1

I'm sorry to ask such a narrow question, but I have this code in PHP and it is supposed to update a user's account. There is no error being returned and my IDE cannot identify the problem either. The problem is now that the code is not updating the database. I hope I can get some help on the subject.

Here is my PHP code:

<?php

    session_start();

    $con = mysqli_connect("mysql.serversfree.com", "u190182631_embo", "17011998embo", "u190182631_login");

    $username = $_POST['user_name']; 
    $last = $_POST['lname'];
    $first = $_POST['fname'];
    $address = $_POST['address'];
    $email = $_POST['email'];
    $year = $_POST['year'];

    if ($_SERVER["REQUEST_METHOD"] == "POST") {
        if (mysqli_connect_errno()) {
            echo "Failed to connect to MySQL: " . mysqli_connect_error();
        }

        mysqli_query($con,"UPDATE users SET last_name = '$last' 
        WHERE user_name = $_SESSION[user_name]");
        mysqli_close($con);
    }   
?>

And my HTML form, if that is needed:

<form method="post" action="update.php">
     Username: <input type="text" name="user_name" value="<?php echo $_SESSION['user_name']?>"><br><br>
     Email: <input type="text" name="email" value="<?php echo $_SESSION['user_email']?>"><br><br>
     Last Name: <input type="text" name="lname" value="<?php echo $_SESSION['last_name']?>"><br><br>
     First Name: <input type="text" name="fname" value="<?php echo $_SESSION['first_name']?>"><br><br>
     Street Address: <input type="text" name="address" value="<?php echo $_SESSION['address']?>"><br><br>
     Year Graduated: <input type="text" name="year" value="<?php echo $_SESSION['year']?>"><br><br>
     <input type="submit" value="Update Information"><br>
 </form>
 <form method="link" action="manage.php">
         <input type = "submit" value = "Cancel"><br> 
 </form>

Any help would be great!

Ahmed Siouani
  • Change `user_name = $_SESSION[user_name]` to `user_name = '$_SESSION[user_name]'` or `user_name = '$_SESSION['user_name']'` (if anything) --- missing quotes. – Funk Forty Niner Dec 26 '13 at 22:02
  • Your code is vulnerable to SQL injection - consider revising it. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 –  Dec 26 '13 at 22:02
  • How are you checking? Sometimes the database write happens and the person doesn't check properly. – Dan Bracuk Dec 26 '13 at 22:02
  • @Fred-ii-, would the missing quotes not throw an error? The question states that none is thrown. – Dan Bracuk Dec 26 '13 at 22:03
  • It would if the OP would be checking for it. Is only using error reporting on DB connection. @DanBracuk – Funk Forty Niner Dec 26 '13 at 22:04
  • @Fred-ii- yes that does return an error, the entire thing is already encased in quotes, adding those quotes throws back unexpected T_ENCAPSED_AND_WHITESPACE –  Dec 26 '13 at 22:05
  • I don't work with php, but in ColdFusion and .net, unhandled database errors cause loud noises and billowing smoke. – Dan Bracuk Dec 26 '13 at 22:06
  • Then either try my suggestion or Tareq's answer below. @picardisbetterthankirk which stands to work. – Funk Forty Niner Dec 26 '13 at 22:06
  • Is `session_start();` inside your form also? And you should make it a habit to close with semi-colons, as in `` etc. – Funk Forty Niner Dec 26 '13 at 22:10
  • @Fred-ii- I tried what you suggested and it throws back Unknown column 'admin' in 'where clause'. –  Dec 26 '13 at 22:12
  • Make your life easier and your code more secure: http://stackoverflow.com/questions/728229/parameters-in-mysqli –  Dec 26 '13 at 22:13
  • Well, it's a start. At least it's now looking for something that doesn't exist. You need to start using `var_dump();` on your elements. I.e.: `var_dump($_SESSION);` and `var_dump($_SESSION['user_name']);` etc. – Funk Forty Niner Dec 26 '13 at 22:15
  • And if you were logged in as `admin` (which kind of makes sense) then that too is a start to pinpoint "WHY" it's looking for that. – Funk Forty Niner Dec 26 '13 at 22:18
  • I'm sorry, I'm new to PHP, what is var_dump()? –  Dec 26 '13 at 22:20
  • var_dump — Dumps information about a variable. It's an invaluable tool in PHP => http://www.php.net/var_dump @picardisbetterthankirk – Funk Forty Niner Dec 27 '13 at 00:01
  • By the way, I tested your code, and all you needed to do was to add `$_SESSION['user_name'] = $_POST['user_name'];` on top of `$username = $_POST['user_name'];` which worked for me. Yet, you found your solution, and that's what counts. ;-) @picardisbetterthankirk – Funk Forty Niner Dec 27 '13 at 00:15

4 Answers

1

Try this - it will also help against SQL injection attacks:

session_start(); // needed so that $_SESSION['user_name'] is available

$db = new mysqli("mysql.serversfree.com", "u190182631_embo", "17011998embo", "u190182631_login");

$username = $_POST['user_name'];
$last = $_POST['lname'];
$first = $_POST['fname'];
$address = $_POST['address'];
$email = $_POST['email'];
$year = $_POST['year'];


if ($_SERVER["REQUEST_METHOD"] == "POST")
{
    if (mysqli_connect_errno())
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();
    }

    // The ? placeholders keep the values out of the SQL text
    $stmt = $db->prepare("UPDATE users SET last_name = ? WHERE user_name = ?");
    // "ss": both bound parameters are strings
    $stmt->bind_param("ss", $last, $_SESSION['user_name']);
    $stmt->execute();
    $stmt->close();
}
  • Thanks but, it doesn't help... But, I do appreciate the clarification on prepared statements, I'm new to PHP and prepared statements have confused me for a while. –  Dec 26 '13 at 22:39
  • 1
    Never mind, I messed up your code (I put "s" instead of "ss"). Thank you sooo much for your help. You saved me so much work. –  Dec 26 '13 at 22:51
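The three forms of the query discussed in this thread, side by side, as an added example that is not code from the question or any answer. It assumes PDO with an in-memory SQLite database in place of the mysqli connection so that it runs without a server; the table layout, the sample rows and the helper names `tryRaw` and `updateLastName` are constructed for the demonstration. The same prepare/bind/execute pattern applies to mysqli.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the MySQL server.
// Table layout and sample rows are constructed for this demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly

$pdo->exec("CREATE TABLE users (user_name TEXT PRIMARY KEY, last_name TEXT)");
$pdo->exec("INSERT INTO users VALUES ('admin', 'Old'), ('guest', 'Old')");

// Stand-ins for $_SESSION['user_name'] and $_POST['lname'].
$sessionUser = 'admin';
$last        = "O'Brien"; // a legitimate value that contains a quote

// Runs an interpolated query and reports what the database said.
function tryRaw(PDO $pdo, string $sql): string {
    try {
        return 'ok, rows changed: ' . $pdo->exec($sql);
    } catch (PDOException $e) {
        return 'error: ' . $e->getMessage();
    }
}

// 1. Unquoted value, as in the question: admin is parsed as a column name.
echo tryRaw($pdo, "UPDATE users SET last_name = 'Smith' WHERE user_name = $sessionUser"), "\n";

// 2. Quoted by hand: works until the data itself contains a quote.
echo tryRaw($pdo, "UPDATE users SET last_name = '$last' WHERE user_name = '$sessionUser'"), "\n";

// 3. Prepared statement: values travel as data and are never parsed as SQL.
function updateLastName(PDO $pdo, string $user, string $last): int {
    $stmt = $pdo->prepare('UPDATE users SET last_name = ? WHERE user_name = ?');
    $stmt->execute([$last, $user]);
    return $stmt->rowCount(); // 0 means no row matched the WHERE clause
}

echo 'prepared, rows changed: ', updateLastName($pdo, $sessionUser, $last), "\n";
echo 'unknown user, rows changed: ', updateLastName($pdo, 'nobody', $last), "\n";

// Confirm what was actually stored.
$row = $pdo->query("SELECT last_name FROM users WHERE user_name = 'admin'")
           ->fetch(PDO::FETCH_ASSOC);
echo 'stored: ', $row['last_name'], "\n";
```

Checking the affected-row count separates "the query failed" from "the query ran but matched no row", which is the distinction the comments above were trying to establish.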
1

The big problem here is that you don't know how to debug the problem yourself, nor what information to include in a request for help.

> There is no error being returned

How do you know? You don't check for any error from the query. Consider:

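// Build the query in a variable so it can be printed if it fails
$upd="UPDATE users SET last_name = '$last' 
    WHERE user_name = $_SESSION[user_name]";
if (!mysqli_query($con,$upd)) {
   // mysqli_error() needs the connection handle in procedural style
   print "query failed: $upd \n\n<br />" . mysqli_error($con);
}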

You've shown a fragment of the code used to generate the form - but not what actually got sent to the browser.

As Fred -ii- says, it seems very strange that $_SESSION[user_name] is not quoted in your SQL.

symcbean
  • If you read on in the comments, you would have seen that I did append my code to include mysqli_error(). Even though I am fairly new to PHP, I did spend the better part of half a day trying to figure out the problem and troubleshoot myself... –  Dec 26 '13 at 22:40
  • 1
    @picardisbetterthankirk - You need to be patient with those giving you help as I can guarantee they are being patient with you. –  Dec 26 '13 at 22:44
  • I'm sorry, I really did not mean that in a negative tone, I am thankful for all the help I can get, I'm just a bit exasperated is all... –  Dec 26 '13 at 22:46
  • The OP just needed to add `$_SESSION['user_name'] = $_POST['user_name'];` --- Thanks for the mention btw, cheers. @symcbean – Funk Forty Niner Dec 27 '13 at 00:16
0

Try this:

mysqli_query($con,"UPDATE users SET last_name = '$last' WHERE user_name = '{$_SESSION['user_name']}'");
Tariq Albajjali
0

Update this line of code:

mysqli_query($con,"UPDATE users SET last_name = '$last' 
WHERE user_name = $_SESSION[user_name]");

with the new one:

mysqli_query($con,"UPDATE users SET last_name = '$last' 
WHERE user_name = $_SESSION['user_name']");

Hope it will work!

Funk Forty Niner
Asraful Haque
  • Sorry, returns error. if you already have quotes around the query, you don't need quotes around user_name. –  Dec 26 '13 at 22:35