0

I am trying to show user information using a small PHP script, called myinfo.php. The relevant part of which is shown below:

    while($return = mysql_fetch_assoc($result)) {
    echo "<form action=UpdateInfo.php method=post>";
    echo "<p id=greeting> Hi ".$return['FirstName'].", below is all of your personal information: </p>";
    echo '<p> First Name: <input type="text" name="firstname" value= "'.$return['FirstName'].'"/></p>';
    echo '<p> Surname: <input type="text" name="surname" value= "'.$return['Surname'].'" /></p>';
    echo '<p> House Number: <input type="number" name="housenumber" value= "'.$return['HouseNumber'].'"/></p>';
    echo '<p> Address Line One: <input type=text name="addressone" value= "'.$return['AddressLineOne'].'" /></p>';
    echo '<p> Address Line Two: <input type=text name="addresstwo" value= "'.$return['AddressLineTwo'].'" /></p>';
    echo '<p> County: <input type=text name="county" value= "'.$return['County'].'" /></p>';
    echo '<p> Phone Number: <input type=number name="phonenumber" value= "' .$return['PhoneNumber'].'" /></p>';
    echo '<p> Email: <input type=email name="email" value= "'.$return['Email'].'" /></p>';
    echo '<p> Username: <input type=text name="username" value= "'.$return['Username'].'" /></p>';
    echo '<p> Password: <input type=password name="password" value= "'.$return['Password'].'" /></p>';
    echo '<p> User Type: <input type="text" name="usertype" value= "'.$return['UserType'].'" /></p>';
    echo '<input id="submit" type="submit" value="Update Info" />';
    echo "</form>";
}

The input values are all pre filled with the users own information so the user can edit the input values and then click on the "update info" submit button in order to update his/her info. Once this button is clicked the user is sent to the "updateinfo.php" page where they have to confirm the change in information and are shown the changes they are about to make, as shown below:

    echo '<p id="confirmation">Are you sure you wish to make the following changes to your personal information?</p>';
    echo '<form action="CompleteUpdate.php" method="post">';   
    echo "<p>First Name: " . $_POST["firstname"] . "</p>";
    echo "<p>Surname: " . $_POST["surname"] . "</p>";
    echo "<p>House Number: " . $_POST["housenumber"] . "</p>";
    echo "<p>Address Line One: " . $_POST["addressone"] . "</p>";
    echo "<p>Address Line Two: " . $_POST["addresstwo"] . "</p>";
    echo "<p>County: " . $_POST["county"] . "</p>";
    echo "<p>Phone Number: " . $_POST["phonenumber"] . "</p>";
    echo "<p>Email: " . $_POST["email"] . "</p>";
    echo "<p>Username: " . $_POST["username"] . "</p>";
    echo "<p>Password: " . $_POST["password"] . "</p>";
    echo "<p>Usertype: " . $_POST["usertype"] . "</p>";
    echo '<input id="submit" type="submit" value="Update Info" /></form>';
    echo '<form action="CancelUpdate.php"><input id="submit" type="submit" value="Cancel" /></form>';

Here the user now clicks the "update info" button or decides to cancel the update. If the update info button is clicked the following PHP script is invoked:

    $sql=("UPDATE completeinfo SET FirstName='$_POST[firstname]', Surname='$_POST[surname]', AddressLineOne='$_POST[addresslineone]', AddressLineTwo='$_POST[addresslinetwo]', County='$_POST[county]', Email='$_POST[email]', Username='$_POST[username]', Password=SHA1('$_POST[password]'), UserType='$_POST[usertype]' WHERE Username='".$_SESSION['username']."'");

The problem I am having is that the update query instead of replacing the old values with the new ones, represented by the $_POST values, it now leaves them completely blank. The query knows exactly where to edit in my database so I must presume the "where" clause is working but for some reason $_POST is not fetching the correct values in the query, even though it works perfectly well in the previous PHP scripts. Any ideas how to solve this problem would be greatly appreciated. Thanks

user3298004
  • 185
  • 2
  • 3
  • 10

2 Answers2

1

First of all, you should avoid using mysql_ functions (instead, see PDO or mysqli)
This way, you will be able to secure your queries.

Anyway, your query here should look like this:

$sql = "UPDATE completeinfo SET FirstName='".$_POST['firstname']."',
        Surname='".$_POST['surname']."', AddressLineOne='".$_POST['addresslineone']."',
        AddressLineTwo='".$_POST['addresslinetwo']."', County='".$_POST['county']."',
        Email='".$_POST['email']."', Username='".$_POST['username']."',
        Password=SHA1('".$_POST['password']."'), UserType='".$_POST['usertype']."'
        WHERE Username='".$_SESSION['username']."'";

Don't go crazy with single/double quotes. It's only a good way to concatenate

Also, on updateinfo.php, don't display POST data like you do. Instead, store them in input fields (type hidden). This way, data will be send to the page where you're executing sql query

Justin Iurman
  • 18,954
  • 3
  • 35
  • 54
1

On UpdateInfo.php page you are creating an empty form with just send button. Echoing $_post values to the page is not enough to pass the values to the next step which is CompleteUpdate.php. You need either create hidden field for each value (filled up with current value) or you could use readonly textfields filled up with current values (then you don't have to echo values separately)

user3324951
  • 11
  • 1
  • could you explain your comment please, I thought on the UpdateInfo.php page I created two forms. I know one of which is empty and is just a button but as this button cancels the update operation that is all that is needed. The other form which passes the values to CompleteUpdate.php is not empty is it? Unless I have made a mistake and made it so. Thanks for the help as I'm new to PHP. – user3298004 Feb 18 '14 at 19:45