<?php
session_start();

if (isset($_POST['userid']) && isset($_POST['password']))
{
    // if the user has just tried to log in
    $userid = $_POST['userid'];
    $password = $_POST['password'];

    $db_conn = new mysqli('localhost', 'user', 'passwd', 'dbname');

    if (mysqli_connect_errno()) {
        echo 'Connection to database failed:'.mysqli_connect_error();
        exit();
    }

    $query = 'select * from users '
           ."where userid like'$userid' "
           ." and password like sha1('$password')";

    $result = $db_conn->query($query);

    if ($result->num_rows >0 )
    {
        // if they are in the database register the user id
        $_SESSION['valid_user'] = $userid;
    }
    $db_conn->close();
}
?>
<?php

$db_conn = new mysqli('localhost', 'user', 'passwd', 'dbname');

if (mysqli_connect_errno()) {
    echo 'Connection to database failed:'.mysqli_connect_error();
    exit();
}

if (isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty($_POST['dob']) || empty($_POST['contact']) || empty($_POST['address']) || empty($_POST['email'])) {
        echo "All records to be filled in";
        exit;
    }
}
$name = $_POST['name'];
$dob = $_POST['dob'];
$contact = $_POST['contact'];
$address = $_POST['address'];
$email = $_POST['email'];

$userid = $_SESSION['valid_user'];
$sql = "UPDATE users SET name=$name, dob=$dob, contact=$contact, address=$address, email=$email
    WHERE userid ='$userid'";
$result = $db_conn->query($sql);
if (!$result)
    echo "Your query failed.";
else
    echo "User Information Updated ";

?>
<meta http-equiv="refresh" content="5;URL=members.php" />

I got "Your query failed." when I run it. Does anyone have any clue why my database doesn't get updated?

I'm pretty sure my sql works. Is there any mistake in my coding?

Niko
  • Did you check the mysql error returned ? – David Ansermot Oct 30 '14 at 09:02
  • Why aren't you using MySQLi prepared statements? – Daniel Gelling Oct 30 '14 at 09:03
  • Try to echo your queries and copy/paste them into your db query tool, you will find what's wrong on your own! And by the way, don't use like without a good reason, use = instead. – Logar Oct 30 '14 at 09:03
  • What debugging have you done? Have you seen what error the query returns? – ʰᵈˑ Oct 30 '14 at 09:03
  • `"UPDATE users SET name='$name', dob='$dob', contact='$contact', address='$address', email='$email' WHERE userid ='$userid'";` (possible target of sql injection) – turtle Oct 30 '14 at 09:06
  • Small note, but including the credentials directly in your code and then pasting them into Stack Overflow are both pretty bad ideas. – Paddy Oct 30 '14 at 09:06
  • I think there is a buggy field, look for some field definition missing the attribute name – Lakhan Oct 30 '14 at 09:15

2 Answers

2

Your query is okay, except that you're not using prepared statements.

The issue lies in your variables. echo them and see what's in them.

Since we don't have access to your database it's hard for us to verify if something else might be wrong with your query. You could for example create an SQL Fiddle.

Something else you should read up on: SQL Injection

Prepared statements look like this:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>
deW1
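The prepared-statement pattern from the answer above, applied to the UPDATE in the question, as an added example that is not part of the original question or answer. The helper `update_profile()` and the environment variable names `DB_HOST`, `DB_USER`, `DB_PASS` and `DB_NAME` are hypothetical; the table and column names are the ones in the question.

```php
<?php
// Added example, not the asker's or answerer's code. update_profile() and
// the DB_* environment variable names are assumptions made for illustration.
session_start();

// Make mysqli throw mysqli_sql_exception instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function update_profile(mysqli $db, string $userid, array $fields): int
{
    // Placeholders keep user input out of the SQL text: the values need no
    // quoting and cannot change the structure of the statement.
    $stmt = $db->prepare(
        'UPDATE users SET name=?, dob=?, contact=?, address=?, email=?
         WHERE userid=?'
    );
    $stmt->bind_param(
        'ssssss',
        $fields['name'], $fields['dob'], $fields['contact'],
        $fields['address'], $fields['email'], $userid
    );
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

if (!isset($_SESSION['valid_user'])) {
    http_response_code(403);
    exit('Not logged in');
}

$fields = [];
foreach (['name', 'dob', 'contact', 'address', 'email'] as $key) {
    if (empty($_POST[$key])) {
        exit('All records to be filled in');
    }
    $fields[$key] = $_POST[$key];
}

try {
    // Credentials are read from the environment, not stored in the source.
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    update_profile($db, $_SESSION['valid_user'], $fields);
    echo 'User Information Updated';
} catch (mysqli_sql_exception $e) {
    error_log('Profile update failed: ' . $e->getMessage()); // detail goes to the log only
    echo 'Your query failed.';
}
```

The server error log then holds the MySQL error text that the comments on the question ask about, while the browser only sees the generic message.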
-1

Looks like your exit statement is wrong..

 if (isset($_POST['submit']))
 {
    if (empty($_POST['name']) || empty($_POST['dob']) || empty($_POST['contact']) || empty($_POST['address']) || empty($_POST['email']))
    {
        echo "All records to be filled in";
        exit; // emphasized in the original answer
    }
 }
deW1