How to update data in mysql after you logged in

Question

After the person logged in to the session, i want to update his bio. Its a small project for about 20 people so I am not worried about sql injection.

There is two pages, the first being the signup/login. and the other one being the profile. i want to update the bio on the profile page. after i click the update button, it redirects to the correct page but ther is no change in the database.

 //This is the signup server side  

$db = mysqli_connect('localhost', 'root', '', 'pt');

if (isset($_POST['reg_user'])) {
$firstname = mysqli_real_escape_string($db, $_POST['firstname']);
$lastname = mysqli_real_escape_string($db, $_POST['lastname']);
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$password_1 =  $_POST['password_1'];
$password_2 = $_POST['password_2'];
$sex = mysqli_real_escape_string($db, $_POST['sex']);


  if ($sex == "Select Sex:") {
array_push($errors, "select male or female");
  }

 $user_check_query = "SELECT * FROM users WHERE username='$username' OR 
 email='$email' LIMIT 1";
 $result = mysqli_query($db, $user_check_query);
 $user = mysqli_fetch_assoc($result);

 if ($user) {
 if ($user['username'] === $username) {
 array_push($errors, "Username already exists");
}

if ($user['email'] === $email) {
array_push($errors, "email already exists");
}
}

if (count($errors) == 0) {
$password = md5($password_1);

$query = "INSERT INTO users (firstname, lastname, username, email, 
 password, sex, bio)
 VALUES('$firstname', '$lastname','$username', '$email', '$password', 
 '$sex','')";

mysqli_query($db, $query);
$_SESSION['username'] = $username;
header('location: profile.php');
  }
  }

   //here is the code on the profile side.
 ?>
  <?php
  session_start();


 if (isset($_SESSION['username'])) {

if (isset($_POST['update_user'])) {
$bio = mysqli_real_escape_string($db, $_POST['bio']);
$query = "UPDATE users SET bio='$bio' WHERE username=$username";;
      header('location: profileclient.php');
    }
    }
?>
 <form method="post" action="profileclient.php">
 <div class="input-group">
 <input    type="text" name="bio">
 </div>
 <div class="input-group">
 <button type="submit" class="button" name="update_user"> update! 
 </button>
  </div>
 </form>

`Its a small project for about 20 people so I am not worried about sql injection.` Famous last words. Every project tends to grow. And even if it doesn't; most attacks happen from the _inside_. You must *always* use parameterized queries, no exceptions. Even if it's not a targetted attack, you don't wan't your application crashing on someone named `D'Artagnan` — RobIII, Jul 12 '19 at 07:52
_small project for about 20 people so I am not worried about sql injection..._ Would it be okay if you loose the data of even those only 20 users? — B001ᛦ, Jul 12 '19 at 07:53
_how do i execute the data?..._ How are you doing this with your `SELECT` and `INSERT` queries? ;) — B001ᛦ, Jul 12 '19 at 07:57
Your problem is SQL injection. The solution is to use prepared statements. — Dharman, Jul 12 '19 at 08:20

score 0 · Accepted Answer · answered Jul 12 '19 at 10:39

Your code has multiple problems. Let me list them out.

Never store passwords in clear text or using MD5/SHA1! Only store password hashes created using PHP's password_hash(), which you can then verify using password_verify(). Take a look at this post: How to use password_hash and learn more about bcrypt & password hashing in PHP

Warning: You are wide open to SQL Injections and should really use parameterized prepared statements instead of manually building your queries. They are provided by PDO or by MySQLi. Never trust any kind of input, especially that which comes from the client side. Even when your queries are executed only by trusted users, you are still in risk of corrupting your data.

Always exit() after header('Location: ...');

It looks like you have forgot to start your session in the sign-up file. Add session_start().

You need to enable error reporting for mysqli. Use mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

Here is your code fixed:

<?php

session_start();

//This is the signup server side

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = mysqli_connect('localhost', 'root', '', 'pt');

if (isset($_POST['reg_user'])) {
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password_1 = $_POST['password_1'];
    $password_2 = $_POST['password_2'];
    $sex = $_POST['sex'];

    if ($sex == "Select Sex:") {
        array_push($errors, "select male or female");
    }

    $user_check_query = "SELECT * FROM users WHERE username=? OR email=? LIMIT 1";
    $stmt = mysqli_prepare($db, $user_check_query);
    mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
    mysqli_stmt_execute($stmt);
    $result = mysqli_stmt_get_result($stmt);
    $user = mysqli_fetch_assoc($result);

    if ($user) {
        if ($user['username'] === $username) {
            array_push($errors, "Username already exists");
        }

        if ($user['email'] === $email) {
            array_push($errors, "email already exists");
        }
    }

    if (!$errors) {
        $password_hashed = password_hash($password_1, PASSWORD_DEFAULT);

        $query = "INSERT INTO users (firstname, lastname, username, email, password, sex, bio)
            VALUES(?, ?, ?, ?, ?, ?,'')";
        $stmt = mysqli_prepare($db, $query);
        mysqli_stmt_bind_param($stmt, 'ssssss', $firstname, $lastname, $username, $email, $password_hashed, $sex);
        mysqli_stmt_execute($stmt);

        $_SESSION['username'] = $username;
        exit(header('location: profile.php'));
    }
}

//here is the code on the profile side.
?>
<?php
session_start();

if (isset($_SESSION['username'])) {
    if (isset($_POST['update_user'])) {
        $query = "UPDATE users SET bio=? WHERE username=?";
        $stmt = mysqli_prepare($db, $query);
        mysqli_stmt_bind_param($stmt, 'ss', $_POST['bio'], $_SESSION['username']);
        mysqli_stmt_execute($stmt);
        exit(header('location: profileclient.php'));
    }
}
?>
<form method="post" action="profileclient.php">
<div class="input-group">
<input    type="text" name="bio">
</div>
<div class="input-group">
<button type="submit" class="button" name="update_user"> update! 
</button>
</div>
</form>

great thank you. How can I use a login form using prepared statements? — Tiaan, Jul 15 '19 at 13:16

score -1 · Answer 2 · answered Jul 12 '19 at 07:56

-1

Try using 'id' attribute in your input tag alongside the 'name' attribute

answered Jul 12 '19 at 07:56

Ifejesu

1
2

This does not provide an answer to the question. – Dharman Jul 12 '19 at 11:22

score -1 · Answer 3 · answered Jul 12 '19 at 09:01

Try this code in your profile section

<?php
    session_start();
    if (isset($_SESSION['username'])) {
        if (isset($_POST['update_user'])) {
            $bio = mysqli->escape_string($_POST['bio']);
            $query = "UPDATE users SET bio='$bio' WHERE username='$username'" or die(mysqli_error());
            $result = $db->query($query);
            header('location: profileclient.php');
        }
    }
?>

<form method="post" action="profileclient.php">
    <div class="input-group">
        <input    type="text" name="bio" id="name">
    </div>
    <div class="input-group">
        <button type="submit" class="button" name="update_user"> update! </button>
   </div>
</form>

This does not provide an answer to the question and is suggesting incorrect code. — Dharman, Jul 12 '19 at 11:22

How to update data in mysql after you logged in

3 Answers3