I have built a very simple PHP form that allows a user to send an application using the following PHP code:
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$host = '###';
$username = '###';
$pass = '###';
mysql_connect($host,$username,$pass);
mysql_select_db("###");
$status = mysql_real_escape_string($_POST['status']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$url = mysql_real_escape_string($_POST['url']);
$query = "INSERT INTO creathive_applications
VALUES (NULL,'$status','$firstname','$lastname','$email','$url')";
$result = mysql_query($query) or trigger_error(mysql_error().". Query: ".$query);
}
What I want to do is make sure that the same person doesn't apply TWICE so if the email address already exists in the database then it will show a message on the form saying "sorry looks like you've already applied".
Here is the HTML form, and I have added the message inside the fieldset, so need to do a) show this message if the email exits or show success message and then b) add #membership form to the url to make the view jump to form on the page so that the user will see the messages. Can any help with this? THANKS
<form action="" method="post">
<fieldset id="membershipform">
<div id="error"><p>sorry email in use</p></div>
<div id="success"><p>Thanks your application has been sent</p></div>
<ul class="clearfix">
<li id="li-status">
<span>I am a:</span>
<menu>
<li><label for="student"><input type="radio" name="status" id="student" checked="checked" value="Graduate" /> Graduate</label></li>
<li><label for="student2"><input type="radio" name="status" id="student2" value="Undergraduate" /> Undergraduate</label></li>
</menu>
</li>
<li id="li-firstname">
<label for="firstname">First Name</label> <input name="firstname" type="text" placeholder="First Name" id="firstname" title="First Name" />
</li>
<li id="li-lastname">
<label for="lastname">Last Name</label> <input name="lastname" type="text" placeholder="Last Name" id="lastname" title="Last Name" />
</li>
<li id="li-email">
<label for="email">Email address</label> <input name="email" type="text" placeholder="Email address" id="email" title="Email address" />
</li>
<li id="li-url">
<label for="url">URL</label> <input name="url" type="text" placeholder="URL of something you've made" id="url" title="URL of something you've made" />
</li>
<li id="li-buttons">
<input name="submit" type="submit" value="Send Application ►" title="Send Application" />
</li>
</ui>
</fieldset>
</form>
Do a select query before insert to validate there aren't any entries for the email already:
select from creathive_applications where email = $email
If any results come back, then display your message instead of inserting the record. You can add javascript onload code to move form to #membershipform if the email already existed.
You can alter table so that email id is primary so it will be unique.
You can check with another query
select from creathive_applications where emai='$email'
simple , you must check it agains your database .
if($_SERVER['REQUEST_METHOD'] == 'POST'){
$host = '###';
$username = '###';
$pass = '###';
mysql_connect($host,$username,$pass);
mysql_select_db("###");
$status = mysql_real_escape_string($_POST['status']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$url = mysql_real_escape_string($_POST['url']);
$query_check = "SELECT COUNT(*) as existents FROM creathive_applications .... emailfiel = 'email_entered'";
switch($query_check['existents']){
case 0:
//do the insert operation
$query = "INSERT INTO creathive_applications VALUES (NULL,'$status','$firstname','$lastname','$email','$url')";
$result = mysql_query($query) or trigger_error(mysql_error().". Query: ".$query);
break;
default:
echo "no no";
}
}
Check if $email exists in your DB and if it does set $error = 1. Then if $error = 1, print the message.
