I was wondering what the syntax was in PHP to update a row in a PostgreSQL database. I have made a login page that checks a UserName and Password from a database, then it goes to a page where it displays all the user info from the database for that user name. I am trying to allow the user to change some of the columns, like password, name, etc. So I added another page that has fields for each of the columns I want to change.
This is the code I have for the query:
if(array_key_exists('save',$_POST))
{
$firstname=$_POST['ifirstname'];
$lastname=$_POST['ilastname'];
$email=$_POST['iemail'];
$password=$_POST['ipassword'];
$conn_string='host=#### port=#### dbname=###### user=####### password=######';
$dbconn=pg_connect($conn_string) or die('Connection failed');
$query="UPDATE project.customer SET FirstName='$firstname',
LastName='$lastname',Email='$email',Password='$password')
WHERE UserName=$1";
$result=pg_query($dbconn,$query);
$row_count= pg_num_rows($result);
pg_free_result($result);
pg_close($dbconn);
}
This is for the fields:
<div id="header">UPDATE USER INFO</div>
<form id="testform" name="testform" method="post" action="" >
<p> <label for="ifirstname">First Name:</label>
<input name="ifirstname" type="text" id="ifirstname"/>
</p>
<p> <label for="ilastname">Last Name:</label>
<input name="ilastname" type="text" id="ilastname"/>
</p>
<p> <label for="iemail">E-Mail:</label>
<input name="iemail" type="text" id="iemail"/>
</p>
<p>
<label for="ipassword">Password:</label>
<input name="ipassword" type="password" id="ipassword"/>
</p>
<p>
<label for="iconfpass">Confirm Password:</label>
<input name="iconfpass" type="password" id="iconfpass"/>
</p>
<p>
<input type="submit" name="save" value="Register"/>
</p>
</form>
I think it must be like this. Also make user to write old password when changing data for security reason. Also dont forget to filter your data before using in query to avoid sql injection attacks
$query="UPDATE project.customer
SET (FirstName,LastName,Email,Password) =
('$firstname','$lastname','$email','$password')
WHERE UserName= '$1' and Password = '$oldpassword'";
Why not just use standard SQL syntax?
Update project.customer Set
"FirstName" = '$firstname',
...
Where ...
The main difference in Postgres is that you usually quote the column names.
Related
My PHP/SQL script does not work on the new table I cloned but works perfectly fine on the table I copied the new table from using this:
SELECT * INTO slide FROM news
Here's my insert form:
<div class="the-form" style="width:100%;">
<form class="userTrans" method="post">
<input type="hidden" name="act_userTrans" value="__insertNews_">
<p>
<label for="title">Title:</label>
<input type="text" name="title" id="title">
</p>
<p>
<label for="type">News Type:</label>
<input type="text" name="type" id="type">
</p>
<p>
<label for="autor">Author:</label>
<input type="text" name="autor" id="autor">
</p>
<input type="text" name="text2" id="text2">
<p class="form-footer">
<button class="button userTrans" style="background-color: #DB6D1D;">Publish News</button>
</p>
</form>
</div>
And here's my edit form:
<div class="the-form" style="width:100%;">
<form class="userTrans" method="post">
<input type="hidden" name="act_userTrans" value="__updateNews_">
<p>
<label for="title">Title:</label>
<input type="text" name="title" id="title" value="<?=$edit[title]?>"/>
</p>
<p>
<label for="type">News Type:</label>
<input type="text" name="type" id="type" value="<?=$edit[type]?>"/>
</p>
<p>
<label for="autor">Author:</label>
<input type="text" name="autor" id="autor" value="<?=$edit[autor]?>"/>
</p>
<input type="text" name="text2" id="text2" value="">
<input type="hidden" name="id" value="<?=$edit[id]?>">
<p class="form-footer">
<button class="button userTrans" style="background-color: #DB6D1D;">Publish News</button>
</p>
</form>
</div>
Here's my process for updating & inserting my two different forms:
if($activity == "__insertNews_")
{
$title = htmlspecialchars($_POST['title']);
$autor = htmlspecialchars($_POST['autor']);
$type = (int)$_POST['type'];
if(empty($_POST['type']) || empty($_POST['autor']) || empty($_POST['title']) || empty($_POST['text2']))
{
echo response(0,'Fill up all the forms.',0);
exit();
}
//echo $_POST[text2];
$news = mssql_query("INSERT INTO DB1.dbo.news (title,text,type,autor) VALUES ('$title','$_POST[text2]','$type','$autor') ");
echo response(1,'Publishing '.$title.' success!',0);
}
if($activity == "__updateNews_")
{
$title = htmlspecialchars($_POST['title']);
$autor = htmlspecialchars($_POST['autor']);
if(empty($_POST['autor']) || empty($_POST['title']))
{
echo response(0,'Fill up all the forms.',0);
exit();
}
$news = mssql_query("UPDATE DB1.dbo.news set title='$title',autor='$autor' WHERE id='$id' ");
echo response(1,'Editing '.$title.' success!',0);
}
So using those scripts above and i was able to INSERT & UPDATE any contents on dbo.news
However, when I change DB1.dbo.news to the new table I created ( DB1.dbo.slide ) the "INSERT" won't work.
