My script outputs a MySQL error but only on one form.
I didn't try anything else really. I couldn't get my head around the problem since the connection works fine for signup and login forms.
<?php
//Connection.php
error_reporting(E_PARSE | E_ERROR );
$server = "localhost";
$username ="root";
$password = "";
$db="mydb";
$conn = mysqli_connect($server, $username, $password, $db);
//check connection
if(!$conn){
die("connection failed: " . mysqli_connect_error());
}else{
echo "<script> console.log('connected'); </script>";
}
if($_SESSION['LoggedInEmail']){
session_start();
}
?>
<?php
include('header.php');
include('connection.php');
$name=$surname=$email=$hashedPassword='';
if(session_status() != PHP_SESSION_NONE){
session_start();
$cookieEmail = $_COOKIE['email'];
$query = "SELECT name, surname, password, email FROM users WHERE email = '$cookieEmail'";
$result = mysqli_query($conn, $query);
if(mysqli_num_rows($result) > 0){
while($row = mysqli_fetch_assoc($result)){
$name = $row['name'];
$surname = $row['surname'];
$email = $row['email'];
$hashedPassword = $row['password'];
$_SESSION['LoggedInName']=$name;
$_SESSION['LoggedInSurname']=$surname;
$_SESSION['LoggedInEmail']=$email;
}
}else{
$logginError = "<div class='alert alert-danger'>Wrong username/password combination</div>";
echo "<script> console.log('Wrong username/password combination'); </script>";
}
$tempName=$tempSurname=$tempPassword=$tempNewPass=$updateError='';
if(isset($_POST['update'])){
$tempName = ValiForm($_POST['name']);
$tempSurname = ValiForm($_POST['surname']);
$tempPassword = ValiForm($_POST['password']);
$tempNewPass = ValiForm($_POST['newPassword']);
if($tempName!= '' && $tempSurname!= '' && $tempPassword != '' && $tempNewPass != ''){
if(password_verify($tempPassword, $hashedPassword)){
$tempNewPass = password_hash($tempNewPass, PASSWORD_DEFAULT);
$query = "UPDATE name, surname, email, password SET name='$tempName', surname='$tempSurname', email = '$email', password='$tempNewPass' WHERE email='$email'";
$result = mysql_query($conn,$query);
if(mysqli_query($conn, $result)){
echo "<div class='alert alert-success'>New record in database</div>";
header("Location: index.php");
echo "<script> console.log(' combination'); </script>";
}else{
echo "Error: ". $query . "<br>" . mysqli_error($conn);
echo "<script> console.log('Wrong username/password combination'); </script>";
}
}else{
echo "<script> console.log('Wrong username/password combination'); </script>";
}
}else{
echo "<script> console.log('Wrong username/password combination'); </script>";
}
}
}else{
session_destroy();
header('Location: '. 'index.php');
die();
}
?>
I get this error outputted from echo "Error: ". $query . "<br>" . mysqli_error($conn);:
Error: UPDATE name, surname, email, password SET name='Henrique123', surname='Araujo123', email = 'forthelolz@outlook.pt', password='$2y$10$SvAjR91lC0FPxkrzRf7LuOK3I66WftiAK1iCW7c0yWFjETlCfoCc6' WHERE email='forthelolz@outlook.pt'
Your syntax for the UPDATE is wrong.
$query = "UPDATE name, surname, email, password SET name='$tempName', surname='$tempSurname', email = '$email', password='$tempNewPass' WHERE email='$email'";
It should be like:
$query = "UPDATE table_name SET column1='value1', column2='value2' WHERE columnX='valueX'";
For the code you provided the query would look like this:
$query = "UPDATE users SET name='$tempName', surname='$tempSurname', password='$tempNewPass' WHERE email='$email'";
You have another flaw in your code when testing if the update-query was successful.
$result = mysql_query($conn,$query);
if(mysqli_query($conn, $result)){
Should be something like:
$result = mysqli_query($conn, $query);
if ($result) {
Notice: As noted in the comments... your code is vulnerable. You should really read about SQL-injections and how to prevent them!