
I'm trying to make a profile page with a few related blanks, e.g. username, city, country and address. Currently I'm only working on the username. My question is, how do I update the username in the database according to the logged-in user's ID? For starters, I have an ID column for every user, their first name, last name, and email. Currently the WHERE clause in my query says WHERE id = 1, and that is why it stores whatever username I input in row 1. I want to know how I can store the username according to the logged-in user's ID. And yes, only a logged-in user can access the profile page I'm working on.

This is my action.php:

<?php
session_start(); //---> start session
require('db.php');
ini_set('display_errors', 1);
ini_set('log_errors', 1);
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$con = mysqli_connect('localhost', 'id1753243_venom', 'roushan123', 'id1753243_gameware_01');
if(!$con)
{
    echo 'Not connected to the server';
    exit; //---> nothing below can work without a connection
}

$id = $_SESSION['id'];
$insert = false; //---> defined up front so the check below never reads an undefined variable

if(isset($_POST['username']))
{
    $username = $_POST['username'];
    // WHERE clause as posted (the part the comments below discuss)
    $sql = "UPDATE users SET username='".mysqli_real_escape_string($con,$username)."' WHERE id = '.$id.'";
    $insert = mysqli_query($con,$sql);
    $_SESSION['username'] = $username; //---> this will store username into session variable
}

if(!$insert)
{
    echo 'Not inserted';
}
else
{
    echo 'Inserted';
}
header("refresh:2; url=user.php");
?>

The above WHERE clause doesn't seem to work either. I'm hoping someone here can help me solve my problem, as it's really important for me to do so. Thanks in advance!

  • Take a closer look at `'.$id.'"`. – Qirel Jul 01 '17 at 14:00
  • You're already using an API that supports **prepared statements** with bounded variable input, you should utilize parameterized queries with placeholders (prepared statements) to protect your database against [SQL-injection](http://stackoverflow.com/q/60174/)! Get started with [`mysqli::prepare()`](http://php.net/mysqli.prepare) and [`mysqli_stmt::bind_param()`](http://php.net/mysqli-stmt.bind-param). – Qirel Jul 01 '17 at 14:01
  • Or (edit:And): Use prepared statements to actually prevent these and similar errors, for example: https://stackoverflow.com/q/18316501/367456 which in the answer also shows how to do proper error checking if a query fails. - the overall flow logic in your code is OK, it's just the way you write it it is hard to debug and prone to errors. – hakre Jul 01 '17 at 14:01
  • id = '".$id."' Still wouldn't work @Qirel – Roushan Drifter Jul 01 '17 at 14:06
  • @RoushanDrifter You misunderstood my comment. `WHERE id = '.$id.'"` is what you currently have, and that's wrong - it's not concatenated, so those dots are excessive. It should be `WHERE id = '$id'"`. (Or even without single quotes if it's an integer.) But that problem would be solved anyway if you're using prepared statements. – Qirel Jul 01 '17 at 14:09
  • That being said, it still doesn't update the username field according to the user ID.. – Roushan Drifter Jul 01 '17 at 14:26
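The prepared-statement version the comments recommend, as an added example that is not the asker's code: the username and the session id are bound as parameters, so neither the broken concatenation nor SQL injection can occur, and `affected_rows` tells you whether the session id actually matched a row. It assumes `$con` is the mysqli connection the question's script opens, that login stored the numeric user id in `$_SESSION['id']`, and a hypothetical `login.php` to redirect to.

```php
<?php
// Added example, not the original action.php. Assumes $con is the mysqli
// connection opened as in the question, and that login put the user's
// numeric id into $_SESSION['id'].
session_start();
require 'db.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// The row to update comes only from the session, never from the request,
// so a user cannot choose another user's id by tampering with the form.
if (empty($_SESSION['id'])) {
    header('Location: login.php'); // hypothetical login page
    exit;
}
$id = (int) $_SESSION['id'];

if (isset($_POST['username'])) {
    $username = trim($_POST['username']);

    // Reject empty or oversized input before touching the database.
    if ($username === '' || strlen($username) > 50) {
        echo 'Invalid username';
        exit;
    }

    // "?" placeholders replace the quoted, concatenated values, so the
    // WHERE id = '.$id.' mistake cannot happen and input is never parsed as SQL.
    $stmt = mysqli_prepare($con, 'UPDATE users SET username = ? WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'si', $username, $id); // s = string, i = integer
    mysqli_stmt_execute($stmt);

    // affected_rows is 1 when the session id matched a row and the value changed;
    // 0 means no such id, or the username was already set to this value.
    if (mysqli_stmt_affected_rows($stmt) === 1) {
        $_SESSION['username'] = $username;
        echo 'Updated';
    } else {
        echo 'No row updated (unknown id or unchanged username)';
    }
    mysqli_stmt_close($stmt);
}

header('refresh:2; url=user.php');
```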
