
I don't know what is wrong with this. There's no error, but the update query is not working. I don't know if it's the latest code or old code. Please tell me how I can fix this. Thanks, here's the code. The first code is the server.php.

Here's the structure:

    <?php 

        session_start();

         $username = "";
         $password = "";
         $lastname = "";
         $firstname = "";
         $id = 0;
         $edit_state = false;


        //connect to the database
        $db = mysqli_connect('localhost', 'root', '', 'login');

        // button is clicked
        if (isset($_POST['save'])) {
            $username = $_POST['text_username'];
            $password = $_POST['text_password'];
            $lastname = $_POST['text_lastname'];
            $firstname = $_POST['text_firstname'];
            //adding data in to database
            $query = "INSERT INTO users (username, password, lastname, firstname) values ('$username', '$password', '$lastname', '$firstname')";
            mysqli_query($db, $query);
            $_SESSION['msg'] = "Account Saved!";
            header('location: acc-settings.php');
        }


        //update records in the database
        if (isset($_POST['update'])) {
            $username = mysqli_real_escape_string($_POST['text_username']);
            $password = mysqli_real_escape_string($_POST['password']);
            $lastname = mysqli_real_escape_string($_POST['lastname']);
            $firstname = mysqli_real_escape_string($_POST['firstname']);
            $id = mysqli_real_escape_string($_POST['id']);

            mysqli_query($db, "UPDATE users SET username = '$username', password = '$password', lastname = '$lastname', firstname = '$firstname' where id='$id'");
            $_SESSION['msg'] = "Account Updated!";
            header('location: acc-settings.php');
        }
        //retrieve records
        $results = mysqli_query($db, "SELECT * FROM users"); ?>

This is the acc-settings.php:

    <?php include 'server.php';

        //fetching the record
        if (isset($_GET['edit'])) {
            $id = $_GET['edit'];

            $rec = mysqli_query($db, "SELECT * FROM users where id=$id");
            $record = mysqli_fetch_array($rec);
            $username = $record['username'];
            $password = $record['password'];
            $lastname = $record['lastname'];
            $firstname = $record['firstname'];
            $id = $record['id'];
        }

             ?>

    <!DOCTYPE html>
    <html>
    <head>
        <title>Account Settings</title>
        <link rel="stylesheet" type="text/css" href="css/acc-style.css">
    </head>
    <body>

            <?php if (isset($_SESSION['msg'])): ?>
            <div class="msg">
                <?php 
                echo $_SESSION['msg']; 
                unset($_SESSION['msg']);
                 ?>
            </div>

            <?php endif ?>
    <table>
        <thead>
            <tr>
                <th>Username</th>
                <th>Password</th>
                <th>Lastname</th>
                <th>Firstname</th>

                <th colspan="2">Action</th>
            </tr>
        </thead>
        <tbody>
            <?php while ($row = mysqli_fetch_array($results)) { ?>
                    <tr>
                    <td><?php echo $row['username']; ?></td>
                    <td><?php echo $row['password']; ?></td>
                    <td><?php echo $row['lastname']; ?></td>
                    <td><?php echo $row['firstname']; ?></td>
                    <td>
                        <a href="acc-settings.php?edit=<?php echo $row['id']; ?>">Edit</a>
                    </td>
                    <td>
                        <a href="#">Delete</a>
                    </td>
                    </tr>
            <?php } ?>



     </tbody>
   </table>
   <form method="post" action="#">
    <input type="hidden" name="text_id" value="<?php echo $id; ?>">
    <div class="input-group">
        <label>Username</label>
        <input type="text" name="text_username" value="<?php echo 
   $username; ?>">
    </div>
    <div class="input-group">
        <label>Password</label>
        <input type="text" name="text_password" value="<?php echo 
    $password; ?>">
    </div>
    <div class="input-group">
        <label>Lastname</label>
        <input type="text" name="text_lastname" value="<?php echo 
    $lastname; ?>">
    </div>
    <div class="input-group">
        <label>Firstname</label>
        <input type="text" name="text_firstname" value="<?php echo 
    $firstname; ?>">
    </div>
    <div class="input-group">
    <?php if ($edit_state == true): ?>
        <button type="submit" name="save" class="btn">Save</button>
    <?php else: ?>
        <button type="submit" name="update" class="btn">Update</button>
    <?php endif ?>
    </div>
 </form>

 </body>
 </html>

Please tell me what is wrong with this code :( If the problem is not understandable, please comment below. Thank you so much!

RiggsFolly
Dave
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Jul 29 '17 at 19:36
  • Add a check on the update statement. There should be an error – Rotimi Jul 29 '17 at 19:38
  • @RiggsFolly how can I apply that code in my code? ;( – Dave Jul 29 '17 at 19:40
  • @Akintunde I already checked it in w3schools but it's correct. I don't know what's wrong – Dave Jul 29 '17 at 19:41
  • The where clause in the update query has the id in quotes, but it is an integer. Cast the variable to integer (you really should use parameterized queries instead) and remove the quotes. Not sure if that is the issue, but it's an issue. If the update is well formed but the where clause results in no records updated, it is not an error that would be reported by the database. – RichGoldMD Jul 29 '17 at 19:41
  • _how can I apply that code in my code?_ By reading the pages linked to in my comment – RiggsFolly Jul 29 '17 at 19:43
  • You should be using $_POST['text_id'], not $_POST['id'] – RichGoldMD Jul 29 '17 at 19:43

1 Answer

I see a mismatch between the names of the form inputs and the $_POST keys. For example:

    <input type="hidden" name="text_id" value="<?php echo $id; ?>">

`name="text_id"`, but `$_POST['id']` is used, not `$_POST['text_id']`.

Many other fields have the same problem.

Ivan Bolnikh
  • I'm sorry, but I forgot to change it, but I know that syntax. But it's not working either... :( – Dave Jul 29 '17 at 19:45
  • Wait, what is the right syntax for that? The name of the textbox or the row in my database? Thank you :) – Dave Jul 29 '17 at 19:54
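
The points raised in the comments and the answer (prepared statements, `$_POST` keys that match the form's `name` attributes, an integer `id`, and a check on the update result), combined into one added example that is not the asker's or any commenter's code. Table, column, form-field names and connection values are taken from the question; `update_user` and `find_user` are hypothetical helper names, and `mysqli_stmt_get_result` assumes PHP is built with mysqlnd.

```php
<?php
// Added example, not the asker's code; update_user/find_user are hypothetical names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // SQL errors throw
session_start();
$db = mysqli_connect('localhost', 'root', '', 'login');

// Returns the number of rows the UPDATE changed.
function update_user(mysqli $db, array $post): int
{
    // Keys must equal the form's name="..." attributes: text_id, not id.
    $id = filter_var($post['text_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return 0; // missing or non-numeric id: nothing to update
    }
    $username  = $post['text_username']  ?? '';
    $password  = $post['text_password']  ?? '';
    $lastname  = $post['text_lastname']  ?? '';
    $firstname = $post['text_firstname'] ?? '';
    $stmt = mysqli_prepare($db,
        'UPDATE users SET username = ?, password = ?, lastname = ?, firstname = ? WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'ssssi', $username, $password, $lastname, $firstname, $id);
    mysqli_stmt_execute($stmt);
    $changed = mysqli_stmt_affected_rows($stmt); // 0: unknown id or same values
    mysqli_stmt_close($stmt);
    return $changed;
}

// For the ?edit=<id> link: returns the row, or null if the id is not found.
function find_user(mysqli $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = mysqli_prepare($db,
        'SELECT id, username, password, lastname, firstname FROM users WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'i', $id);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // requires mysqlnd
    mysqli_stmt_close($stmt);
    return $row ?: null;
}

if (isset($_POST['update'])) {
    $changed = update_user($db, $_POST);
    $_SESSION['msg'] = $changed > 0 ? 'Account Updated!' : 'No record was changed.';
    header('Location: acc-settings.php');
    exit;
}
```

In acc-settings.php, `find_user($db, $_GET['edit'])` would take the place of the string-built `SELECT ... where id=$id` query.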