Updating rows in a mysql table

anthonyw17
Forum Newbie
Posts: 1
Joined: Sat Jan 19, 2013 2:28 am

Updating rows in a mysql table

Post by anthonyw17 »

Hey, I'm trying to update the rows PassWord, email, Age in my membersys table of my MySQL database. With the code I'm using, it's only saving the age and nothing else.

Also, the new info is coming from a form using the POST method.

<?php
session_start();

$con = mysql_connect("localhost","MyUser","MySecretPass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("membersys", $con);

$ui = $_POST['username'];
$pi = $_POST['password'];
$ei = $_POST['email'];
$ag = $_POST['age'];
$user =  $_SESSION['UserName'];

mysql_query("UPDATE Member SET PassWord=$ui WHERE UserName='$user'");
mysql_query("UPDATE Member SET email=$ei WHERE UserName='$user'");
mysql_query("UPDATE Member SET Age=$ag WHERE UserName='$user'");

Header("Location: acc_content.php?account=updated");

mysql_close($con);
?>

Any ideas?

twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Updating rows in a mysql table

Post by twinedev »

Several issues with this code, from "oops" to "better way of doing it" to "security issue!"

1. Why the rows are not updating: You are not wrapping the strings with quotes, so those queries are failing
2. You don't know those queries are failing as you are not checking them
3. You are storing passwords as plain text which is not good at all as many people will use the same password for multiple sites, including the one for their e-mail address you are storing.
4. Your code is wide open for SQL injection.

Never trust anything that is set by the user, which is all of $_POST, $_GET, $_REQUEST, $_COOKIE, and some of $_SERVER (such as $_SERVER['PHP_SELF'], $_SERVER['HTTP_REFERER'], $_SERVER['HTTP_USER_AGENT'], to name a few). All of those variables can be manipulated by the visitor to the site.

When displaying on the page, always wrap with htmlspecialchars($var,ENT_QUOTES)
When putting on the page as part of a URL for an HREF or SRC, wrap with urlencode($var)
When sending to the database, either use PDO or if you are using mysql_ type functions wrap with mysql_real_escape_string($var)

Lastly, you do not need three separate calls to the database, it can be done in one call:

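// One UPDATE for all three columns; every string value is escaped before it goes into the query.
$SQL = sprintf('UPDATE `Member` SET `PassWord`="%s", `email`="%s", `Age`=%d WHERE `UserName`="%s"',
         mysql_real_escape_string($pi),   // $pi is $_POST['password'] ($ui holds the username)
         mysql_real_escape_string($ei),
         (int)$ag,                        // %d plus the cast forces an integer
         mysql_real_escape_string($user)
       );
mysql_query($SQL);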

On top of that, there is error checking that could/should be done (are variables filled out, does the query run), and the password should be hashed in some way (look in the SECURITY section here for many discussions on it).

-Greg
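
The points raised in the reply above (PDO, a single UPDATE, checking that the query ran, hashing the password), put together as an added example that is not part of the original thread. It assumes PHP 5.5+ with pdo_sqlite; an in-memory SQLite database stands in for the MySQL one so it runs offline, and `updateMember()` and the sample values are hypothetical.

```php
<?php
// Added example, not code from the thread.
// Assumption: in-memory SQLite stands in for the MySQL "membersys" database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw

$pdo->exec('CREATE TABLE Member (UserName TEXT PRIMARY KEY, PassWord TEXT, email TEXT, Age INTEGER)');
$pdo->exec("INSERT INTO Member VALUES ('anthony', 'old', 'old@example.com', 20)");

// Hypothetical helper: checks the form fields, hashes the password, updates one row.
function updateMember(PDO $pdo, $user, array $post)
{
    foreach (array('password', 'email', 'age') as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid email address');
    }
    $age = filter_var($post['age'], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 150)));
    if ($age === false) {
        throw new InvalidArgumentException('Invalid age');
    }

    // Placeholders keep the values out of the SQL text, so quotes in them are plain data.
    $stmt = $pdo->prepare(
        'UPDATE Member SET PassWord = :pw, email = :email, Age = :age WHERE UserName = :user');
    $stmt->execute(array(
        ':pw'    => password_hash($post['password'], PASSWORD_DEFAULT), // store a hash, never the plain text
        ':email' => $post['email'],
        ':age'   => $age,
        ':user'  => $user, // in the thread this comes from $_SESSION['UserName']
    ));
    return $stmt->rowCount() === 1; // false when no row matched the user name
}

// Constructed sample input; the quote characters would break an unescaped query string.
$post = array('password' => "pa'ss\"word", 'email' => "o'brien@example.com", 'age' => '31');
var_dump(updateMember($pdo, 'anthony', $post));

$row = $pdo->query("SELECT * FROM Member WHERE UserName = 'anthony'")->fetch(PDO::FETCH_ASSOC);
var_dump($row['email'], (int) $row['Age']);
var_dump(password_verify($post['password'], $row['PassWord'])); // login-side check against the hash
```

For MySQL, only the DSN and credentials passed to `new PDO(...)` change; the prepared statement stays the same.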