PHP, MySQL Update Table

Question

I've tried to setup a script that when a form submits information to the PHP file, it will update the MySQL table. But I've tried to make it not update the database if the Post is blank/null. But it's not updating the table.

<?php
$name = $_POST['name'];
$email = $_POST['email'];
$password = $_POST['password'];
$nickname = $_POST['nickname'];
$user = $_POST['user'];

$enc_pass = md5($password);

$con=mysqli_connect("","","","");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
if (!isset($name)){
mysqli_query($con,'UPDATE members SET name="$name"
WHERE username="$user"');
}
if(!$email == ""){
mysqli_query($con,'UPDATE members SET username="$email"
WHERE username="$user"');
}
if(!$password == ""){
mysqli_query($con,'UPDATE members SET password="$enc_pass"
WHERE username="$user"');
}
if(!$nickname == ""){
mysqli_query($con,'UPDATE members SET nickname="$nickname"
WHERE username="$user"');
}
mysqli_close($con);
?>

I've removed the MySQL credentials for safety. Can anyone help me with this?

Regards TameTimmah

You are not doing any error checking so you will never know if one of your queries fails. See e.g. [Catching Mysqli Errors](http://stackoverflow.com/q/19193911) — Pekka, Jan 31 '14 at 21:19
Also I hope you aren't serious about using MD5 for the passwords. — Idris, Jan 31 '14 at 21:21
You have to check if the form was submitted if(isset($_POST['submit'])){ REST OF YOUR CODE HERE }; — Ant, Jan 31 '14 at 21:23
Food for thought: The code you're using; `md5` is old and you may (eventually) get hacked. You really need to use prepared statements with this. [**Read this**](http://stackoverflow.com/q/60174/1415724) and [**this too**](https://www.owasp.org/index.php/Top_10_2013-Top_10) — Funk Forty Niner, Jan 31 '14 at 22:26

score 3 · Accepted Answer · answered Jan 31 '14 at 21:27

I think some of your logic is incorrect. For example:

if (!isset($name)) {
    mysqli_query($con,'UPDATE members SET name="$name" WHERE username="$user"');
}

That's saying "if $name isn't set to anything, update the name in the database". $name is always going to be set to something, because you're initialising it at the beginning. I think what you need is more along the lines of:

if ($name != '')) {
    mysqli_query($con,'UPDATE members SET name="$name" WHERE username="$user"');
}

However, bear in mind that you aren't validating the POSTed data, so you're pront to SQL injection attacks. Always treat submitted data as untrustworthy and cleanse it before doing anything in the database, e.g.:

$name = mysqli_real_escape_string($_POST['name'];

score 1 · Answer 2 · answered Jan 31 '14 at 21:23

your code is much wrong , but i corrected some . try this

   if (isset($name) and $name != ''){
       mysqli_query($con,'UPDATE members SET name="'.$name.'"
                          WHERE username="'.$user.'"');
                    }
   if($email != ""){
       mysqli_query($con,'UPDATE members SET username="'.$email.'"
                          WHERE username="'.$user.'"');
                   }
   if($password != ""){
       mysqli_query($con,'UPDATE members SET password="'.$enc_pass.'"
                          WHERE username="'.$user.'"');
                   }
   if($nickname != ""){
       mysqli_query($con,'UPDATE members SET nickname="'.$nickname.'"
                          WHERE username="'.$user.'"');
                   }

PHP, MySQL Update Table

2 Answers2