
I'm at this all day and have a feeling it may be something very simple. I am trying to give my users the option to update some of the entries in their user profile, without having to fill in everything every time.

I'll post my code below but basically I am getting NO response at the minute.

My HTML form is as follows;

```html
<table width="500" border="0" cellpadding="3" cellspacing="1">
    <tr>
        <form method="post" action="edit.php">
            <div data-role="fieldcontain">
                <td width="200">Name:</td>
                <td width="450"><input type="text" name="inputName" value="" /> </td>
    </tr>
    <tr>
        <td width="200">Password:</td>
        <td width="450"><input type="password" name="inputPassword" value="" /></td>
    </tr>
    <tr>
        <td width="200">Date of Birth:</td>
        <td width="450"><input type="date" name="inputDOB" value="" /></td>
    </tr>
    <tr>
        <td width="200">Core Competencies:</td>
        <td width="450">
            <input type="checkbox" name="coreComp[]" value="Honesty" />Honesty<br />
            <input type="checkbox" name="coreComp[]" value="Loyalty" />Loyalty<br />
            <input type="checkbox" name="coreComp[]" value="Trust" />Trust<br />
            <input type="checkbox" name="coreComp[]" value="Empathy" />Empathy<br />
            <input type="checkbox" name="coreComp[]" value="Respect" />Respect</td>
    </tr>
    <tr>
        <td colspan="2">
            <button data-theme="b" id="submit" type="submit">Submit</button>
        </td>
    </tr>
    <tr>
        <td colspan="2">
            <h3 id="notification"></h3>
        </td>
        </div>
        </form>
    </tr>
</table>
```

And my PHP currently looks like this;

```php
<?php

session_start();
include 'includes/Connect.php';

$name = $_POST['inputName'];
$password = $_POST['inputPassword'];
$dob = $_POST['inputDOB'];
$aCC = implode( ',' , $_POST['coreComp'] );

$encrypt_password=md5($password);
$username=$_SESSION['myusername'];

if(!empty($name))
{
    mysql_query("UPDATE Profile SET `Name`='$name' WHERE Username='$username'" or die(mysql_error());
    echo("You have successfully updated your Name");
}
if(!empty($password))
{
    mysql_query("UPDATE Profile SET Password='$encrypt_password' WHERE Username='$username'" or die(mysql_error());
    echo("You have successfully updated your Password");
}
if(!empty($dob))
{
    mysql_query("UPDATE Profile SET DOB='$dob' WHERE Username='$username'" or die(mysql_error());
    echo("You have successfully updated your Date of Birth");
}
if(!empty($aCC))
{
    mysql_query("UPDATE Profile SET CC='$aCC' WHERE Username='$username'" or die(mysql_error());
    echo("You have successfully updated your Core Values");
}

mysql_close();

?>
```
elixenide
Phughes
  • I'm assuming `Connect.php` has your DB info. Make sure that they're correct – Idris Feb 26 '14 at 17:37
  • And also for the passwords, `MD5` isn't a good choice anymore. Read about it here http://stackoverflow.com/questions/770900/is-md5-less-secure-than-sha-et-al-in-a-practical-sense – Idris Feb 26 '14 at 17:38
  • Yes the Connect.php has all connection information and is working. – Phughes Feb 26 '14 at 17:40
  • Define *"I am getting NO response at the minute"* – Funk Forty Niner Feb 26 '14 at 17:42
  • **The mysql_* functions are deprecated, and you are wide open to SQL injection. You need to use MySQLi or PDO and use prepared statements.** Also, your HTML has all sorts of problems, like a `div` and a `form` that start inside one `tr` and end in another. This isn't why your code fails, but I would strongly suggest cleaning up your code. – elixenide Feb 26 '14 at 17:43

1 Answer


You have a series of syntax errors. This is incorrect, because it is missing a `)`:

```php
mysql_query("UPDATE Profile SET `Name`='$name' WHERE Username='$username'" or die(mysql_error());
```

You need to close the parenthesis (`)`) after the query string, but before `or die...`:

```php
mysql_query("UPDATE Profile SET `Name`='$name' WHERE Username='$username'") or die(mysql_error());
```

Corrected code:

```php
if(!empty($name))
{
    mysql_query("UPDATE Profile SET `Name`='$name' WHERE Username='$username'") or die(mysql_error());
    echo("You have successfully updated your Name");
}
if(!empty($password))
{
    mysql_query("UPDATE Profile SET Password='$encrypt_password' WHERE Username='$username'") or die(mysql_error());
    echo("You have successfully updated your Password");
}
if(!empty($dob))
{
    mysql_query("UPDATE Profile SET DOB='$dob' WHERE Username='$username'") or die(mysql_error());
    echo("You have successfully updated your Date of Birth");
}
if(!empty($aCC))
{
    mysql_query("UPDATE Profile SET CC='$aCC' WHERE Username='$username'") or die(mysql_error());
    echo("You have successfully updated your Core Values");
}
```

Also, as I pointed out in the comments above, the `mysql_*` functions are deprecated, and you are wide open to SQL injection. You need to use MySQLi or PDO and use prepared statements. Your HTML also has all sorts of problems, like a `div` and a `form` that start inside one `tr` and end in another. This isn't why your code fails, but I would strongly suggest cleaning up your code.

elixenide
  • Thank you Ed. I knew it was something so simple but I was looking at it too long to notice. And thanks for all the advice too. I will sort all that out. – Phughes Feb 26 '14 at 17:50
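
The prepared-statement and password-hashing advice from the answer and comments, shown as an added example that is not code from the question or the answer. It reuses the form field names and the `Profile` columns from the question; the function name `updateProfile`, the SQLite demo database and the sample values are assumptions, and in the real page the username would come from `$_SESSION['myusername']`.

```php
<?php
// Added example. Assumes PDO is available and that Profile.Password is wide
// enough for a password_hash() result (60+ characters).
const ALLOWED_CC = ['Honesty', 'Loyalty', 'Trust', 'Empathy', 'Respect'];

function updateProfile(PDO $pdo, string $username, array $post): array
{
    $set = []; // column => value; column names are fixed literals, never user input
    if (($post['inputName'] ?? '') !== '') {
        $set['Name'] = $post['inputName'];
    }
    if (($post['inputPassword'] ?? '') !== '') {
        // Salted, deliberately slow hash instead of md5()
        $set['Password'] = password_hash($post['inputPassword'], PASSWORD_DEFAULT);
    }
    // Accept the date only if it round-trips as a real YYYY-MM-DD value
    $rawDob = $post['inputDOB'] ?? '';
    $dob = DateTime::createFromFormat('!Y-m-d', $rawDob);
    if ($dob !== false && $dob->format('Y-m-d') === $rawDob) {
        $set['DOB'] = $rawDob;
    }
    // Keep only the checkbox values the form actually offers
    $cc = array_filter((array)($post['coreComp'] ?? []), 'is_string');
    $cc = array_intersect($cc, ALLOWED_CC);
    if ($cc) {
        $set['CC'] = implode(',', $cc);
    }
    if (!$set) {
        return []; // nothing submitted, nothing to update
    }
    // One UPDATE for all submitted fields; every value is a bound parameter
    $assignments = implode(', ', array_map(function ($col) {
        return "`$col` = ?";
    }, array_keys($set)));
    $stmt = $pdo->prepare("UPDATE Profile SET $assignments WHERE Username = ?");
    $stmt->execute(array_merge(array_values($set), [$username]));
    return array_keys($set); // names of the columns that were changed
}

// Constructed demo on an in-memory SQLite database (needs the pdo_sqlite extension)
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Profile (Username TEXT, Name TEXT, Password TEXT, DOB TEXT, CC TEXT)");
$pdo->exec("INSERT INTO Profile (Username) VALUES ('alice')");
// The quote in the name and the unlisted checkbox value are handled safely
$post = ['inputName' => "O'Brien", 'inputPassword' => 's3cret', 'coreComp' => ['Trust', 'bogus']];
echo implode(',', updateProfile($pdo, 'alice', $post)), "\n";
```

On login, compare the submitted password with `password_verify()` against the stored hash rather than re-hashing and comparing strings.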