$emailchk = mysql_query("SELECT * FROM creathive_applications WHERE email = '$email'");
if(mysql_num_rows($emailchk) > 0) {
$error = 1;
}
if isset($error) {
echo '<div id="error"><p>sorry email in use</p></div>';
}
You could do it like this:
PHP Code:
if($_SERVER['REQUEST_METHOD'] == 'POST')
{
$host = '###';
$username = '###';
$pass = '###';
$emailerror = null;
mysql_connect($host,$username,$pass);
mysql_select_db("###");
$status = mysql_real_escape_string($_POST['status']);
$firstname = mysql_real_escape_string($_POST['firstname']);
$lastname = mysql_real_escape_string($_POST['lastname']);
$email = mysql_real_escape_string($_POST['email']);
$url = mysql_real_escape_string($_POST['url']);
$emailchk = mysql_query("SELECT * FROM creathive_applications WHERE email = '$email'");
if(mysql_num_rows($emailchk) == 0) {
$query = "INSERT INTO creathive_applications VALUES (NULL,'$status','$firstname','$lastname','$email','$url')";
$result = mysql_query($query) or trigger_error(mysql_error().". Query: ".$query);
}else{
$emailerror = '<span style="color:rgb(255,0,0)">Email already taken</span>';
}
}
HTML (Must be in the same file):
<form action="" method="post">
<fieldset id="membershipform">
<div id="error"><p>sorry email in use</p></div>
<div id="success"><p>Thanks your application has been sent</p></div>
<ul class="clearfix">
<li id="li-status">
<span>I am a:</span>
<menu>
<li><label for="student"><input type="radio" name="status" id="student" checked="checked" value="Graduate" /> Graduate</label></li>
<li><label for="student2"><input type="radio" name="status" id="student2" value="Undergraduate" /> Undergraduate</label></li>
</menu>
</li>
<li id="li-firstname">
<label for="firstname">First Name</label> <input name="firstname" type="text" placeholder="First Name" id="firstname" title="First Name" />
</li>
<li id="li-lastname">
<label for="lastname">Last Name</label> <input name="lastname" type="text" placeholder="Last Name" id="lastname" title="Last Name" />
</li>
<li id="li-email">
<label for="email">Email address</label> <input name="email" type="text" placeholder="Email address" id="email" title="Email address" /> <?php echo $emailerror;?>
</li>
<li id="li-url">
<label for="url">URL</label> <input name="url" type="text" placeholder="URL of something you've made" id="url" title="URL of something you've made" />
</li>
<li id="li-buttons">
<input name="submit" type="submit" value="Send Application ►" title="Send Application" />
</li>
</ui>
</fieldset>
</form>
Related
I have a member page that lands after user signs in. From there I need to populate that page with all their data in a form format (same as the one they filled out initially) so they can edit and update/save.
<form>
<fieldset>
<legend>Edit My Account
</legend>
<div>
<label class="label" for="username">Username</label>
<input class="user" type="text" name="username" id="username" value="<?php if(isset($error)){ echo $_POST['username']; } ?>" tabindex="2" required />
</div>
<div>
<label class="label" for="email">Email</label>
<input class="email" type="email" name="email" id="email" value="<?php if(isset($error)){ echo $_POST['email']; } ?>" tabindex="3" required />
</div>
<div>
<label class="label" for="password">Password</label>
<input class="password" type="password" name="password" id="password" tabindex="4" required />
</div>
<div>
<label class="label" for="passwordConfirm">Confirm Password</label>
<input class="password" type="password" name="passwordConfirm" id="passwordConfirm" tabindex="5" required />
</div>
<div>
<input class="showbox" type="checkbox" name="terms" id="terms" tabindex="6" onFocus="this.tabIndex=1;"onBlur="this.tabIndex=6;"required />
<label for="terms">I agree to the Terms</label>
</div>
</fieldset>
<fieldset>
<div>
<input name="submit" type="submit" value="Update" />
</div>
</fieldset>
</form>
Secondly I want them to be able to delete their entire account with a "Delete My Account" button via a input type 'submit' that would appear on same member page.
<fieldset>
<form action="delete.php?" method="post">
<input type="hidden" name="id" value="<?php echo $members['memberID']; ?>">
<input type="submit" name="submit" value="Delete My Account">
</form>
</filedset>
I've been searching for days now... mostly this platform and have not found any sound solution(s).
I'm using MySQL db using PDO $stmt = $db->prepare('INSERT INTO... to create insert for new users and that all works fine.
I include a separate connection config file for db connection as well.
I created a delete.php file for the statement.
<?php require('config.php');
$id=$_SESSION['memberID'];
$stmt = $db->prepare('DELETE FROM members where memberID = $id');
?>
I'm not able to find a solution to populate the member page with logged in user data then edit and update it and/or capture the users logged in memberID to submit the delete account request using that memberID.
Some guidance would be appreciated, Thanks!
