
I am building a page where an admin user can update a client's information. I first query the customer information and display it in a text field. Then I can enter in whatever new information I want for that client. When I execute the update command in SQL, it brings me to the page that says the update was successful, but when I look back in the database, the customer information has not changed.

Edit-client.php (page that displays customer information)

```php
<?php

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//define username variable and sanitize
$username = clean($_POST['username']);

//Run query for selected user and store in an array
$result = mysql_query("select * from members where username='".$username."'");
$row = mysql_fetch_array($result);

//display all clients information in a form to edit
echo '<h1>'.$username.'</h1>';
echo '<form name="update-client" action="update-client.php" />';
echo '<table>';
echo '<tr><td>';
echo '<input type="hidden" name="member_id" value="'.$row['member_id'].'"';
echo '</td></tr>';
echo '<tr><td>';
echo 'Username: <input name="username" type="text" value="'.$username.'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Password: <input name="password" type="text" value="'.$row['password'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Business Name: <input name="bizname" type="text" value="'.$row['bizname'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Phone: <input name="phone" type="text" value="'.$row['phone'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Email: <input name="email" type="text" value="'.$row['email'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Website Address: <input name="url" type="text" value="'.$row['url'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Contact: <input name="contact" type="text" value="'.$row['contact'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Notes: <input name="notes" type="text" value="'.$row['notes'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo 'Sales Representative: <input name="sales_rep" type="text" value="'.$row['sales_rep'].'" />';
echo '</td></tr>';
echo '<tr><td>';
echo '<input name="submit" type="submit" value="Edit" />';
echo '</td></tr>';
echo '</table>';
echo '</form>';

?>
```

update-client.php

```php
<?php

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}

//define variables
$member_id = $_POST['member_id'];
$username = $_POST['username'];
$password = $_POST['password'];
$bizname = $_POST['bizname'];
$phone = $_POST['phone'];
$email = $_POST['email'];
$url = $_POST['url'];
$contact = $_POST['contact'];
$notes = $_POST['notes'];
$sales_rep = $_POST['sales_rep'];
$member_type = $_POST['member_type'];

//encrypt the password
$password = md5($password);

//Check for duplicate username
if($username != '') {
    $qry_uname = "SELECT * FROM members WHERE username='".$username."'";
    $result = mysql_query($qry_uname);
    if($result) {
        if(mysql_num_rows($result) > 0) {
            $errmsg_arr[] = 'Username already in use';
            $errflag = true;
        }
        @mysql_free_result($result);
    }
    else {
        die("Query failed1");
    }
}

//update customers information
$qry = "update members set username='".$username."',password='".$password."',bizname='".$bizname."',phone='".$phone."',email='".$email."',url='".$url."',contact='".$contact."',notes='".$notes."',sales_rep='".$sales_rep."',member_type='".$member_type."' where member_id='".$member_id."'";

//Check whether the query was successful or not
/*if(mysql_query($qry)) {
    header("location: update-success.php");
    exit();
    }
else {
    die("Query failed2");
    }*/

echo $qry;

?>
```

Is there a problem with my code? I am using an Apache server.

ZeLoubs
  • First off, your clean function is terrifying. (See http://stackoverflow.com/a/7810880/362536) It will work for you in this context, but be careful with it. I strongly recommend using prepared queries. Second, don't hide errors with `@`. – Brad Jun 19 '12 at 20:34
  • Welcome to SO. Please use appropriate tag. `sql` tag should be `mysql` tag. Please keep this in mind for next time. Enjoy time on SO. – Fahim Parkar Jun 19 '12 at 20:46
  • echo $qry returns: update members set username='',password='d41d8cd98f00b204e9800998ecf8427e',bizname='',phone='',email='',url='',contact='',notes='',sales_rep='',member_type='' where member_id='' – ZeLoubs Jun 19 '12 at 20:48
  • I'm not sure. I enter text into each field but it doesn't seem to recognize it except the password field – ZeLoubs Jun 19 '12 at 20:52
  • @ZeLoubs : What does clean() do?? Could you please remove clean from `clean($_POST['_______']);` – Fahim Parkar Jun 19 '12 at 20:58
  • @FahimParkar, I removed the clean() on each variable and I am still getting the same results – ZeLoubs Jun 19 '12 at 21:03
  • @ZeLoubs : last try : Can you echo all variables BEFORE `$password = md5($password);` and let me know what you get there?? `echo $member_id` – Fahim Parkar Jun 19 '12 at 21:04
  • Nothing displays when I echo all variables... – ZeLoubs Jun 19 '12 at 21:10
  • @ZeLoubs : something is ODD. I can't smell right now.. my EYES are YAWNING. Sleep time... – Fahim Parkar Jun 19 '12 at 21:19
  • @FahimParkar: well thanks for your help anyway – ZeLoubs Jun 19 '12 at 21:25

1 Answer


//Check for duplicate username

Check with username and an ID, because username already exists if not changed.
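
The answer's suggestion, as an added example that is not part of the original question or answer: the duplicate-username check excludes the row being edited, and bound parameters (the prepared queries recommended in the comments) replace string concatenation. The SQLite in-memory table, the reduced column set and the `update_member` helper are assumptions made so the script runs stand-alone; a real page would pass `$_POST` from a form submitted with `method="post"`.

```php
<?php
// Added example. SQLite in-memory stands in for the MySQL `members` table,
// and the rows below are constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (member_id INTEGER PRIMARY KEY,
            username TEXT, bizname TEXT, phone TEXT)');
$pdo->exec("INSERT INTO members VALUES (1, 'acme', 'Acme Ltd', '555-0100'),
            (2, 'globex', 'Globex', '555-0101')");

// Hypothetical helper: returns a list of error messages, empty on success.
function update_member(PDO $pdo, array $in): array
{
    // Reject absent fields instead of writing '' into every column, which is
    // what happens when the expected POST keys never arrive.
    foreach (['member_id', 'username', 'bizname', 'phone'] as $key) {
        if (!isset($in[$key]) || !is_string($in[$key])) {
            return ["Missing field: $key"];
        }
    }
    if (!ctype_digit($in['member_id']) || trim($in['username']) === '') {
        return ['Invalid member_id or username'];
    }

    // Duplicate check that ignores the row being edited, so an unchanged
    // username does not collide with itself.
    $dup = $pdo->prepare(
        'SELECT COUNT(*) FROM members WHERE username = ? AND member_id <> ?');
    $dup->execute([$in['username'], $in['member_id']]);
    if ((int) $dup->fetchColumn() > 0) {
        return ['Username already in use'];
    }

    // Values travel as bound parameters, never as part of the SQL text.
    $upd = $pdo->prepare(
        'UPDATE members SET username = ?, bizname = ?, phone = ? WHERE member_id = ?');
    $upd->execute([$in['username'], $in['bizname'], $in['phone'], $in['member_id']]);
    return [];
}

// Constructed inputs standing in for $_POST.
$edit = ['member_id' => '1', 'username' => 'acme',
         'bizname' => "O'Brien & Sons", 'phone' => '555-0199'];
var_dump(update_member($pdo, []));                                // empty submission
var_dump(update_member($pdo, $edit));                             // username unchanged
var_dump(update_member($pdo, ['username' => 'globex'] + $edit));  // name taken by member 2
var_dump($pdo->query('SELECT * FROM members WHERE member_id = 1')
             ->fetch(PDO::FETCH_ASSOC));
```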