I tried to add data using the same form & processing script, the "INSERT" won't work on dbo.slide but when I test it on dbo.news I'm able to insert data. I also tested UPDATE, and it's working on both dbo.slide and dbo.news.
Now I'm wondering, why is it that the SAME script for INSERT is working on other table but it does not work on the new one (dbo.slide). It's literally confusing because I did not change any codes, I just changed the table I'm inserting the data into and the INSERT function stopped working.
What's the best way to debug this and find out what is causing this issue?
mssql_query function no longer exist in newer php versions. i suggest you to work with PDO because one of it advantage for you is, reduce the commonly used insert and update operations and it's safe against malicious attacks and through SQL injection
But now, can't help you without DB1.dbo.slide columns and DB1.dbo.slide columns and your DB1.dbo.slide insert query.
So for main help, check DB1.dbo.slide columns and compare their with DB1.dbo.news. then rewrite your SQL query according to DB1.dbo.slide columns.
If your insert query worked for DB1.dbo.news, be sure your insert query for DB1.dbo.slide is not correct
SOLVED! I deleted all the cloned database and used the CREATE TABLE statement to recreate everything including primary keys, constraint, etc and now its working!
It seems that i shouldn't be using this to clone tables
SELECT * INTO slide FROM news
Thank you everyone for taking the time to reply, really appreciate it!
I have HTML registration form when I submit the form the PHP code appears and data not insert to database i made my database using phpMyAdmin, what should I do?
Here my PHP code:
<?php
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
if ($con) {
echo "good";
}else {
die('error');
}
if(isset($_POST['submit'])){
$Fname = mysqli_real_escape_string($con,$_POST["Fname"]);
$Lname = mysqli_real_escape_string($con,$_POST["Lname"]);
$email = mysqli_real_escape_string($con,$_POST['email']);
$password = mysqli_real_escape_string($con,$_POST['password']);
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher` (Re_fname,Re_lname,Re_mobile,Re_password) values ('$Fname','$Lname','$email','$password ')");
if (mysqli_query($sql)){
echo "insert";
} else {
echo "error" .$sql ."<br>". mysqli_error($con);
}
}
?>
here my registration HTML code
<form method="post" action="connect.php">
<legend class="center">Register </legend>
<br>
<div>
<input type="text" name="Fname" placeholder="First Name"/>
</div>
<div>
<input type="text" name="Lname" placeholder="Last Name"/>
</div>
<div>
<input type="text" name="email" placeholder="Email"/>
</div>
<div>
<input type="password" name="password" placeholder="Password"/>
</div>
<div>
<input type="password" name="con_password" placeholder="Password confirm"/>
</div>
<input type="submit" name="submit" value="submit"/>
</form>
Look at the following:
$sql = mysqli_query($con,"INSERT INTO `research_sys`.`researcher`
^^^^^^^^^^^^ function
(Re_fname,Re_lname,Re_mobile,Re_password)
values ('$Fname','$Lname','$email','$password ')");
^ space
if (mysqli_query($sql)){
^^^^^^^^^^^^ function
You're using that mysqli_query() function twice, remove one and just do:
if ($sql){...}
and mysqli_error($con) should have thrown you an error about it.
If it didn't throw an error, then that may suggest you're using this as file:/// as opposed to http://localhost.
Edit:
"i have html registration form whin i submit the form the php code apears"
That's because of what I wrote above before quoting you. You need to run this off a webserver with php/mysql installed and running properly and as http://localhost.
Also, remove the space in this '$password '. That space counts as a character.
Double-check your column names also. There seems to be something that doesn't match (Re_fname,Re_lname,Re_mobile,Re_password) the Re_mobile and you're referencing an email '$email' in VALUES.
You also seem to store plain text passwords; don't, it's not safe if you intend on going live with this. Use password_hash() and a prepared statement.
Footnotes:
$con=mysqli_connect('localhost','root','');
$db=mysqli_select_db($con,'research_sys');
You can shorten that to using all 4 arguments in mysqli_connect():
$con=mysqli_connect('localhost','root', '', 'research_sys');
So I'm trying to create this form and every time I try to create a dummy user it creates an empy one in the database.
