sql['price'];
$stocks = $sql['stocks'];
}
?>
<html>
<body>
<p>
hi' <?php echo $userRow['username']; ?> Sign Out
</p>
<form method="post">
<table align="center">
<tr>
<td>Search Apparel:</td>
<td><input type="text" name="search" name="productID" /></td>
</tr>
<tr>
<td>Brandname:</td>
<td><input type="text" name="brandname" value="<?php echo $brandname; ?>"/ </td>
</tr>
<tr>
<td>Price:</td>
<td><input type="text" name="price" value="<?php echo $price; ?>"/></td>
</tr>
<tr>
<td>Stocks:</td>
<td><input type="text" name="stocks" value="<?php echo $stocks; ?>"/></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Search" /></td>
</tr>
</table>
</form>
</body>
</html>
your getting the id incorrectly, you have:
<?php
$_REQUEST['productID']=8; //for testing
$id = (isset($_REQUEST['productID']));
if you check it you will find the output is true\false as returned by isset
var_dump($id); //true
what you should use is:
<?php
if(isset($_REQUEST['productID'])){ //maybe also check its a number and or valid range
$id=$_REQUEST['productID'];
}
I have an update page where I check the title of the employee whether he is a doctor or a nurse. If the employee is a doctor/nurse an HTML form will be shown, if not a doctor/nurse, patient information will only be displayed and cannot be edited. But my code somehow skips the part where I wanted to display the form even if I am logged in as a doctor/nurse. Can you please help me with this....
<?php
$a=$_SESSION['employeeID'];
$title="SELECT title FROM employee WHERE employeeID = '$a'";
if($title == 'nurse' OR $title == 'doctor')
{
echo '<form method="post" id="customForm" action="add_assessment.php">
<table>
<input type="hidden" name="res_id" value="' . $_GET['res_id'] . '" />
<tr>
<td><label for="name"><font style="color:white">Symptoms</font><font style="color:gray"></font></label>
<input id="name" name="symptoms" type="text" /></td>
<td><label for="name"><font style="color:white">Respiratory Rate</font></label>
<input id="name" name="respiratoryRate" type="text" /></td>
<td><label for="name"><font style="color:white">Temperature</font> <font style="color:gray"></font></label>
<input id="name" name="temperature" type="text" /></td>
</tr>
<tr>
<td><label for="name"><font style="color:white">Blood Pressure</font></label>
<input id="name" input name="bloodPressure" type="text" class="input2"/></td>
<td><label for="name"><font style="color:white">Pulse Rate</font></label>
<input id="name" input name="pulseRate" type="text" /></td>
</tr>
<tr>
<td><label for="name"><font style="color:white">Chief Complaint</font></label>
<input id="name" input name="complaint" type="text" class="input2"/></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td><input id="send" name="send" type="submit" value="Submit" /></td>
</tr>
</table>
</form>';
}
else
{
$host="localhost";
$username="root";
$password=""; // password
$db_name="rhu"; // Database name
$tbl_name="assessment"; // Table name
mysql_connect("$host", "$username", "$password");
mysql_select_db("$db_name");
$id = $_GET['res_id'];
$sql = mysql_query("SELECT * FROM assessment WHERE patientID='$id'");
while($row = mysql_fetch_array($sql))
{
echo "<p>ID: ".$id."</p>";
echo "<p>Assessment ID: ".$row['assessmentID']."</p>";
echo "<p>Symptoms: ".$row['symptoms']."</p>";
echo "<p>Respiratory Rate: ".$row['respiratoryRate']."</p>";
echo "<p>Temperature: ".$row['temperature']."</p>";
echo "<p>Blood Pressure: ".$row['bloodPressure']."</p>";
echo "<p>Pulse Rate: ".$row['pulseRate']."</p>";
echo "<p>Complaints: ".$row['complaint']."</p>";
echo "<p>Date: ".$row['date']."</p>";
echo "<br>";
}
}
?>
In its current state, you are simply assigning a string to the variable $title. You are literally saying that $title is the string "SELECT title FROM employee WHERE employeeID = '$a'"; therefore it is skipping the if($title == 'nurse' OR $title == 'doctor').
You are also not executing a MySQL query, try this first
$a=$_SESSION['employeeID'];
$sql = mysql_query("SELECT title FROM employee WHERE employeeID = '"$a"'");
while($row = mysql_fetch_array($sql)){
$title = $row['title'];
if($title == 'nurse' OR $title == 'doctor')
{
echo....
You should also note that mysql_* is deprecated and will be phased out of PHP as a solution in the future. To future-proof your code, consider using mysqli or PDO transactions.
You can try like this--
$sql = mysql_query("SELECT title FROM employee WHERE employeeID = '$a'");
while($row = mysql_fetch_array($sql)){
$title = $row['title'];
if($title == 'nurse' OR $title == 'doctor')
{
...continue you coding