php automatic refresh after form submit

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

OK, my current code is:

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];


if (isset($_POST[submit]))
	{
			$sql_username_output = mysql_real_escape_string($_POST['username_output']);
			$sql_username = mysql_real_escape_string($username);
			mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR"); 

			$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);			
			mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR"); 
	}

$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");

echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($user_myself))
	{
		$html_username = htmlspecialchars($output['username'], ENT_QUOTES);
		echo "Username:&nbsp;<input type='text' value='$html_username' name='username_output'><p>";


		$html_first_name = htmlspecialchars($output['first_name'], ENT_QUOTES);
		echo "First Name:&nbsp;<input type='text' value='$html_first_name' name='first_name_output'><p>";


			
		echo "<p>";
	}
?>

<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Thanks so much for walking me through that. Are there any more security issues I should be aware of? I mean, I'll code more scripts which are different. So, do I have to watch out for different security issues? Is there anything more I should be aware of? Coding is hard enough, but now also watching for security issues seems even harder to me ...
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

We'll get the obvious stuff first. There's one more SQL injection:

Code:

$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
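To make the remaining injection concrete, here is an added example (not code from the thread) that runs stand-alone in the PHP CLI. It uses PDO with an in-memory SQLite database, so the `users` table, its rows and the forged cookie value are all constructed for illustration. `lookup_vulnerable()` interpolates the cookie-controlled value exactly as the quoted line does; `lookup_safe()` binds it through a prepared statement, which is the modern replacement for `mysql_real_escape_string()` (the `mysql_*` extension was removed in PHP 7).

```php
<?php
// Added example: how the unescaped $_COOKIE value in the quoted SELECT can be
// abused, and the prepared-statement fix. SQLite in memory keeps it offline;
// the schema, rows and the attacker's cookie value are constructed.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, first_name TEXT)");
    $db->exec("INSERT INTO users VALUES ('alice', 'Alice'), ('bob', 'Bob'), ('carol', 'Carol')");
    return $db;
}

// Vulnerable: same shape as the quoted line. $username comes straight from a
// cookie the client controls, so a single quote ends the string literal early
// and whatever follows is parsed as SQL.
function lookup_vulnerable(PDO $db, string $username): array {
    $sql = "SELECT * FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is sent as a bound parameter and never parsed as SQL,
// whatever characters it contains.
function lookup_safe(PDO $db, string $username): array {
    $stmt = $db->prepare("SELECT * FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();

// Honest cookie (ID_my_site=alice): both versions return alice's single row.
printf("normal, vulnerable: %d row(s)\n", count(lookup_vulnerable($db, 'alice')));
printf("normal, safe:       %d row(s)\n", count(lookup_safe($db, 'alice')));

// Forged cookie (ID_my_site=' OR '1'='1). In the vulnerable version the WHERE
// clause becomes  username = '' OR '1'='1'  and matches every row; in the safe
// version the whole payload is compared literally against usernames and
// matches nothing.
$payload = "' OR '1'='1";
printf("forged, vulnerable: %d row(s)\n", count(lookup_vulnerable($db, $payload)));
printf("forged, safe:       %d row(s)\n", count(lookup_safe($db, $payload)));
```

The same payload dropped into the two UPDATE statements would be blocked by the escaping already applied there, but escaping has to be remembered at every call site; prepared statements make the safe form the default. Note that the first line of this example needs the `pdo_sqlite` extension, which ships with most PHP builds including XAMPP.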
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];

if (isset($_POST[submit]))
	{
			$sql_username_output = mysql_real_escape_string($_POST['username_output']);
			$sql_username = mysql_real_escape_string($username);
			mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR"); 


			$sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);			
			mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR"); 
	}


$user_myself = mysql_query ("SELECT * from users where username = '$username';") or die ("error");
$sql_user_myself = mysql_real_escape_string('$user_myself'); 


echo "<form method='POST' action ='profile_edit.php'>";

	while ($output = mysql_fetch_array ($sql_user_myself))
	{

		$html_username = htmlspecialchars($output['username'], ENT_QUOTES);
		echo "Username:&nbsp;<input type='text' value='$html_username' name='username_output'><p>";


		$html_first_name = htmlspecialchars($output['first_name'], ENT_QUOTES);
		echo "First Name:&nbsp;<input type='text' value='$html_first_name' name='first_name_output'><p>";


			
		echo "<p>";
	}
?>

<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Strange, doesn't work.

Code:

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in C:\xampp\htdocs\profile_edit.php on line 32
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I'm going to punt this one back to you. Think carefully about what you just did, and how it differs from what you did previously. Also, attempt to understand what the error message is saying. If you're still stumped, I can tell you, but the ability to debug things is just as useful as being able to code.
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

Yeah, it was really good that you didn't give me the answer, because that made me think, and I think this is right; at least it works:

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];

if (isset($_POST[submit]))
   {
         $sql_username_output = mysql_real_escape_string($_POST['username_output']);
         $sql_username = mysql_real_escape_string($username);
         mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");


         $sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);     
         mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR");
   }

$sql_username = mysql_real_escape_string($username);
$user_myself = mysql_query ("SELECT * from users where username = '$sql_username';") or die ("error");

echo "<form method='POST' action ='profile_edit.php'>";

   while ($output = mysql_fetch_array ($user_myself))
   {

      $html_username = htmlspecialchars($output['username'], ENT_QUOTES);
      echo "Username:&nbsp;<input type='text' value='$html_username' name='username_output'><p>";


      $html_first_name = htmlspecialchars($output['first_name'], ENT_QUOTES);
      echo "First Name:&nbsp;<input type='text' value='$html_first_name' name='first_name_output'><p>";
       
      echo "<p>";
   }
?>
<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>

You're a genius ..
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Looking good. Now, lets tackle some styling issues.

Change any instances of:

Code:

$array[index]
to

Code:

$array['index']
This is because when you omit the quotes, PHP looks for a constant of that name; failing that, it substitutes in the string equivalent. So the first code will break if an "index" constant is defined. Always use quotes for strings!
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

I am really learning a lot here today. I had to apply only one change.

Code:

<?php
mysql_connect("localhost", "root", "") or die(mysql_error());
mysql_select_db("login") or die(mysql_error());
$username = $_COOKIE['ID_my_site'];


if (isset($_POST['submit']))
   {
         $sql_username_output = mysql_real_escape_string($_POST['username_output']);
         $sql_username = mysql_real_escape_string($username);
         mysql_query("UPDATE users SET username='$sql_username_output' WHERE username='$sql_username';") or die("ERROR");


         $sql_first_name_output = mysql_real_escape_string($_POST['first_name_output']);     
         mysql_query("UPDATE users SET first_name='$sql_first_name_output' WHERE username='$sql_username';") or die("ERROR");
   }


$sql_username = mysql_real_escape_string($username);
$user_myself = mysql_query ("SELECT * from users where username = '$sql_username';") or die ("error");


echo "<form method='POST' action ='profile_edit.php'>";

   while ($output = mysql_fetch_array ($user_myself))
   {



      $html_username = htmlspecialchars($output['username'], ENT_QUOTES);
      echo "Username:&nbsp;<input type='text' value='$html_username' name='username_output'><p>";


      $html_first_name = htmlspecialchars($output['first_name'], ENT_QUOTES);
      echo "First Name:&nbsp;<input type='text' value='$html_first_name' name='first_name_output'><p>";

      echo "<p>";
   }

?>

<input type="submit" name="submit" value="submit">
</form>
<p>
<a href="members.php">Back</a>
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

A few questions, now:

- Having a database with no password is not very secure. Have you made sure that it is not accessible to the public, or have you considered adding a password?
- Do you really want users to be able to rename their usernames? Usually, that sort of thing stays constant, especially considering that you're using it as a "primary key".
- How are you identifying if a user is who they say they are?

These are bigger, design issues.
DonPatricio91
Forum Newbie
Posts: 18
Joined: Tue Dec 11, 2007 7:32 pm

Post by DonPatricio91 »

OK, well, so that you actually understand what I am trying to do: I am currently working on a project like Facebook, MySpace etc. Firstly, I just want to program the basics. I already have a login/register/user list/profile for each user, and now, due to your help, users can also edit their profile.
However, I programmed all these scripts without regard to what you taught me just now, so it'll probably take me a day to alter all the scripts to what you told me to do, because I wasn't aware of all that. Later on I would like to build a really fancy site and all that. I think programming is just fun, so I want to do that, and who knows, I might ultimately promote the site, but I don't have a lot of knowledge, just HTML/CSS/JavaScript and PHP basics.

My database, yeah. I am currently using XAMPP, so I am working offline; I am certainly going to set a password when I transfer the site to the internet.
You're right, I won't allow the users to rename their usernames. It wouldn't even work, because the users solely get identified through

Code:

$username = $_COOKIE['ID_my_site'];
and if somebody alters their username, it would be a mess. I know there is a tag in HTML that doesn't allow users to write in a text form, so I'll look that up. It's just not finished yet ...
I am identifying the users through the little code I added above.
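Since the thread ends with `$_COOKIE['ID_my_site']` as the only proof of who the user is, here is an added example (not code from the thread) of why a bare username cookie proves nothing and one way to make it tamper-evident: the server signs the value with an HMAC under a secret only it knows, and refuses any cookie whose signature does not verify. A server-side session (`session_start()` and `$_SESSION`, with only an opaque session id in the cookie) is the more usual answer and keeps the identity out of the cookie entirely; the signed-cookie form is shown because it runs stand-alone in the CLI. The secret, the cookie format and the usernames are constructed for illustration.

```php
<?php
// Added example: a plain "ID_my_site=alice" cookie is set by the client, so any
// visitor can send "ID_my_site=bob" and edit bob's profile. Signing the value
// lets the server detect that. Secret and usernames are constructed.

// In production, load this from configuration; generate it once with
// bin2hex(random_bytes(32)) and never commit it.
const COOKIE_SECRET = 'constructed-secret-replace-with-random_bytes-output';

// Cookie value issued at login: <username>.<hex HMAC-SHA256 over username>.
function sign_identity(string $username, string $secret): string {
    return $username . '.' . hash_hmac('sha256', $username, $secret);
}

// Returns the username if the cookie is well formed and its signature matches,
// otherwise null. hash_equals() compares in constant time so the check does not
// leak how many leading bytes of the MAC were right.
function verify_identity(?string $cookie, string $secret): ?string {
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$username, $mac] = explode('.', $cookie, 2);
    // Usernames are restricted so the separator can never appear inside one.
    if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $username)) {
        return null;
    }
    $expected = hash_hmac('sha256', $username, $secret);
    return hash_equals($expected, $mac) ? $username : null;
}

// What the thread's script trusts today: the raw cookie string.
$forged_plain = 'bob';                                   // attacker sets ID_my_site=bob

// What the server would issue for alice, and two ways an attacker might fake it.
$issued       = sign_identity('alice', COOKIE_SECRET);
$forged_reuse = 'bob.' . explode('.', $issued, 2)[1];    // alice's MAC glued onto bob
$forged_guess = 'bob.' . str_repeat('0', 64);             // made-up MAC

var_dump(verify_identity($issued, COOKIE_SECRET));        // signature matches: "alice"
var_dump(verify_identity($forged_plain, COOKIE_SECRET));  // no signature: null
var_dump(verify_identity($forged_reuse, COOKIE_SECRET));  // MAC is for a different name: null
var_dump(verify_identity($forged_guess, COOKIE_SECRET));  // wrong MAC: null
```

In `profile_edit.php` the lookup would then become `$username = verify_identity($_COOKIE['ID_my_site'] ?? null, COOKIE_SECRET);` followed by a redirect to the login page when the result is null, and `setcookie()` at login should pass the `httponly` and `secure` flags. Signing stops forgery but not theft: a copied cookie is still valid until it expires, which is one more reason server-side sessions, which can be invalidated on logout, are the usual choice.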