I have searched over 1500 posts over the last 2 weeks and have not found the solution to make my code work. My registration and login forms work correctly, but when the user logs in to add or edit information the SQL database does not update with the user's input and the error/updated message does not echo. My users register with name, surname, email and password, but once they log in they need to add their personal information and later be able to edit it. But nothing I've tried has worked... please help me, I really need to get this right.... My code is as follows:

PHP CODE:

<?php
include_once "connect_to_mysql.php";
$id = $_SESSION['id'];

$title=$_POST['title'];
$username=$_POST['username'];
$surname=$_POST['surname'];
$identityno=$_POST['identityno'];
$gender=$_POST['gender'];
$birthdate = strftime("%d %b %Y", strtotime($row['birthdate']));
$ethnicity=$_POST['ethnicity'];
$nationality=$_POST['nationality'];
$homeaddress=$_POST['homeaddress'];
$province=$_POST['province'];
$suburb=$_POST['suburb'];
$hometele=$_POST['hometele'];
$celltele=$_POST['celltele'];
$creditclear=$_POST['creditclear'];
$criminalrecord=$_POST['criminalrecord'];
$driverslicense=$_POST['driverslicense'];
$owntransport=$_POST['owntransport'];
$medicalconditions=$_POST['medicalconditions'];

$query("UPDATE cic_candidates SET title='$title', username='$username', surname='$surname', 
identityno='$identityno', gender='$gender', birthdate='$birthdate', ethnicity='$ethnicity', 
nationality='$nationality', homeaddress='$homeaddress', province='$province', suburb='$suburb', 
hometele='$hometele', celltele='$celltele', creditclear='$creditclear', 
criminalrecord='$criminalrecord', driverslicense='$driverslicense', 
owntransport='$owntransport', medicalconditions='$medicalconditions' WHERE id='$id'");
mysql_query($query);

echo 'Your account info has been updated, you will now see the new info.<br /><br />
To return to your profile edit area, <a href="edit_personal_details.php">click here</a>';
exit();
mysql_close();

?>
Ashleigh
    Your code is too messy and I can see that your script can be SQL injected. – Lkopo Aug 31 '13 at 10:08
  • 1
    Whoa, that's a lot of code. We don't need to see the whole script. Post only the relevant code. Also, make use of `mysql_error` function. Your code is also vulnerable to **SQL injection**. If you're starting out, save the trouble and use `mysqli` or `PDO` instead. – Amal Murali Aug 31 '13 at 10:09
  • When someone sends "No, I don't have a drivers license", the SQL code breaks because of the `'`... Escape your input! – Marty McVry Aug 31 '13 at 10:12
  • Have edited original coding... – Ashleigh Aug 31 '13 at 10:37
  • Do you see any errors? Is your error reporting on? http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display And if so, what do the errors tell you? – Dirk McQuickly Aug 31 '13 at 13:38
  • Is this right? `$birthdate = strftime("%d %b %Y", strtotime($row['birthdate']));` Shouldn't that be `$_POST['birthdate']` ? – Dirk McQuickly Aug 31 '13 at 13:52
  • Hi Dirk, to be totally honest I have changed the code so many times because I'm trying all the help topics online... Can I edit the original code at the top and will you have a look at it... it seems to be getting better but now I get the following error: Fatal error: Function name must be a string .... which refers to: $query("UPDATE cic_candidates SET title='$title' I will update the original code above to show you what I have now... thanks for your help. – Ashleigh Aug 31 '13 at 13:56
  • I changed the birthdate and tested and it still shows the same error... what else do you think could be wrong? Do you think my coding on this: $query("UPDATE cic_candidates SET ....is wrong? Thanks a million for your time and help... – Ashleigh Aug 31 '13 at 13:59
  • Please print out your query. With the values, not the parameters – Dirk McQuickly Aug 31 '13 at 14:02
  • Hi Dirk, I'm sorry if I sound stupid but I don't know how to print out the query... can you guide me through how to do that? – Ashleigh Aug 31 '13 at 14:06
  • `die("UPDATE cic_candidates SET title='$title', username='$username', surname='$surname', identityno='$identityno', gender='$gender', birthdate='$birthdate', ethnicity='$ethnicity', nationality='$nationality', homeaddress='$homeaddress', province='$province', suburb='$suburb', hometele='$hometele', celltele='$celltele', creditclear='$creditclear', criminalrecord='$criminalrecord', driverslicense='$driverslicense', owntransport='$owntransport', medicalconditions='$medicalconditions' WHERE id='$id'")` – Dirk McQuickly Aug 31 '13 at 14:09
  • I did that and it still says error on line 42: Fatal error: Function name must be a string.... – Ashleigh Aug 31 '13 at 14:15
  • So put the line before line 42. Or comment out line 42 – Dirk McQuickly Aug 31 '13 at 14:18
  • I replaced line 42 with your code and it said: syntax error and then when I put the code before line 42 it said: Parse error: syntax error, unexpected T_VARIABLE... – Ashleigh Aug 31 '13 at 14:23
  • I'm sorry, I forgot the semicolon at the end of my line. Place that please – Dirk McQuickly Aug 31 '13 at 14:27
  • Wow! Great it worked!...this is what it printed: UPDATE cic_candidates SET title='', username='', surname='', identityno='', gender='', birthdate='', ethnicity='', nationality='', homeaddress='', province='', suburb='', hometele='', celltele='', creditclear='', criminalrecord='', driverslicense='', owntransport='', medicalconditions='' WHERE id='53'....what do we do now? Thanks so much Dirk... – Ashleigh Aug 31 '13 at 14:35
  • I found this but don't know how to fix my coding according to it...can you help? Fatal error: Function name must be a string This error usually rears its ugly head when you are using variable functions. If you use a variable function and the variable you are using is unset, this error will result - I often get this when I am typing faster than I can think and I accidentally hit $ before a function name. PHP naturally interprets this is a variable-function call, and tries to look up the function name inside the variable. – Ashleigh Aug 31 '13 at 14:42
  • All empty values? Try `die()` after posting some real values. I must admit, I'm baffled by now, just don't see it. – Dirk McQuickly Aug 31 '13 at 14:46
  • Oh...I understand now what you're saying... I will remove the "die" coding and will test it and see... sorry Dirk... I do appreciate your help... – Ashleigh Aug 31 '13 at 15:09
  • First take out the `die()` statement. Then load the page, fill in the form, but before posting, put back the `die()` statement. Don't take this wrong, but I think you have to do some more study. – Dirk McQuickly Aug 31 '13 at 15:17
  • I removed the die statement and I get the "function name must be a string error" which is what we had before we did the "die" coding...please see above. I don't take you the wrong way...I know there's a lot I still need to learn and am very grateful for your help... – Ashleigh Aug 31 '13 at 15:43

2 Answers


Aside from the issues of SQL injection that have been mentioned above (the surname O'Connor will break your code, and that's the least-bad thing that might happen), you're missing the assignment operator when you create $query:

$query("UPDATE cic_candidates ....

PHP is interpreting that as a function call instead of an assignment. You don't need the brackets, and you do need an assignment operator:

$query = "UPDATE cic_candidates ....

You should look at moving away from mysql_ functions, to mysqli_ or PDO. They both make it easier for you to write more secure code. But at the very least you need to sanitise the data that you're adding to the database.

andrewsi

Change

$query("sql query string"); 

to

$query = "sql query string"; 

then execute

mysql_query($query);
MaxEcho
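Both answers make the same two points: the missing assignment operator (`$query("...")` is a variable function call, which is exactly what the "Function name must be a string" fatal error means) and the SQL injection that the comments demonstrate with an apostrophe in a value such as O'Connor. The script below is an added example, not code from the question or from either answer, that rewrites the same UPDATE with PDO prepared statements. It assumes the `cic_candidates` table and column names from the question, a session that stores the logged-in user's row id in `$_SESSION['id']`, and a DSN, database user and password that you would replace with your own (the values shown are placeholders). The `mysql_*` functions it replaces were removed in PHP 7.

```php
<?php
// Added example (not from the original question or answers): the corrected
// UPDATE written with PDO prepared statements, so a value like "O'Connor" or
// "No, I don't have a drivers license" can neither break the query nor inject
// SQL. Assumes the cic_candidates table/columns from the question and a
// logged-in user whose row id is in $_SESSION['id'].
session_start();

// Placeholder connection details; replace with your own.
$pdo = new PDO('mysql:host=localhost;dbname=cic;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface SQL errors instead of failing silently
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

// The fixed set of columns a user may update. Column names cannot be bound
// as parameters, so they come from this list, never from the request.
$columns = [
    'title', 'username', 'surname', 'identityno', 'gender', 'birthdate',
    'ethnicity', 'nationality', 'homeaddress', 'province', 'suburb',
    'hometele', 'celltele', 'creditclear', 'criminalrecord',
    'driverslicense', 'owntransport', 'medicalconditions',
];

// Only a logged-in user may update, and only their own row: the id comes
// from the session, not from the submitted form.
if (empty($_SESSION['id'])) {
    http_response_code(403);
    exit('Please log in first.');
}
$id = (int) $_SESSION['id'];

// Collect the posted values; a missing field becomes an empty string
// instead of an "undefined index" notice.
$values = [];
foreach ($columns as $col) {
    $values[$col] = isset($_POST[$col]) ? trim((string) $_POST[$col]) : '';
}

// Normalise the birthdate to the YYYY-MM-DD format a MySQL DATE column expects.
// (The original script formatted $row['birthdate'], a variable that was never set.)
if ($values['birthdate'] !== '') {
    $ts = strtotime($values['birthdate']);
    if ($ts === false) {
        exit('Please enter the birthdate as a valid date.');
    }
    $values['birthdate'] = date('Y-m-d', $ts);
}

// Build "col = :col, ..." from the fixed column list; the values are bound below.
$assignments = [];
foreach ($columns as $col) {
    $assignments[] = "$col = :$col";
}
$sql = "UPDATE cic_candidates SET " . implode(', ', $assignments) . " WHERE id = :id";
// Note the assignment above: $sql = "...", not $sql("...").

$params = $values;
$params['id'] = $id;

$stmt = $pdo->prepare($sql);
$stmt->execute($params);   // throws a PDOException if the statement fails

echo 'Your account info has been updated, you will now see the new info.<br /><br />'
   . 'To return to your profile edit area, <a href="edit_personal_details.php">click here</a>';
```

Two design choices worth noting: the column list is hard-coded so that the only things reaching the query text are names you chose, while every user-supplied value travels as a bound parameter; and `ERRMODE_EXCEPTION` replaces the `mysql_error()` checks the comments asked for, so a failed UPDATE shows up as an exception rather than a silent success message.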