Here's the php code create.php:
<?php
session_start();
include ('connection.php');
$username = $_POST['usernamesignup'];
$email = $_POST['emailsignup'];
$password = $_POST['passwordsignup'];
mysql_query("INSERT INTO users (usernamesignup, passwordsignup, emailsignup)
VALUES ('$username', '$password', '$email')")or die (mysql_error());
header('Location: login.html');
mysql_close($db);
?>
And here's the part of the form Login.html:
<form action="create.php" autocomplete="on">
<h1> Sign up </h1>
<p><label for="usernamesignup" class="uname" data-icon="u">Your username</label>
<input id="usernamesignup" name="usernamesignup" required="required" type="text" placeholder="mysuperusername690" /></p>
<p><label for="emailsignup" class="youmail" data-icon="e" > Your email</label>
<input id="emailsignup" name="emailsignup" required="required" type="email" placeholder="mysupermail#mail.com"/></p>
<p><label for="passwordsignup" class="youpasswd" data-icon="p">Your password </label>
<input id="passwordsignup" name="passwordsignup" required="required" type="password" placeholder="eg. X8df!90EO"/></p>
<p><label for="passwordsignup_confirm" class="youpasswd" data-icon="p">Please confirm your password </label>
<input id="passwordsignup_confirm" name="passwordsignup_confirm" required="required" type="password" placeholder="eg. X8df!90EO"/></p>
<p class="signin button"><input type="submit" value="Sign up"/></p>
<p class="change_link">Already a member? Go and log in </p>
</form>
Any help would be greatly appreciated.
EDIT: The adding of method:"post" did the trick. Thank you very much to all of you for your fast response and the very valid advises on security and on how I should change to a more current form instead of what I used here.
You need to specify the form method to POST in your case. Try
<form action="create.php" autocomplete="on" method="POST">
You have to check if the values sent by your form are not null or with an empty string. And please be very careful your code is vulnerable to sql injections and hash your password in sha512 or something like that.
have a look to this function : http://php.net/manual/en/function.empty.php
and try to add this in your form :
<form action="create.php" autocomplete="on" method="post">
try adding this to your form tag
method='post'
Default method for form is GET, and you're trying to get your values from POST, so they're empty...
You should do:
$password = $_GET['password'];
// etc.
Or, if you don't know:
$password = $_REQUEST['password'];
// etc.
I recommend you to use a mysqli class. I've used this one myself in smaller projects: https://github.com/ajillion/PHP-MySQLi-Database-Class
You're missing "form validation" in your code. This prevents empty and malicious form submits if you integrate validation properly into your forms and backend code
A simple example of how to make sure data was entered in the specific fields, try this:
<?php
if (empty($_POST['usernamesignup']), empty($_POST['...']))
{
echo 'Not all required data was submitted';
}
else
{
// Process the form, all data was received
}
4. Have you considered using a php framework? Try something like Codeigniter or Laravel if you want something more advanced and usable.
Please consider including <form action="create.php" autocomplete="on" method="POST">
Please I beg you, Don't store raw password in database just use an encryption method.
And use PDO instead of mysql_*
see here: http://net.tutsplus.com/tutorials/php/why-you-should-be-using-phps-pdo-for-database-access/
I have done my research but have found nothing specific enough to my problem
I have an HTML form, asking for data, then a php script that is suppose to put the data in a mysql database
When i try it on my localhost, i dont get any errors
but when i check on phpmyadmin, there is no new data
the html:
<html>
<head>
<form action="insert.php" method="post">
ID: <input type="text" name="ID"><br>
Family ID: <input type="text" name="Family_ID"><br>
First Name: <input type="text" name="First_Name"><br>
Last Name: <input type="text" name="Last_Name"><br>
Gender: <input type="text" name="Gender"><br>
Birthday: <input type="text" name="Birthday"><br>
Birthplace: <input type="text" name="Birthplace"><br>
Father ID: <input type="text" name="Father_ID"><br>
Mother ID: <input type="text" name="Mother_ID"><br>
Maiden Name: <input type="text" name="Maiden_Name"><br>
Mariage ID: <input type="text" name="Mariage_ID"><br>
Deathdate: <input type="text" name="Deathdate"><br>
Deathplace: <input type="text" name="Deathplace"><br>
Grave Location: <input type="text" name="Grave_Location"><br>
Email: <input type="text" name="Email"><br>
Phone: <input type="text" name="Phone"><br>