Here is my login.php code
<?php
//include config
require_once('config.php');
//check if already logged in move to home page
if( $user->is_logged_in() ){ header('Location: memberpage.php'); }
//process login form if submitted
if(isset($_POST['submit'])){
$username = $_POST['username'];
$password = $_POST['password'];
if($user->login($username,$password)){
$_SESSION['username'] = $username;
header('Location: memberpage.php');
exit;
} else {
$error[] = '<h2 class="red ctr thanks">Wrong username or password or your account has not been activated.</h2>';
}
}//end if submit
?>
At first you must set id user.after login user in admin page
and next you can use of that
<?php
$userId= $_GET['id'];//get user id you can use session also
if (isset($_POST['submit'])){
$username = $_POST['username'];
$email = $_POST['email'];
$password = $_POST['password'];
$passwordConfirm = $_POST['passwordConfirm'];
$terms = $_POST['terms'];
if (($password===$passwordConfirm) and ($terms===1)){
$query = "UPDATE members SET username = :username ,email = :email,"
."password = :password WHERE id = :id";
$stmt = $db->prepare($query);
$stmt->bindParam(':username',$username, PDO::PARAM_STR);
$stmt->bindParam(':email', $email, PDO::PARAM_STR);
$stmt->bindParam(':password', $password, PDO::PARAM_STR);
$stmt->bindParam(':id',$userId, PDO::PARAM_INT);
}
}
$query = "SELECT * FROM `members` WHERE id = `$userId`"; //Get user info
$sth = $db->prepare($query);
$sth ->execute();
$result = $sth->fetchAll(PDO::FETCH_ASSOC);
if ($result) {
// output data of each row
foreach($result as $row){
$username = $row['username'];
$email = $row['email'];
$password = $row['password'];
}
}
?>
<form method="post" class="form-horizontal" action="<?php filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_FULL_SPECIAL_CHARS); ?>">
<fieldset>
<legend>Edit My Account
</legend>
<div>
<label class="label" for="username">Username</label>
<input class="user" type="text" name="username" id="username" value="<?php echo $username ?>" tabindex="2" required />
</div>
<div>
<label class="label" for="email">Email</label>
<input class="email" type="email" name="email" id="email" value="<?php echo $email?>" tabindex="3" required />
</div>
<div>
<label class="label" for="password">Password</label>
<input class="password" type="password" name="password" value="<?php echo $password ?>" id="password" tabindex="4" required />
</div>
<div>
<label class="label" for="passwordConfirm">Confirm Password</label>
<input class="password" type="password" name="passwordConfirm" id="passwordConfirm" tabindex="5" required />
</div>
<div>
<input class="showbox" type="checkbox" name="terms" id="terms" tabindex="6" onFocus="this.tabIndex=1;"onBlur="this.tabIndex=6;"required />
<label for="terms">I agree to the Terms</label>
</div>
</fieldset>
<fieldset>
<div>
<input name="submit" type="submit" value="Update" />
</div>
</fieldset>
</form>
I checked the answers under ( PHP Form not posting all fields 2 ) and I do have names in all form fields : .... However, It is only posting the id, the date, and the name... I am so confused.
Here is my Sign-up -html- :
<legend>Registration Form</legend><p></p>
<label> Name </label>
<input id="intext" type="text" name="name" /><p></p>
<label> Email </label>
<input id="intext" type="text" name="email" /><p></p>
<label> Zip_Code </label>
<input id="intext" type="text" name="zipcode" /><p></p>
<label> UserName </label>
<input id="intext" type="text" name="user" /><p></p>
<label> Password </label>
<input type="password" name="pass" /><p></p>
<label> Confirm Password </label>
<input type="password" name="cpass" /><p> </p>
<div class="center">Comments / Inquiry </div>
<div class="center">
<textarea id="textarea" name="comments" rows="10" cols="40"></textarea>
Here is my php function:
function NewUser() { $name = $_POST['name'];
$Name = $_POST['name'];
$Email = $_POST['email'];
$Zip_Code = $_POST['zipcode'];
$UserName = $_POST['user'];
$Password = $_POST['pass'];
$Comments = $_POST['comments'];
$query = "INSERT INTO WebsiteUsers (Name, Email, Zip_Code, UserName, Password, Comments)
VALUES ('$name','$email','$zipcode','$user','$pass','$comments')";
$data = mysql_query ($query)or die(mysql_error());
if($data) { echo "Thank you for Registering with us.";
}
}
function SignUp() { if(!empty($_POST['user'])) //checking the 'user' name which is from Sign-Up.html, is it empty or have some text
{
$query = mysql_query("SELECT * FROM WebsiteUsers WHERE UserName = '$_POST[user]' AND Password = '$_POST[pass]'") or die(mysql_error());
if(!$row = mysql_fetch_array($query) or die(mysql_error())) { newuser();
}
In your query are usign variables in lowercase but in variable declarations are with uppercase.
Can you try this code?
$query = "INSERT INTO WebsiteUsers (Name, Email, Zip_Code, UserName, Password, Comments)
VALUES ('$Name','$Email','$Zipcode','$User','$Pass','$Comments')";
please try this.
