Several issues with this code, from "oops" to "better way of doing it" to "security issue!"
1. Why the rows are not updating: You are not wrapping the strings with quotes, so those queries are failing
2. You don't know those queries are failing as you are not checking them
3. You are storing passwords as plain text which is not good at all as many people will use the same password for multiple sites, including the one for their e-mail address you are storing.
4. Your code is wide open for SQL injection.
Never trust anything that is set by the user, which is all of $_POST, $_GET, $_REQUEST, $_COOKIE, and some of $_SERVER (such as $_SERVER['PHP_SELF'], $_SERVER['HTTP_REFERER'], $_SERVER['HTTP_USER_AGENT'] to name a few). All of those variables can be manipulated by the visitor to the site.
When displaying on the page, always wrap with
htmlspecialchars($var,ENT_QUOTES)
When putting on the page as part of a URL for an HREF or SRC, wrap with
urlencode($var)
When sending to the database, either use PDO or, if you are using mysql_ type functions, wrap with
mysql_real_escape_string($var)
Lastly, you do not need three separate calls to the database, it can be done in one call:
$SQL = sprintf('UPDATE `Member` SET `PassWord`="%s", `email`="%s", `Age`=%d WHERE `UserName`="%s"',
mysql_real_escape_string($ui),
mysql_real_escape_string($ei),
(int)$ag,
mysql_real_escape_string($user)
);
mysql_query($SQL);
On top of that, there is error checking that could/should be done (are variables filled out, does the query run), and the password should be hashed in some way (look in the SECURITY section here for many discussions on it).
-Greg
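
The points raised in the post above (PDO instead of string-built SQL, one UPDATE, checking that the query ran, hashing the password, escaping on output), as an added example that is not part of the original post. It assumes PHP 5.5+ with the pdo_sqlite extension; the in-memory SQLite database and sample values are constructed, and `updateMember` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. In-memory SQLite stands in for MySQL
// so the script runs offline; table and column names follow the post.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$pdo->exec('CREATE TABLE Member (UserName TEXT PRIMARY KEY, PassWord TEXT, email TEXT, Age INTEGER)');
$pdo->exec("INSERT INTO Member VALUES ('alice', 'old', 'old@example.com', 30),
                                      ('bob',   'old', 'bob@example.com', 40)");

/**
 * Validate the input, hash the password, and update the row in one statement.
 * Returns the number of rows changed; throws on bad input or a failed query.
 */
function updateMember(PDO $pdo, $user, $password, $email, $age)
{
    if ($user === '' || $password === '') {
        throw new InvalidArgumentException('user name and password are required');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // Placeholders keep the values out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE Member SET PassWord = :pw, email = :email, Age = :age WHERE UserName = :user'
    );
    $stmt->bindValue(':pw', password_hash($password, PASSWORD_DEFAULT)); // never store plain text
    $stmt->bindValue(':email', $email);
    $stmt->bindValue(':age', (int) $age, PDO::PARAM_INT);
    $stmt->bindValue(':user', $user);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample input standing in for $_POST values.
echo updateMember($pdo, 'alice', 'correct horse', 'alice@example.com', '31'), "\n";

// A value containing quotes and SQL keywords is bound as data, so it matches no row.
echo updateMember($pdo, 'x" OR "1"="1', 'pw', 'a@example.com', 1), "\n";

// The stored value is a hash; verify a login attempt against it.
$row = $pdo->query("SELECT PassWord, email FROM Member WHERE UserName = 'alice'")
           ->fetch(PDO::FETCH_ASSOC);
var_dump(password_verify('correct horse', $row['PassWord']));

// Escape on output, as the post recommends.
echo htmlspecialchars($row['email'], ENT_QUOTES), "\n";
```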