更新查询不更新表

Question

I have a user data profile that I want to update when a user has filled out a form. When the update query is run values are being passed to the PHP script but not being changed in the table.

HTML of form:

    echo "<br />";
    echo "From this page you can change your profile details.";
    echo "<br />";
    echo "<br />";
    echo "<form id='edit' action='../scripts/editscript.php' method='post' accept-charset='UTF-8'>";
    echo "<label for='firstname'>First Name:</label>";
    echo "<input type='text' id='firstname' name='firstname' />";
    echo "<br />";
    echo "<label for='lastname'>Last Name:</label>";
    echo "<input type='text' id='lastname' name='lastname' />";
    echo "<br />";
    echo "<label for='username'>User Name:</label>";
    echo "<input type='text' id='username' name='username' />";
    echo "<br />";
    echo "<label for='password'>Password:</label>";
    echo "<input type='password' id='password' name='password' />";
    echo "<br />";
    echo "<label for='passwordconfirm'>Confirm Password:</label>";
    echo "<input type='password' id='passwordconfirm' name='passwordconfirm' />";
    echo "<br />";
    echo "<label for='email'>E-Mail:</label>";
    echo "<input type='email' id='email' name='email' />";
    echo "<br />";
    echo "<label for='like'>Something you like:</label>";
    echo "<input type='text' id='like' name='like' />";
    echo "<br />";
    echo "<label for='dislike'>Something you dislike</label>";
    echo "<input type='text' id='dislike' name='dislike' />";
    echo "<br />";
    echo "<label for='fact'>A fun fact about yourself:</label>";
    echo "<input type='text' id='fact' name='fact' />";
    echo "<br />";
    echo "<label for='allow'>Do you want other people to see parts of your profile:</label>";
    echo "<input type='radio' name='allow' value='yes' /> Yes";
    echo "<input type='radio' name='allow' value='no' /> No";
    echo "<br />";
    echo "<br />";
    echo "<input type='submit' name='submit' value='Confirm' />";
    echo "</form>";

PHP script:

<?PHP
session_start();
$time = time();
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$salt = substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22);
$salt = str_replace("+",".",$salt);
$salt = '$2a$08$' . $salt;
$password = crypt($_POST['password'], $salt);
$email = $_POST['email'];
$like = $_POST['like'];
$dislike = $_POST['dislike'];
$fact = $_POST['fact'];
$allow = $_POST['allow'];
$UID = $_SESSION['user']['UID'];
if ($allow == 'yes') {
    $allowvalue = 1;
} else {
    $allowvalue = 0;
};
$con = mysqli_connect('localhost','//db_username','//db_pass','//table');
if (mysqli_connect_errno($con)) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$query = "UPDATE users SET firstname = '" . $firstname . "',
lastname = '" . $lastname . "',
username = '" . $username . "',
password = '" . $password . "',
email = '" . $email . "',
like = '" . $like . "',
dislike = '" . $dislike . "',
fact = '" . $fact . "',
allowview = " . $allowvalue . " WHERE UID = " . $UID . "";
mysqli_query($con,$query);
mysqli_close($con);
?>

I really don't get why this isn't going as expected. Any help is appreciated. :)

Answer 1

Prepared statements are not only good for avoiding sql infection but they will also help you organizing your code hence make your code more solid

<?php
session_start();
/*your variables*/
$time = time();
$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$salt = substr(base64_encode(openssl_random_pseudo_bytes(17)),0,22);
$salt = str_replace("+",".",$salt);
$salt = '$2a$08$' . $salt;
$password = crypt($_POST['password'], $salt);
$email = $_POST['email'];
$like = $_POST['like'];
$dislike = $_POST['dislike'];
$fact = $_POST['fact'];
$allow = $_POST['allow'];
$UID = $_SESSION['user']['UID'];
if ($allow == 'yes') {
    $allowvalue = 1;
} else {
    $allowvalue = 0;
};

$mysqli = new mysqli("localhost", "//db_username", "//db_pass", "//table");
/* check connection */
if (mysqli_connect_errno()) {
    echo ("Failed to connect to MySQL:: %s\n", mysqli_connect_error());
    exit();
}
/* Prepare an update statement */
$query = "UPDATE users SET firstname = ?,
lastname = ?,
username = ?,
password = ?,
email = ?,
like = ?,
dislike = ?,
fact = ?,
allowview = ? WHERE UID = ?";

$stmt = $mysqli->prepare($query);
$stmt->bind_param("ssssssssii",$firstname, $lastname, $username, $password, $email, 
                               $like, $dislike, $fact, $allowvalue, $UID);

/* Execute the statement */
$stmt->execute();

/* close connection */
$mysqli->close();
?>

Answer 2

do a

var_dump($_SESSION['user']['UID']);

most probably the id does not match the id in the db

Answer 3

I figured out what it was. One of the columns in my database was 'like'. This is a MySQL keyword so it was messing with my query, thanks for the suggestions anyway :)