I am assuming that you do not have issue implementing $conn, the connection to database, selecting db
sign-up.php
<form action="script.php" method="POST">
<legend>Registration Form</legend>
<label> Name </label>
<input id="intext" type="text" name="name" />
<label> Email </label>
<input id="intext" type="text" name="email" />
<label> Zip_Code </label>
<input id="intext" type="text" name="zipcode" />
<label> UserName </label>
<input id="intext" type="text" name="user" />
<label> Password </label>
<input type="password" name="pass" />
<label> Confirm Password </label>
<input type="password" name="cpass" />
<div class="center"><p>Comments / Inquiry </p>
<textarea id="textarea" name="comments" rows="10" cols="40"></textarea>
</div>
</form>
script.php
<?php
function newUser($conn)
{
$name = $_POST['name'];
$email = $_POST['email'];
$zipcode = $_POST['zipcode'];
$username = $_POST['user'];
$password = $_POST['pass'];
$password2 = $_POST['cpass'];
$comments = $_POST['comments'];
if($password== $password2)
{
$query = "INSERT INTO WebsiteUsers VALUES ('".$name."','".$email."','".$zipcode."','".$username."','".$password."','".$comments."')";
if(mysql_query($query,$conn))
echo 'signup successful';
else
echo 'error inserting new user';
}
else
echo 'Password missmatched';
}
function signUp($conn)
{
if(!empty($_POST['user']))
{
$username = $_POST['user'];
$password = $_POST['pass'];
$query = "SELECT * FROM WebsiteUsers WHERE UserName = '".$username."' AND Password = '".$password."';";
$result = mysql_query($query,$conn);
if(mysql_num_rows($result)<1)
newUser($conn);
}
else
echo 'form not submitted';
}
// now calling the signUp()
$conn= mysql_connect("","","") or die("Error connecting database"); // host, user, pass to connect db
mysql_select_db(""); // select database
signUp($conn);
?>
This is just cleanup of your code. Hope this will help to solve your problem. My implementation would be completely different than this one.
And one more thing, please use mysqli_* or PDO as mysql_* is depreciated
I am wondering which one are errors. I've tried to check mysql and nothing inserted into my database.
First of all, my HTML code are like this
<form action="registerAction" method="POST">
<p class="titleRegister"> Login Details </p>
<!-- login details -->
<p> <label for="emailAddress" class="inputField" > Email Address : </label> </p>
<p> <input id="emailAddress" class="registerField" name="ename" required="required" type="text" placeholder="Your email address"/> </p>
<p> <label for="password" class="inputField" > Password : </label> </p>
<p> <input id="password" class="registerField" name="pwd" required="required" type="password" placeholder="Your password"/> </p>
<p> <label for="password" class="inputField" > Confirmation Password : </label> </p>
<p> <input id="password" class="registerField" name="mpwd" required="required" type="password" placeholder="Confirmation password" onBlur="pwdCompare()"/> </p>
<!-- personal details -->
<p class="titleRegister"> Personal Details </p>
<!-- hidden to insert db -->
<input name="registerID" type="hidden"/>
<input name="pic" type="hidden"/>
<p>
<label for="socialTitle" class="inputField" > Title : </label>
<div class="radio">
<input type="radio" name="sTitle" value="mr"> Mr
<input type="radio" name="sTitle" value="mrs"> Mrs
<input type="radio" name="sTitle" value="ms"> Ms
</div>
</p>
<p> <label for="firstName" class="inputField" > First Name : </label> </p>
<p> <input id="firstName" class="registerField" name="fname" required="required" type="text" placeholder="Your first name"/> </p>
<p> <label for="lastName" class="inputField" > Last Name : </label> </p>
<p> <input id="lastName" class="registerField" name="lname" required="required" type="text" placeholder="Your last name"/></p>
<p> <label for="mainAddress" class="inputField" > Main Address : </label> </p>
<p> <input id="mainAddress" class="registerField" name="address" required="required" type="text" placeholder="Your main address"/> </p>
<p> <label for="countryName" class="inputField" > Country : </label> </p>
<?php
include 'dbconnect.php';
echo "<select class=\"selectCSS\" name=\"country\">";
$country = "SELECT DISTINCT * FROM geo_country ORDER BY country";
$showCountry = mysqli_query($mysqli, $country);
while($countryRow = mysqli_fetch_assoc($showCountry))
{
$country = htmlspecialchars ($countryRow['country']);
$countryCode = $countryRow['countryCode'];
echo "<option value=\"$country\">$country</option>\n";
}
echo "</select>";
?>
<p> <label for="cityName" class="inputField" > City : </label> </p>
<?php
include 'dbconnect.php';
echo "<select class=\"selectCSS\" name=\"city\">";
$city = "SELECT DISTINCT * FROM geo_country INNER JOIN geo_city ORDER BY city WHERE geo_country.countryCode = geo_city.countryCode";
$showCities = mysqli_query($mysqli, $city);
while($cityRow = mysqli_fetch_assoc($showCities))
{
$city = htmlspecialchars ($cityRow['city']);
$countryCode = $cityRow['countryCode'];
echo "<option value=\"$city\">$city</option>\n";
}
echo "</select>";
?>
<p> <label for="postalCode" class="inputField" > Postal Code : </label> </p>
<p> <input id="postalCode" class="registerField" name="pcode" required="required" type="text" placeholder="Your postal code"/> </p>