Address: <input type="text" name="Adress"><br>
Bio: <input type="text" name="Bio"><br>
Studies: <input type="text" name="Travail"><br>
Travail: <input type="text" name="Travail"><br>
Photo: <input type="text" name="Photo"><br>
Fete: <input type="text" name="Fete"><br>
<input type="Submit">
</form>
</head>
<body>
</body>
</html>
the php:
$username='root';
$password='121395';
$database='genealogy';
mysql_connect("localhost",$username,$password);
#mysql_select_db($database) or die( 'Unable to select database');
echo "Connected to MySQL";
$ID=mysql_real_escape_string($_POST['ID']);
$Family_ID=mysql_real_escape_string($_POST['Family_ID']);
$First_Name=mysql_real_escape_string($_POST['First_Name']);
$Last_Name=mysql_real_escape_string($_POST['Last_Name']);
$Gender=mysql_real_escape_string($_POST['Gender']);
$Birthday=mysql_real_escape_string($_POST['Birthday']);
$Birthplace=mysql_real_escape_string($_POST['Birthplace']);
$Father_ID=mysql_real_escape_string($_POST['Father_ID']);
$Mother_ID=mysql_real_escape_string($_POST['Mother_ID']);
$Maiden_Name=mysql_real_escape_string($_POST['Maiden_Name']);
$Mariage_ID=mysql_real_escape_string($_POST['Mariage_ID']);
$Deathdate=mysql_real_escape_string($_POST['Deathdate']);
$Deathplace=mysql_real_escape_string($_POST['Deathplace']);
$Grave_Location=mysql_real_escape_string($_POST['Grave_Location']);
$Email=mysql_real_escape_string($_POST['Email']);
$Phone=mysql_real_escape_string($_POST['Phone']);
$Address=mysql_real_escape_string($_POST['Adress']);
$Bio=mysql_real_escape_string($_POST['Bio']);
$Travail=mysql_real_escape_string($_POST['Travail']);
$Photo=mysql_real_escape_string($_POST['Photo']);
$Fete=mysql_real_escape_string($_POST['Fete']);
$query = "INSERT INTO bouan (ID, Family_ID, First_Name, Last_Name, Gender, Birthday,
Birthplace, Father_ID, Mother_ID, Maiden_Name, Mariage_ID,Deathdate, Deatchplace,
Grave_Location, Email, Phone, Adress, Bio, Travail, Photo, Fete) VALUES
('$ID','$Family_ID','$First_Name','$Last_Name','$Gender','$Birthday','$Birthplace',
'$Father_ID','$Mother_ID','$Maiden_Name','$Mariage_ID','$Deathdate','$Deathplace',
'$Grave_Location','$Email','$Phone','$Address','$Bio','$Travail','$Photo','$Fete')";
mysql_query($query) or die ("Error updating database");
mysql_error();
mysql_close();
All i get in return is:
Connected to MySQLError updating database
whats wrong? (i HAVE done my research, over 2 days fyi)
im sorry that im new to this, cant help it
You should probably
provide mysql_query with the real query
sanitize data before feeding it to sql
use {$_POST['whatever']} when you want to embed it into a string
check the return value of mysql_query
learn a thing or two.
Your first approach looks fine, but for security reasons fetch the posted variables like below $ID=mysql_real_escape_string($_POST['ID']);
mysql_real_escape_string() method will remove the unwanted characters and makes it secure.
At the end try to print the query which you are executing using echo or print statement.
echo $query;
Execute the result on your phpmyadmin. Phpmyadmin will let you know what are the errors in your mysql query and following those instructions you can change your query.
Debugging can be done by printing the results after each line execution wherever you feel something is going wrong.
Use mysql_error() to receive last error. Also I see potential bug in your query:
'`$ID`','`$Family_ID`','`$First_Name`' -- you may try to remove ` sign
try to do these 2 things, first add value attribute to your all input elements
e.g)
<input type="text" name="Family_ID" value="">
because it will not get into $_POST variable if you send blank value in the text box with no value attribute
try to add filed names so that you can track map with values and remove
`
from your field and value.
i have made user-register.tpl.php file. And i have set many text field in that.
But now i need that....
i want to store the users information to the database. bcz i have created the customized registration page, so i need that my text field values should be store in the database.
like this.......
Username: <input type="text" name="myuser" id="myuser" />
Now i want to store the username, which will entered in this myuser text filed.
NitishPanchjanya Corporation
<form action="index.php" method="post" name="acc_info_form">
Username: <input type="text" name="myuser" id="myuser" /><br/>
First Name: <input type="text" name="name" id="name" /><br/>
<input type="submit" value="Save"/>
</form>
index.php
//Here you have to write database connection and then
<?PHP if ( $_POST){ ?>
mysql_query("INSERT INTO users (myuser, name) VALUES('".$_POST['myuser']."',".$_POST['name']."' )") or die(mysql_error());
<?PHP } ?>