
I'm trying to make a page so users can update their username, email, and password. I have written this script, but I'm not sure whether it should work or not. When I click update it doesn't make any changes to the account. I'm not sure what the problem is. I left the HTML out.

<?php
session_start();
require 'core/init.php';
$uname = $_GET['username'];
$username = $_SESSION['username'];
if(isset($_POST['update'])) {
    $uname = $_GET['username'];
    if(!empty($_POST['username'])) {
        $updateuname = $db->prepare("UPDATE users SET username = :username WHERE username='".$uname."'");
        $updateuname->bindValue(':username', $_POST['username'], PDO::PARAM_STR);
        $updateuname->execute();
        if(!empty($_POST['email'])) {
            $updateemail = $db->prepare("UPDATE users SET email = :email WHERE username='".$uname."'");
            $updateemail->bindValue(':email', $_POST['email'], PDO::PARAM_STR);
            $updateemail->execute();
            if(!empty($_POST['password'])) {
                if(empty($_POST['password_c'])) {
                    echo 'You must enter your password in both boxes!';
                } else {
                    if($_POST['password'] == $_POST['password_c']) {
                        $updatepassword = $db->prepare("UPDATE users SET password = :password WHERE username='".$uname."'");
                        $updatepassword->bindValue(':password', $_POST['password'], PDO::PARAM_STR);
                        $updatepassword->execute();
                    } else {
                        echo 'Passwords did not match';
                    }
                }
            }
        }
    }
    echo 'Details updated!';
}
?>
Shad
  • possible duplicate of [How to squeeze error message out of PDO?](http://stackoverflow.com/questions/3726505/how-to-squeeze-error-message-out-of-pdo) – Pekka Jan 25 '14 at 02:43
  • Are you using GET or POST to get the variables?? – dev7 Jan 25 '14 at 02:44
  • 4
    The code doesn't make sense to me: you have a `$_GET["uname"]` and a `$_POST["uname"]` at the same time? Really? (Also both values should be bound, not concatenated into the string, that is a SQL injection vulnerability) – Pekka Jan 25 '14 at 02:45
  • 3
    Honestly... you use prepared statements with placeholders, and then **STILL** directly insert user-provided data, so still leaving you with a gaping-wide open [SQL injection attack](http://bobby-tables.com) vector? That is utterly **WRONG** – Marc B Jan 25 '14 at 02:49
  • 1
    Not to mention storing passwords in plain text (*tsk tsk*). This is totally going "against the grain" of what security should be. – Funk Forty Niner Jan 25 '14 at 02:54
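The comments above identify the two security defects in the posted script: the account name from the query string is concatenated straight into the `WHERE` clause, and the password is stored in plain text. The following is an added example of how the same update handler can be written without those problems; it is not the question's code and not from any answer. It assumes, as the original does, that `core/init.php` provides `$db` as a PDO connection and that a `users` table with `username`, `email` and `password` columns exists; it further assumes `$db` is configured with `PDO::ERRMODE_EXCEPTION` (without it, a failed statement reports nothing, which is what the linked duplicate is about), that the `password` column is wide enough for a `password_hash()` result, and that the login page stores the user's name in `$_SESSION['username']`. It takes the account to modify from the session rather than from `$_GET['username']`, because a user-controlled URL parameter lets any logged-in user change any other account, and because a missing parameter silently matches no rows.

```php
<?php
// Added example (not the question's code): a hardened account-update handler.
// Assumptions: core/init.php gives us $db (PDO, ERRMODE_EXCEPTION), the `users`
// table has username/email/password columns (password >= 255 chars for the hash),
// and the login code stores the logged-in name in $_SESSION['username'].
session_start();
require 'core/init.php';

if (!isset($_SESSION['username'])) {
    http_response_code(403);
    exit('Not logged in');
}

// Identify the account from the session, never from a user-controlled GET parameter.
$currentUser = $_SESSION['username'];
$messages = [];

if (isset($_POST['update'])) {
    try {
        $db->beginTransaction();

        // Each field is updated independently, so leaving one box blank does not
        // block the others (in the original, email and password sit inside the
        // username branch and are skipped whenever the username box is empty).
        if (!empty($_POST['email'])) {
            if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
                throw new InvalidArgumentException('Invalid email address');
            }
            // The WHERE value is bound as well; nothing from the request is
            // concatenated into the SQL string.
            $stmt = $db->prepare('UPDATE users SET email = :email WHERE username = :current');
            $stmt->execute([':email' => $_POST['email'], ':current' => $currentUser]);
        }

        if (!empty($_POST['password'])) {
            if (empty($_POST['password_c'])) {
                throw new InvalidArgumentException('You must enter your password in both boxes!');
            }
            if (!is_string($_POST['password']) || !is_string($_POST['password_c'])
                || !hash_equals($_POST['password'], $_POST['password_c'])) {
                throw new InvalidArgumentException('Passwords did not match');
            }
            // Store a salted hash, never the plaintext; the login page checks it
            // with password_verify().
            $hash = password_hash($_POST['password'], PASSWORD_DEFAULT);
            $stmt = $db->prepare('UPDATE users SET password = :password WHERE username = :current');
            $stmt->execute([':password' => $hash, ':current' => $currentUser]);
        }

        // Username last, because the updates above key on the old name.
        if (!empty($_POST['username']) && $_POST['username'] !== $currentUser) {
            $newName = $_POST['username'];
            if (!is_string($newName) || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $newName)) {
                throw new InvalidArgumentException('Username may only contain letters, digits and _');
            }
            $stmt = $db->prepare('UPDATE users SET username = :new WHERE username = :current');
            $stmt->execute([':new' => $newName, ':current' => $currentUser]);
            if ($stmt->rowCount() !== 1) {
                throw new RuntimeException('Account not found');
            }
            // Keep the session in step with the database, otherwise the next
            // request looks the account up under the old name.
            $_SESSION['username'] = $currentUser = $newName;
        }

        $db->commit();
        $messages[] = 'Details updated!';
    } catch (InvalidArgumentException $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        $messages[] = $e->getMessage();
    } catch (Exception $e) {
        // Covers PDOException and RuntimeException: log the real reason server-side,
        // show the user only a generic message so database details are not leaked.
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        error_log('Account update failed: ' . $e->getMessage());
        $messages[] = 'Update failed, please try again.';
    }
}

foreach ($messages as $m) {
    // Escape before echoing so a message cannot inject HTML into the page.
    echo htmlspecialchars($m, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

Because every value, including the one in the `WHERE` clause, goes through `bindValue()`/`execute()` parameters, the query text never contains request data; the transaction means a failed step (for example a duplicate username) leaves the row unchanged rather than half-updated; and with exceptions enabled a statement that affects no rows or fails outright is reported instead of being followed by an unconditional "Details updated!".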