<p> <input class="registerButton" type="submit" value="REGISTER"> </p>
</form>
and my php action come here:
<?php
include 'dbconnect.php';
if ($_POST['pwd']!= $_POST['mpwd']) {
echo("Oops! Password did not match! Try again. ");
}
$register_ID = $_POST['registerID'];
$socialTitle = $_POST['sTitle'];
$firstName = ucfirst(strtoupper($_POST['fname']));
$lastName = ucfirst(strtoupper($_POST['lname']));
$emailAddress = htmlspecialchars($_POST['ename']);
$mainAddress = htmlspecialchars($_POST['address']);
$registerCity = $_POST['city'];
$registerCountry = $_POST['country'];
$postalCode = htmlspecialchars($_POST['pcode']);
$profilePic = $_POST['pic'];
$registerPassword = $_POST['pwd'];
$check = "SELECT * FROM register_user where emailAddress = '$emailAddress'";
$checkTitle = mysqli_query($mysqli,$check);
if (mysqli_num_rows($checkTitle) > 0) {
header("Location: register?error=The name of email has already been taken");
} else {
$insertSQL =
"INSERT INTO register_user ('registerID', 'socialTitle', 'firstName', 'lastName', 'emailAddress', 'mainAddress', 'registerCity', 'registerCountry', 'postalCode', 'profilePic', 'registerPassword')
VALUES ('$register_ID', '$socialTitle', '$firstName', '$lastName', '$emailAddress', '$mainAddress', '$registerCity', '$registerCountry', '$postalCode', '$profilePic', '$registerPassword')";
$queryResult = mysqli_query($mysqli,$insertSQL);
if($queryResult) {
echo "SUCCESS";
echo "<p> Name : $emailAddress </p>";
echo "<p> Detail : $fname </p>";
echo "<p> BACK </p>";
}
}
?>
The results are nothing come out on the new html page and neither in DB. Can you check it out please? Thanks.
You're using the wrong identifiers for your columns, being (single) quotes '.
('registerID', 'socialTitle', 'firstName', 'lastName', 'emailAddress', 'mainAddress', 'registerCity', 'registerCountry', 'postalCode', 'profilePic', 'registerPassword')
change that to:
(registerID, socialTitle, firstName, lastName, emailAddress, mainAddress, registerCity, registerCountry, postalCode, profilePic, registerPassword)
or use backticks.
(`registerID`, `socialTitle`, `firstName`, `lastName`, `emailAddress`, `mainAddress`, `registerCity`, `registerCountry`, `postalCode`, `profilePic`, `registerPassword`)
Using or die(mysqli_error($mysqli)) to mysqli_query() would have shown you the error.
Plus, unless the form action is an index file in a folder called registerAction or a mod rewrite:
it would need to be
<form action="registerAction.php" method="POST">
so, check that. Just an insight.
I would also like to note that your present code is open to SQL injection.
Use prepared statements, or PDO with prepared statements, they are much safer.
Not 100% sure about it, but try changing your html.
This:
<form action="registerAction" method="POST">
To:
<form action="registerAction.php" method="POST">
Assuming registerAction is the name of you php file..
I've defined a user settings page in my website, and there are several forms that appears on that page, I'v written a query for these fields to be updated upon clicking on "submit" button, but some how I end up having this error below;
User Could Not Be Updated Because:You have an error in your SQL
syntax; check the manual that corresponds to your MySQL server version
for the right syntax to use near
'SHA1(5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8)', ' WHERE id =' at
line 1
this is profile settings page codes for the form:
<?php
$uid = $_SESSION['user_id'];
$query = mysqli_query($dbc, "SELECT * FROM users WHERE id = $uid ")or die(mysql_error());
$arr = mysqli_fetch_assoc($query);
?>
<form action="?page=profileset&id=<?php echo $arr['id']; ?>" method="post" role="form">
<label for="first">First Name</label>
<input class="form-control" type="text" name="first" id="first" value="<?php echo $arr['first']; ?>" placeholder="First Name" autocomplete="off">
</div>
<div class="from-group">
<label for="last">Last Name</label>
<input class="form-control" type="text" name="last" id="last" value="<?php echo $arr['last']; ?>" placeholder="Last Name" autocomplete="off">
</div>
<br>
<div class="from-group">
<label for="email">Email Address</label>
<input class="form-control" type="text" name="email" id="email" value="<?php echo $arr['email']; ?>" placeholder="Email Address" autocomplete="off">
</div>
<div class="from-group">
<label for="password">Password</label>
<input class="form-control" type="password" name="password" id="password" value="<?php echo $arr['password']; ?>" placeholder="Password" autocomplete="off">
</div>
<button id="profile-btn-change" type="submit" class="btn">Submit Changes</button>
<input type="hidden" name="submitted" value="1">
</form>
and this is the query which updates this form;
if(isset($_POST['submitted']) == 1){
$first = mysqli_real_escape_string($dbc, $_POST['first']);
$last = mysqli_real_escape_string($dbc, $_POST['last']);
$password = SHA1($_POST['password']);
$action = 'Updated';
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
$r = mysqli_query($dbc, $q);
if($r){
$message = '<p class="alert alert-success">User Was '.$action.'!</p>';
} else {
$message = '<p class="alert alert-danger">User Could Not Be '.$action.' Because:'.mysqli_error($dbc);
}
}
any consideration is appreciated
You are repeating the password = part in the UPDATE query.
