
I need some help with the code for updating the "Email" column in my database. The ID column is "UserID" and the Email column is "Email".

<form method="POST" action="Index.php" name="UpdateEmail"><div class="input-group">
<?php
if(isset($_POST['submit'])){

    $Email = $_POST['Email'];
    $EmailID = $_POST['IDhiddenField'];

    mysql_query("UPDATE user SET UserID=$EmailID, Email=$Email WHERE UserID=$EmailID, Email=$Email");

?>
<?php } ?>

  <input class="form-control" placeholder="Enter Email Address Here to Update" type="email" name="Email" required>
  <span class="input-group-btn">
    <button class="btn btn-default" type="submit">Update Email</button>
    <input name="IDhiddenField" type="hidden" id="IDhiddenField" value="<?php
$my_id = $_SESSION['user_id'];
$id = getuser($my_id, 'UserID');
echo "$id";
?>">
  </span>
</div>
  <input type="hidden" name="MM_update" value="UpdateEmail">
</form>
  • Welcome to SO. What is your concrete question? BTW your code is extremely vulnerable to SQL injections. Try to use PDO. – B001ᛦ Apr 24 '15 at 16:07
  • Please, [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement) instead, and use [PDO](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Apr 24 '15 at 16:08
  • If you are going to update the rows with the exact same values that match the conditions, you don't need to bother to do anything :-) Apart from that, you should really switch to PDO or mysql and prepared statements to close the SQL injection hole you have now. – jeroen Apr 24 '15 at 16:09
  • Nothing will fire up inside your conditional statement; there's a reason. Plus, you're not checking for obvious syntax errors. – Funk Forty Niner Apr 24 '15 at 16:15
  • @Fred-ii- I didn't even get that far :-) – jeroen Apr 24 '15 at 16:17
  • @jeroen that's usually the first thing I look at, when it comes to conditionals ;-) – Funk Forty Niner Apr 24 '15 at 16:18
  • @Fred-ii- The SQL already stuck out like a sore thumb for me... – jeroen Apr 24 '15 at 16:20
  • @jeroen same here. So many syntax errors. I could easily use that to stitch up my torn-up jeans with! Plus, not to mention whether or not they've started the session. I'm not touching this one. I've better things to use my 10-foot pole with. – Funk Forty Niner Apr 24 '15 at 16:21
  • @jeroen what does Marc call this type of code again? Cargo something? lol – Funk Forty Niner Apr 24 '15 at 16:25
  • @Fred-ii- Hmmmmm, doesn't ring a bell, the same Marc of *enjoy having your server pwned*? – jeroen Apr 24 '15 at 16:27
  • @jeroen yep the same Marc. *Cargo cult programming* as he calls it. So many unknowns in this question, it's making my pitbull frown and wanting to run away. Ok, I don't have one, but if I did, he would. ;-) – Funk Forty Niner Apr 24 '15 at 16:29
  • @Fred-ii- Pretty cool description, I wonder if it actually means anything as well :-) – jeroen Apr 24 '15 at 16:32
  • @jeroen I think I know what he means by that. Something along the lines of: if one gathers all sorts of crazy people around a circle of fire, they're bound to cause trouble in thinking they will achieve the same goal; being trouble while going nowhere. Something along those lines lol *least, that's my take on it.* - I guess it takes one Canuck to figure out another Canuck's thinking. – Funk Forty Niner Apr 24 '15 at 16:35

1 Answer

As they said, you should use PDO; here is a class you can use to do it: http://pastebin.com/bJcth8rz

You have to make a myPDO.include.php where you set the configuration of your database, and include it on each page.

<?php
require_once 'myPDO.include.php'; // the configured myPDO class from the link above

// Named placeholders: the values travel separately from the SQL text,
// so nothing the user types can change the statement itself.
$statement = $myPDO::getInstance()->prepare(<<<SQL
    UPDATE user SET Email=:email WHERE UserID=:userID
SQL
);

$email = $_POST['Email'];

$statement->execute(array(":email"  => $email,
                          ":userID" => getuser($_SESSION['user_id'], 'UserID')));

This query will do what you want, BUT:

Be sure you start your session:

session_start();

When you use sessions, you will have access to the value on other pages; you don't have to pass it through your form with a hidden input, which can be manipulated by the users!

By the way, I don't understand why you have an email_ID field. To my mind, your table should be composed of:

User
idUser (int)
Email (varchar)
...

But I can't see how an email ID can be useful here.

xNeyte
  • this still won't fire up; look at OP's code again *very carefully*. – Funk Forty Niner Apr 24 '15 at 16:17
  • By the way, the OP would need `":userID" => getuser($_SESSION['user_id'], 'UserID')` if he ever gets to that line. – jeroen Apr 24 '15 at 16:25
  • Yeah indeed, but I can't get why the id stored in the $_SESSION isn't the real userID? – xNeyte Apr 24 '15 at 16:34
  • do you know what a conditional statement does and what a POST array looks for? well, have a look at their code again, and *very carefully* as I previously stated ;-) Plus, we don't even know which MySQL API the OP is actually using to connect with, or whether the OP even knows what to do with your answer. It's the method to use for sure and safer, but I highly doubt the OP knows what to use to connect with it. – Funk Forty Niner Apr 24 '15 at 16:39
  • Well, I added the myPDO class to my post. Mmh, I guess I don't know what a POST array looks like, I just know how to access the data. :– xNeyte Apr 24 '15 at 16:50
  • Inspect/analyze this `if(isset($_POST['submit']))` – Funk Forty Niner Apr 24 '15 at 16:59
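The hardened version of the OP's update, as an added example that is not code from the question or from xNeyte's answer. It puts together the three points raised in the thread: a PDO prepared statement with bound parameters instead of string interpolation, the user id taken from the session instead of the `IDhiddenField` input, and a POST check that actually fires (the OP's button has no `name="submit"`, so `isset($_POST['submit'])` is never true; the `MM_update` hidden field the form already sends is used instead). So that it runs offline with `php update_email_example.php`, the MySQL connection is replaced by an in-memory SQLite database with two constructed rows; the `sqlite::memory:` DSN, the sample rows and the `connect()` / `emailOf()` helpers are assumptions of this example, while `myPDO::getInstance()`, `getuser()`, `user`, `UserID` and `Email` are the names used in the thread.

```php
<?php
// Added example, not code from the question or from xNeyte's answer.
// Assumption: pdo_sqlite is enabled (the PHP default) so the demo at the
// bottom runs without a MySQL server. In Index.php only the handler block
// and updateEmail() are needed, with the PDO handle coming from myPDO.
declare(strict_types=1);

function connect(): PDO
{
    // Assumption: SQLite stands in for the OP's MySQL database. With a MySQL
    // DSN also pass PDO::ATTR_EMULATE_PREPARES => false so the server, not
    // the client library, does the parameter binding.
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // no silent failures
    ]);
    $pdo->exec('CREATE TABLE user (UserID INTEGER PRIMARY KEY, Email TEXT NOT NULL)');
    // Constructed sample rows, not real data.
    $pdo->exec("INSERT INTO user (UserID, Email) VALUES (1, 'alice@example.com'), (2, 'bob@example.com')");
    return $pdo;
}

// Update one user's e-mail. $userId must come from the server-side session
// (mapped through the OP's getuser() helper if the session does not hold the
// UserID directly), never from a hidden input the browser can edit.
// Returns the number of rows changed: 0 means there is no such UserID.
function updateEmail(PDO $pdo, int $userId, string $email): int
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException("not a valid e-mail address: $email");
    }
    // The SQL text contains no user data. :email and :userID are sent
    // separately, so quotes or SQL keywords in $email are just characters.
    $stmt = $pdo->prepare('UPDATE user SET Email = :email WHERE UserID = :userID');
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':userID', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Read-back helper for the demonstration (assumed, not from the thread).
function emailOf(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT Email FROM user WHERE UserID = :userID');
    $stmt->execute([':userID' => $userId]);
    $email = $stmt->fetchColumn();
    return $email === false ? null : $email;
}

// Handler for the OP's form when this file is served as Index.php.
// isset($_POST['submit']) never fires because the button has no name;
// keying on the MM_update field the form already sends does.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
    && ($_POST['MM_update'] ?? '') === 'UpdateEmail') {
    session_start();                       // before any $_SESSION access
    if (!isset($_SESSION['user_id'])) {
        http_response_code(403);
        exit('not logged in');
    }
    require_once 'myPDO.include.php';      // assumed: the class from the answer
    $pdo = myPDO::getInstance();
    // Assumption: the session holds the UserID; otherwise map it here with
    // the OP's getuser($_SESSION['user_id'], 'UserID').
    $changed = updateEmail($pdo, (int) $_SESSION['user_id'], (string) ($_POST['Email'] ?? ''));
    exit($changed === 1 ? 'Email updated' : 'No row updated');
}

// --- Offline demonstration (reached only from the CLI) ---------------------
$pdo = connect();

// Normal case: user 1 changes her own address.
updateEmail($pdo, 1, 'alice.new@example.com');
echo "user 1: ", emailOf($pdo, 1), "\n";

// A quote is legal in an e-mail local part. Interpolated into the OP's query
// string it would have broken or altered the SQL; as a bound value it is data
// and only the targeted row changes.
updateEmail($pdo, 2, "o'brien@example.com");
echo "user 2: ", emailOf($pdo, 2), "\n";
echo "user 1 still: ", emailOf($pdo, 1), "\n";

// A classic injection payload is rejected by validation before it reaches the
// database; even if it got through, the bound parameter would store it literally.
try {
    updateEmail($pdo, 1, "x@example.com' OR '1'='1");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Unknown UserID: zero rows changed, no exception.
echo "rows changed for UserID 99: ", updateEmail($pdo, 99, 'nobody@example.com'), "\n";
```

The rowCount() return value is worth checking in the real handler: with the id coming from the session, 0 rows means the session points at a user that no longer exists, which is a bug or a stale session rather than something to silently ignore.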