I have a user data profile that I want to update when a user has filled out a form. When the update query is run values are being passed to the PHP script but not being changed in the table.
HTML of form:
echo "<br />";
echo "From this page you can change your profile details.";
echo "<br />";
echo "<br />";
echo "<form id='edit' action='../scripts/editscript.php' method='post' accept-charset='UTF-8'>";
echo "<label for='firstname'>First Name:</label>";
echo "<input type='text' id='firstname' name='firstname' />";
echo "<br />";
echo "<label for='lastname'>Last Name:</label>";
echo "<input type='text' id='lastname' name='lastname' />";
echo "<br />";
echo "<label for='username'>User Name:</label>";
echo "<input type='text' id='username' name='username' />";
echo "<br />";
echo "<label for='password'>Password:</label>";
echo "<input type='password' id='password' name='password' />";
echo "<br />";
echo "<label for='passwordconfirm'>Confirm Password:</label>";
echo "<input type='password' id='passwordconfirm' name='passwordconfirm' />";
echo "<br />";
echo "<label for='email'>E-Mail:</label>";
echo "<input type='email' id='email' name='email' />";
echo "<br />";
echo "<label for='like'>Something you like:</label>";
echo "<input type='text' id='like' name='like' />";
echo "<br />";
echo "<label for='dislike'>Something you dislike</label>";
echo "<input type='text' id='dislike' name='dislike' />";
echo "<br />";
echo "<label for='fact'>A fun fact about yourself:</label>";
echo "<input type='text' id='fact' name='fact' />";
echo "<br />";
echo "<label for='allow'>Do you want other people to see parts of your profile:</label>";
echo "<input type='radio' name='allow' value='yes' /> Yes";
echo "<input type='radio' name='allow' value='no' /> No";
echo "<br />";
echo "<br />";
echo "<input type='submit' name='submit' value='Confirm' />";
echo "</form>";
PHP script:
<?PHP
session_start();
$time = time();
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$salt = substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22);
$salt = str_replace("+",".",$salt);
$salt = '$2a$08$' . $salt;
$password = crypt($_POST['password'], $salt);
$email = $_POST['email'];
$like = $_POST['like'];
$dislike = $_POST['dislike'];
$fact = $_POST['fact'];
$allow = $_POST['allow'];
$UID = $_SESSION['user']['UID'];
if ($allow == 'yes') {
$allowvalue = 1;
} else {
$allowvalue = 0;
};
$con = mysqli_connect('localhost','//db_username','//db_pass','//table');
if (mysqli_connect_errno($con)) {
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = "UPDATE users SET firstname = '" . $firstname . "',
lastname = '" . $lastname . "',
username = '" . $username . "',
password = '" . $password . "',
email = '" . $email . "',
like = '" . $like . "',
dislike = '" . $dislike . "',
fact = '" . $fact . "',
allowview = " . $allowvalue . " WHERE UID = " . $UID . "";
mysqli_query($con,$query);
mysqli_close($con);
?>
I really don't get why this isn't going as expected. Any help is appreciated. :)
do a
var_dump($_SESSION['user']['UID']);
most probably the id does not match the id in the db
Prepared statements are not only good for avoiding sql infection but they will also help you organizing your code hence make your code more solid
<?php
session_start();
/*your variables*/
$time = time();
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$salt = substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22);
$salt = str_replace("+",".",$salt);
$salt = '$2a$08$' . $salt;
$password = crypt($_POST['password'], $salt);
$email = $_POST['email'];
$like = $_POST['like'];
$dislike = $_POST['dislike'];
$fact = $_POST['fact'];
$allow = $_POST['allow'];
$UID = $_SESSION['user']['UID'];
if ($allow == 'yes') {
$allowvalue = 1;
} else {
$allowvalue = 0;
};
$mysqli = new mysqli("localhost", "//db_username", "//db_pass", "//table");
/* check connection */
if (mysqli_connect_errno()) {
echo ("Failed to connect to MySQL:: %s
", mysqli_connect_error());
exit();
}
/* Prepare an update statement */
$query = "UPDATE users SET firstname = ?,
lastname = ?,
username = ?,
password = ?,
email = ?,
like = ?,
dislike = ?,
fact = ?,
allowview = ? WHERE UID = ?";
$stmt = $mysqli->prepare($query);
$stmt->bind_param("ssssssssii",$firstname, $lastname, $username, $password, $email,
$like, $dislike, $fact, $allowvalue, $UID);
/* Execute the statement */
$stmt->execute();
/* close connection */
$mysqli->close();
?>
I figured out what it was. One of the columns in my database was 'like'. This is a MySQL keyword so it was messing with my query, thanks for the suggestions anyway :)