do
$password = sha1($_POST[password]);
instead of
$password = " password = 'SHA1($_POST[password])', ";
update
make sure you try the update query like
$q = "UPDATE users SET first = '".$first."', last = '".$last."', email = '".$_POST['email']."', password = '".$password."' WHERE id = '".$_POST['id']."'";
and try to sanitize the variables while you use them.
I have a working registration and login system. I am trying to create a form where a user can add product registration info (via mysql update). I can't seem to get the db to actually update the fields. What am I missing here?!?
<?php
define('INCLUDE_CHECK',true);
require 'connect.php';
require 'functions.php';
// Those two files can be included only if INCLUDE_CHECK is defined
session_name('tzLogin');
// Starting the session
session_set_cookie_params(2*7*24*60*60);
// Making the cookie live for 2 weeks
session_start();
if($_SESSION['id'] && !isset($_COOKIE['tzRemember']) && !$_SESSION['rememberMe'])
{
// If you are logged in, but you don't have the tzRemember cookie (browser restart)
// and you have not checked the rememberMe checkbox:
$_SESSION = array();
session_destroy();
// Destroy the session
}
if(isset($_GET['logoff']))
{
$_SESSION = array();
session_destroy();
header("Location: index_login3.php");
exit;
}
if($_POST['submit']=='Login')
{
// Checking whether the Login form has been submitted
$err = array();
// Will hold our errors
if(!$_POST['username'] || !$_POST['password'])
$err[] = 'All the fields must be filled in!';
if(!count($err))
{
$_POST['username'] = mysql_real_escape_string($_POST['username']);
$_POST['password'] = mysql_real_escape_string($_POST['password']);
$_POST['rememberMe'] = (int)$_POST['rememberMe'];
// Escaping all input data
$row = mysql_fetch_assoc(mysql_query("SELECT * FROM electrix_users WHERE usr='{$_POST['username']}' AND pass='".md5($_POST['password'])."'"));
if($row['usr'])
{
// If everything is OK login
$_SESSION['usr']=$row['usr'];
$_SESSION['id'] = $row['id'];
$_SESSION['email'] = $row['email'];
$_SESSION['first'] = $row['first'];
$_SESSION['last'] = $row['last'];
$_SESSION['address1'] = $row['address1'];
$_SESSION['address2'] = $row['address2'];
$_SESSION['city'] = $row['city'];
$_SESSION['state'] = $row['state'];
$_SESSION['zip'] = $row['zip'];
$_SESSION['country'] = $row['country'];
$_SESSION['product1'] = $row['product1'];
$_SESSION['serial1'] = $row['serial1'];
$_SESSION['product2'] = $row['product2'];
$_SESSION['serial2'] = $row['serial2'];
$_SESSION['product3'] = $row['product3'];
$_SESSION['serial3'] = $row['serial3'];
$_SESSION['rememberMe'] = $_POST['rememberMe'];
// Store some data in the session
setcookie('tzRemember',$_POST['rememberMe']);
}
else $err[]='Wrong username and/or password!';
}
if($err)
$_SESSION['msg']['login-err'] = implode('<br />',$err);
// Save the error messages in the session
header("Location: index_login3.php");
exit;
}
else if($_POST['submit']=='Register')
{
// If the Register form has been submitted
$err = array();
if(strlen($_POST['username'])<4 || strlen($_POST['username'])>32)
{
$err[]='Your username must be between 3 and 32 characters!';
}
if(preg_match('/[^a-z0-9\-\_\.]+/i',$_POST['username']))
{
$err[]='Your username contains invalid characters!';
}
if(!checkEmail($_POST['email']))
{
$err[]='Your email is not valid!';
}
if(!count($err))
{
// If there are no errors
$pass = substr(md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000)),0,6);
// Generate a random password
$_POST['email'] = mysql_real_escape_string($_POST['email']);
$_POST['username'] = mysql_real_escape_string($_POST['username']);
$_POST['first'] = mysql_real_escape_string($_POST['first']);
$_POST['last'] = mysql_real_escape_string($_POST['last']);
$_POST['address1'] = mysql_real_escape_string($_POST['address1']);
$_POST['address2'] = mysql_real_escape_string($_POST['address2']);
$_POST['city'] = mysql_real_escape_string($_POST['city']);
$_POST['state'] = mysql_real_escape_string($_POST['state']);
