Trying to update the logged-in user's details using a form. The details are already in the form when the page loads, so if the user wants to change their mobile number, for example, they delete the current number, insert the new number and click update.

I get this message when I click update: "Unknown column 'Adrian93' in 'where clause'". Adrian93 is the username.

<?php
require('dbConnection.php');
require('checklogin.php');

if(isset($_POST['update']))
{
    $firstName = $_POST['firstName'];
    $lastName = $_POST['lastName'];
    $DOB = $_POST['dob'];
    $natInsNo = $_POST['natInsNo'];
    $address = $_POST['address'];
    $email = $_POST['email'];
    $mobile = $_POST['mobile'];
    $password = $_POST['password'];

    $query = "UPDATE users SET firstName='$firstName', lastName='$lastName', DOB='$DOB', natInsNo='$natInsNo', address='$address', email='$email', mobile='$mobile', password='$password' WHERE username = {$_SESSION['username']}";

    $results = mysqli_query($conn, $query) or die (mysqli_error($conn));

}



?>
  • See also [SQL injection / prepared statements](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php/60496#60496) – Pinke Helga Mar 30 '19 at 14:39
  • Probably has to do with your squiggly brackets. I'd set `$username = $_SESSION['username']` before your query, then just do `WHERE username='$username'`. Also be careful of SQL injection; I'd use prepared statements in your case, as you're taking form inputs and directly placing them in your query. – Ralph Mar 30 '19 at 14:40
  • Prepared parameterized statements will set quotes automatically. So this can be handled as duplicate. – Pinke Helga Mar 30 '19 at 14:41
  • Possible duplicate of [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Pinke Helga Mar 30 '19 at 14:42

1 Answer

Ralph's comment "Probably has to do with your squiggly brackets. I'd set `$username = $_SESSION['username']` before your query, then just do `WHERE username='$username'`. Also be careful of SQL injection; I'd use prepared statements in your case, as you're taking form inputs and directly placing them in your query" solved the query. Runs now without any errors.

<?php
require('dbConnection.php'); // provides $conn, as in the question
require('checklogin.php');

if(isset($_POST['update']))
{
    $firstName = $_POST['firstName'];
    $lastName = $_POST['lastName'];
    $DOB = $_POST['dob'];
    $natInsNo = $_POST['natInsNo'];
    $address = $_POST['address'];
    $email = $_POST['email'];
    $mobile = $_POST['mobile'];
    $password = $_POST['password'];
    $username = $_SESSION['username'];

    // Quoting '$username' makes MySQL read it as a string value, not a column name
    $query = "UPDATE users SET firstName='$firstName', lastName='$lastName', DOB='$DOB', natInsNo='$natInsNo', address='$address', email='$email', mobile='$mobile', password='$password' WHERE username = '$username'";

    $results = mysqli_query($conn, $query) or die (mysqli_error($conn));
}
?>
marc_s
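
The prepared-statement approach that the comments recommend, shown as an added example that is not part of the original question or answer. It assumes `dbConnection.php` defines the mysqli connection `$conn` and `checklogin.php` starts the session; the helper name `updateUserDetails` is hypothetical, and the password hashing assumes the login code verifies with `password_verify()`.

```php
<?php
// Added example, not the poster's code. Assumes dbConnection.php defines the
// mysqli connection $conn and checklogin.php starts the session.
require('dbConnection.php');
require('checklogin.php');

// Throw exceptions on SQL errors instead of echoing mysqli_error() to the browser.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Update one user's details with bound parameters.
 * Returns the number of rows changed (0 if the values were already stored).
 */
function updateUserDetails(mysqli $conn, string $username, array $form): int
{
    $fields = ['firstName', 'lastName', 'dob', 'natInsNo',
               'address', 'email', 'mobile', 'password'];
    $params = [];
    foreach ($fields as $field) {
        // Reject missing fields and array values such as mobile[]=...
        if (!isset($form[$field]) || !is_string($form[$field])) {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $params[] = $form[$field];
    }
    // Assumption: the login code checks passwords with password_verify(),
    // so the column holds a hash rather than the submitted text.
    $params[7] = password_hash($params[7], PASSWORD_DEFAULT);
    $params[] = $username; // value for the WHERE placeholder

    // Placeholders keep data out of the SQL text, so a value like Adrian93
    // can never be parsed as a column name or as SQL syntax.
    $stmt = $conn->prepare(
        'UPDATE users SET firstName = ?, lastName = ?, DOB = ?, natInsNo = ?,
                address = ?, email = ?, mobile = ?, password = ?
          WHERE username = ?'
    );
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();
    return $changed;
}

if (isset($_POST['update'])) {
    updateUserDetails($conn, $_SESSION['username'], $_POST);
}
```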