
I am able to retrieve the date of birth from the database and populate it in an option tag after the user has entered the date of birth. However, if the user updates anything else in the form, the option value starts updating the database with the wrong date of birth. It seems that it's counting backwards for some reason. How do I resolve this matter?

```php
if($_POST){
    $dob = date('Y-m-d',strtotime($_POST['year']."-". $_POST['month']."-".$_POST['day']));

    $retur = $userObj->updateProfile($dob);
}
```

```php
public function updateProfile($dob){
    $db = db_mysql::getInstance();
    $qr = $db->query("UPDATE ".USERS." SET dob = $dob WHERE id = '".$udata."'") or die(mysql_error());

    return $udata;
}
```

```html
<label>Date of Birth:</label>
<select style="background-color: #D6CFD4;" name="month">
 <option value="{date('F',strtotime($udata.dob))}">{date('F',strtotime($udata.dob))}</option>
 <option value="01">January</option>
 <option value="02">Febuary</option>
<select style="background-color: #D6CFD4;" name="day">
 <option value="{date('d',strtotime($udata.dob))}">{date('d',strtotime($udata.dob))}</option>
 <option value="01">01</option>
 <option value="02">02</option>
<select style="background-color: #D6CFD4;" name="year">
 <option value="{date('Y',strtotime($udata.dob))}">{date('Y',strtotime($udata.dob))}</option>
 <option value="2012">2012</option>
 <option value="2011">2011</option>
```

Claude Grecea

1 Answer

Your query is not very clear with the data you provided but here goes:

$dob is a string from what I understand, in the format YYYY-MM-DD. updateProfile appears to be OK but I don't know where the $udata comes from. If what you posted is the full function, then $udata is always empty and you return empty back.

As for the template, I don't know how you generate the HTML for the option buttons. It does seem, however, that you could be overwriting existing options, i.e. what if, for the month select, the user is born in February? The first line will be a duplicate of the third:

```html
<option value="{date('F',strtotime($udata.dob))}">{date('F',strtotime($udata.dob))}</option>
<option value="01">January</option>
<option value="02">Febuary</option>
```

A couple of suggestions:

It doesn't appear that you are checking input. No matter how secure you think your app is, there is always someone that might find a way to interfere with it. Using $_POST['year'] etc. without sanitizing them or even casting them as integers is not ideal.

You are not using bound parameters, which is a must to ensure you are not vulnerable to SQL injection attacks. It might be far-fetched, but if somehow updateProfile receives this as $dob:

```php
$dob = "1;DROP users; --"
```

then you are in trouble.

Final suggestion is to check your select statements. I would do this:

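```php
<select style="background-color: #D6CFD4;" name="day">
    <?php
        // Assumes $udata is an array; the question's template writes this as $udata.dob.
        // Computed once, outside the loop.
        $dob_day = (int) date('d', strtotime($udata['dob']));

        for ($i = 1; $i < 32; $i++) {
            // Pre-select the option matching the stored day of birth.
            $selected = ($i == $dob_day) ? " selected='selected'" : '';

            echo "<option value='{$i}'{$selected}>{$i}</option>";
        }
    ?>
</select>
```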

You can repeat the process for the month and the year. This process, though, will not necessarily create a valid date. For instance, what if someone selects 31 for the day and 02 for the month, i.e. February?

Final suggestion is (if possible) to use a datetime control which would effectively do all the hard work for you. All you will have to do is just pass the dob string to it and when the user is updating their dob, it will post back data that your app can easily parse, and more importantly the dates will always be valid i.e. no 31st of February possibility at least from the UI. Example

HTH.

Nikolaos Dimopoulos
  • OP is passing the three parts through strtotime and then reformatting via date(). It's not exactly efficient, but it will produce some kind of legitimate date, even if it's `1970-01-01` because the strtotime barfed and returned a boolean false/zero. – Marc B Sep 07 '12 at 20:01
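
An added example, not code from the question, the answer or the comment: one way to combine the answer's suggestions (check the posted values, use bound parameters) with the invalid-date concern raised above. It assumes PDO instead of the question's `db_mysql` wrapper and a table named `users`; `parseDob` and `updateDob` are hypothetical names, and the in-memory SQLite table and sample inputs are constructed for the demo.

```php
<?php
// Hypothetical helper: build a validated YYYY-MM-DD string from the three
// posted <select> values, or return null if they are not a real date.
function parseDob(array $post): ?string
{
    $p = [];
    foreach (['year', 'month', 'day'] as $key) {
        $value = $post[$key] ?? null;
        // Digits only: rejects arrays, signs and anything like SQL fragments.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 4) {
            return null;
        }
        $p[$key] = (int) $value;
    }
    // checkdate() refuses impossible dates such as 31 February, which
    // strtotime() would roll over or turn into false (1970-01-01).
    if (!checkdate($p['month'], $p['day'], $p['year'])) {
        return null;
    }
    return sprintf('%04d-%02d-%02d', $p['year'], $p['month'], $p['day']);
}

// Hypothetical stand-in for updateProfile(): the date and the user id are
// bound parameters, so neither is ever parsed as SQL text.
function updateDob(PDO $pdo, int $userId, string $dob): void
{
    $stmt = $pdo->prepare('UPDATE users SET dob = :dob WHERE id = :id');
    $stmt->execute([':dob' => $dob, ':id' => $userId]);
}

// Constructed demo data: in-memory SQLite stands in for the MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, dob TEXT)');
$pdo->exec("INSERT INTO users (id, dob) VALUES (7, '1990-01-01')");
$samples = [
    ['year' => '1985', 'month' => '02', 'day' => '14'],             // valid
    ['year' => '1985', 'month' => '02', 'day' => '31'],             // 31 February
    ['year' => '1;DROP users; --', 'month' => '02', 'day' => '14'], // answer's string
];
foreach ($samples as $post) {
    $dob = parseDob($post);
    if ($dob !== null) {
        updateDob($pdo, 7, $dob);
    }
    echo ($dob ?? 'rejected') . ' <= ' . implode('/', $post) . PHP_EOL;
}
echo 'dob in table: ' . $pdo->query('SELECT dob FROM users WHERE id = 7')->fetchColumn() . PHP_EOL;
```

Only the first sample reaches the `UPDATE`; the other two are rejected before any SQL is built, so the stored value is never replaced by a rolled-over or epoch date.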