$_POST['zip'] = mysql_real_escape_string($_POST['zip']);
$_POST['country'] = mysql_real_escape_string($_POST['country']);
// Escape the input data
mysql_query(" INSERT INTO electrix_users(usr,pass,email,first,last,address1,address2,city,state,zip,country,regIP,dt)
VALUES(
'".$_POST['username']."',
'".md5($pass)."',
'".$_POST['email']."',
'".$_POST['first']."',
'".$_POST['last']."',
'".$_POST['address1']."',
'".$_POST['address2']."',
'".$_POST['city']."',
'".$_POST['state']."',
'".$_POST['zip']."',
'".$_POST['country']."',
'".$_SERVER['REMOTE_ADDR']."',
NOW()
)");
if(mysql_affected_rows($link)==1)
{
send_mail( 'noreply#electrixpro.com',
$_POST['email'],
'Your New Electrix User Password',
'Thank you for registering at www.electrixpro.com. Your password is: '.$pass);
$_SESSION['msg']['reg-success']='We sent you an email with your new password!';
}
else $err[]='This username is already taken!';
}
if(count($err))
{
$_SESSION['msg']['reg-err'] = implode('<br />',$err);
}
header("Location: index_login3.php");
exit;
}
if($_POST['submit']=='Update')
{
{
mysql_query(" UPDATE electrix_users(product1,serial1,product2,serial2,product3,serial3) WHERE usr='{$_POST['username']}'
VALUES(
'".$_POST['product1']."',
'".$_POST['serial1']."',
'".$_POST['product2']."',
'".$_POST['serial2']."',
'".$_POST['product3']."',
'".$_POST['serial3']."',
)");
if(mysql_affected_rows($link)==1)
{
$_SESSION['msg']['upd-success']='Thank you for registering your Electrix product';
}
else $err[]='So Sad!';
}
if(count($err))
{
$_SESSION['msg']['upd-err'] = implode('<br />',$err);
}
header("Location: index_login3.php");
exit;
}
if($_SESSION['msg'])
{
// The script below shows the sliding panel on page load
$script = '
<script type="text/javascript">
$(function(){
$("div#panel").show();
$("#toggle a").toggle();
});
</script>';
}
?>
Here are the forms:
<!-- Panel -->
<div id="toppanel">
<div id="panel">
<div class="content clearfix">
<div class="left">
<h1>My Electrix Account </h1>
<p class="grey">View and edit your contact information and product registrations</p>
</div>
<?php
if(!$_SESSION['id']):
?>
<div class="left">
<!-- Login Form -->
<form class="clearfix" action="" method="post">
<h1>Member Login</h1>
<?php
if($_SESSION['msg']['login-err'])
{
echo '<div class="err">'.$_SESSION['msg']['login-err'].'</div>';
unset($_SESSION['msg']['login-err']);
}
?>
<label class="grey" for="username">Username:</label>
<input class="field" type="text" name="username" id="username" value="" size="23" />
<label class="grey" for="password">Password:</label>
<input class="field" type="password" name="password" id="password" size="23" />
<label><input name="rememberMe" id="rememberMe" type="checkbox" checked="checked" value="1" /> Remember me</label>
<div class="clear"></div>
<input type="submit" name="submit" value="Login" class="bt_login" />
</form>
</div>
<div class="left right">
<!-- Register Form -->
<form action="" method="post">
<h1>Not a member yet? Sign Up!</h1>
<?php
if($_SESSION['msg']['reg-err'])
{
echo '<div class="err">'.$_SESSION['msg']['reg-err'].'</div>';
unset($_SESSION['msg']['reg-err']);
}
if($_SESSION['msg']['reg-success'])
{
echo '<div class="success">'.$_SESSION['msg']['reg-success'].'</div>';
unset($_SESSION['msg']['reg-success']);
}
?>
<label class="grey" for="username">Username*:</label>
<input class="field" type="text" name="username" id="username" value="" size="23" />
<label class="grey" for="email">Email*:</label>
<input class="field" type="text" name="email" id="email" size="23" />
<label class="grey" for="first">First Name:</label>
<input class="field" type="text" name="first" id="first" size="23" />
<label class="grey" for="last">Last Name:</label>
<input class="field" type="text" name="last" id="last" size="23" />
<label class="grey" for="address1">Address line 1:</label>
<input class="field" type="text" name="address1" id="address1" size="23" />
<label class="grey" for="address2">Address line 2:</label>
