SQL Update Query taking data from a form isn't running
Question
I have a form set up on a users profile, so if they want to update items such as their first name, last name, username, or email then they can.
When they hit the submit on the form, a PHP script runs which essentially checks if any fields are not empty, and if there are not empty, run an update query to the db on the student table. However, nothing seems to be happening, wondering if someone could point out where I have gone wrong as the student table does not update?
profile.php:
<form action="scripts/update-profile.php" method="post">
<h3 class="left-align fontAmaticH1">Student Details</h3>
<p class="left-align"><b>Username: </b><?php echo $row['username']; ?>
<div class="update-profile"><input type="text" name="username" placeholder="Update Username..."></div>
</p>
<p class="left-align"><b>Email Address: </b><?php echo $row['email']; ?>
<div class="update-profile"><input type="text" name="email" placeholder="Update Email..."></div>
</p>
<p class="left-align"><b>First Name: </b><?php echo $row['firstName']; ?>
<div class="update-profile"><input type="text" name="firstName" placeholder="Update First Name..."></div>
</p>
<p class="left-align"><b>Surname: </b><?php echo $row['lastName']; ?>
<button name="update-details" class="update-details" type="submit">Update Details</button>
</form>
Edit Details
PHP:
<?php
// Checking whether the user got to this page by clicking the proper button.
if (isset($_POST['update-details'])) {
require 'db.php';
// We grab all the data which we passed from the update form
$studentID = $_SESSION['studentID'];
$username = $_POST['username'];
$email = $_POST['email'];
$profileImage = $_POST['profileImage'];
$firstName = $_POST['firstName'];
$lastName = $_POST['lastName'];
$update = [];
if (! empty($username)) {
$update['username'] = "username ='".$username ."'";
}
if (! empty($email)) {
$update['email'] = "email='".$email ."'";
}
if (! empty($firstName)) {
$update['firstName'] = "firstName='".$firstName ."'";
}
if (! empty($lastName)) {
$update['lastName'] = "lastName='".$lastName ."'";
}
if (! empty($update)) {
$query = "UPDATE `student` SET ";
$query .= implode(', ', $update);
$query .= " WHERE `student`.`studentID` = $studentID ";
$result = $conn->query($query) or die ("update SQL error");
}
header("Location: ../profile.php?update=success");
}
?>
STUDENT TABLE
1 answers
solution1
1 ACCPTED 2020-03-11 19:16:14
1:
You are wide open for SQL injection here. Use Parameterised Queries. ALWAYS.
2:
Check Your PHP Error logs
3:
D on't
R epeat
Y ourself
Which means use PHP loop structures to save code and time and effort.
4:
Be aware that MySQL UTF-8 is NOT really UTF-8 and should always be replaced by utf8mb4_ character sets and collations.
5:
Your header Location redirects should always be followed by an exit / die() statement because PHP will keep processing until it reaches the end of the script, even if you give it a header . If you give multiple header "Location: ..." s then the final one is the one that will be followed.
6:
PHP has lots of array implosion and string interaction functions for you to use arrays in the context of turning them into Parameterised queries.
7:
Use Try / Catch blocks in PHP These should be used to catch errors and issues before they're committed.
8:
NEVER ever trust user input. Ever.
Quick and Dirty Example:
Using MySQLi ? syntax;
In your db.php file, to allow try/catch error catching with the MySQLi method:
\mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
In your script....
if (isset($_POST['update-details'])) { //tacky but it will do.
require 'db.php';
$studentID = (int)$_SESSION['studentID'];
// force to type integer to ensure
// data is always valid.
unset($_POST['update-details']); // forget this value.
$update = []; // make a new array
// Because your array keys are the same, you can simply loop through
// checking and then adding from one array to another.
//
// alternatively you can copy the whole @_POST array and simply
// run `array_filter` on it to clean it of empty values.
// (but this will not catch whitespaces)
foreach($_POST as $key=>$data){
$data = trim($data);
if(!empty($data)){
// use REGEX to do some cleaning of your Key values.
// NEVER EVER trust user input. NEVER.
$key = preg_replace("/[^a-z]/i","",$key);
$update[$key] = $data;
}
}
// end foreach.
if (\count($update) > 0 ) {
$keyString = implode(" = ? ,",array_keys($update));
$keyString." = ?" //append last reference
// Now build the dynamically built Parameterised SQL:
$query = "UPDATE `student` SET ".$keyString." WHERE `student`.`studentID` = ? ";
$runQuery = $conn->prepare($query);
// We will assume here all your data is a string (s) type.
$dataType = str_repeat("s", count($update));
$dataType .= "i"; // append data type for the ID at the end.
$update[] = $studentID;
//Use a Try / Catch block to check the functions work correctly.
// you can also use SQL transactions.
try {
// Bind your data to your query object
$runQuery->bind_param($dataType, \implode(",",$update));
// Execute your query.
$runQuery->execute();
$runQuery->free_result();
// This can feedback the number of rows updated.
$rows = (string)$runQuery->affected_rows;
error_log("Rows updated: ".$rows);
//close your query.
$runQuery->close();
}
catch(\mysqli_sql_exception $ex) {
// Do something with your query failure.
error_log("MySQL Error!: ".print_r($ex,true));
}
} //end count update
header("Location: ../profile.php?update=success");
exit; // STOP further PHP execution.
}
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.