<input class="field" type="text" name="address2" id="address2" size="23" />
<label class="grey" for="city">City:</label>
<input class="field" type="text" name="city" id="city" size="23" />
<label class="grey" for="state">State/Province:</label>
<input class="field" type="text" name="state" id="state" size="23" />
<label class="grey" for="zip">Zip/Postal Code:</label>
<input class="field" type="text" name="zip" id="zip" size="23" />
<label class="grey" for="country">Country:</label>
<input class="field" type="text" name="country" id="country" size="23" />
<p>
<label>A password will be e-mailed to you.</label>
<input type="submit" name="submit" value="Register" class="bt_register" />
</p>
</form>
</div>
<?php
else:
?>
<div class="left">
<h1>User Information</h1>
<p>
<?php echo $_SESSION['first']; ?>
<?php echo $_SESSION['last']; ?><br />
<?php echo $_SESSION['address1']; ?>
<?php echo $_SESSION['address2']; ?><br />
<?php echo $_SESSION['city']; ?>,
<?php echo $_SESSION['state']; ?>
<?php echo $_SESSION['zip']; ?><br />
<?php echo $_SESSION['country']; ?>
</p>
<p>Email: <?php echo $_SESSION['email']; ?></p>
<p>Downloads</p>
Log off
</div>
<div class="left right">
<!-- Product Registration Form -->
<form class="clearfix" action="" method="post">
<h1>Product Registration</h1>
<?php
if($_SESSION['msg']['upd-err'])
{
echo '<div class="err">'.$_SESSION['msg']['upd-err'].'</div>';
unset($_SESSION['msg']['upd-err']);
}
if($_SESSION['msg']['upd-success'])
{
echo '<div class="success">'.$_SESSION['msg']['upd-success'].'</div>';
unset($_SESSION['msg']['upd-success']);
}
?>
<label class="grey" for="product1">Product 1:</label>
<input class="field" type="text" name="product1" id="product1" value="<?php echo $_SESSION['product1']; ?>" size="23" />
<label class="grey" for="serial1">Serial 1:</label>
<input class="field" type="text" name="serial1" id="serial1" value="<?php echo $_SESSION['serial1']; ?>" size="23" />
<label class="grey" for="product2">Product 2:</label>
<input class="field" type="text" name="product2" id="product2" value="<?php echo $_SESSION['product2']; ?>" size="23" />
<label class="grey" for="serial2">Serial 2:</label>
<input class="field" type="text" name="serial2" id="serial2" value="<?php echo $_SESSION['serial2']; ?>" size="23" />
<label class="grey" for="product3">Product 3:</label>
<input class="field" type="text" name="product3" id="product3" value="<?php echo $_SESSION['product3']; ?>" size="23" />
<label class="grey" for="serial3">Serial 3:</label>
<input class="field" type="text" name="serial3" id="serial3" value="<?php echo $_SESSION['serial3']; ?>" size="23" />
<div class="clear"></div>
<input type="submit" name="submit" value="Update" class="bt_login" />
</form>
</div>
<?php
endif;
?>
</div>
</div> <!-- /login -->
<!-- The tab on top -->
<div class="tab">
<ul class="login">
<li class="left"> </li>
<li>Hello <?php echo $_SESSION['usr'] ? $_SESSION['usr'] : 'Guest';?>!</li>
<li class="sep">|</li>
<li id="toggle">
<a id="open" class="open" href="#"><?php echo $_SESSION['id']?'Open Panel':'Log In | Register';?></a>
<a id="close" style="display: none;" class="close" href="#">Close Panel</a>
</li>
<li class="right"> </li>
</ul>
</div> <!-- / top -->
</div> <!--panel -->
Your update query is way off. You need to do it in the form of
UPDATE `tablename`
SET col1=`value`,col2=`val2`
WHERE wherecol=`whereval`
change your query and see if that helps.
your query should be
UPDATE electrix_users
SET
product1= $_POST['product1'],
serial1 = $_POST['serial1'],
product2 = $_POST['product2'],
serial2 = $_POST['serial2'],
product3 = $_POST['product3'],
serial3 = $_POST['serial3']
WHERE usr=$_POST['username']
However you should always clean for sql injection on any user entered data. I did not do this in the example as this is something you should do in your own way. This example is given to you as an example and does not prevent any kind of sql injection as it stands now.
ALWAYS DO WHAT YOU CAN TO PREVENT SQL INJECTION!