I can't update my table on the database, my code seems to look fine. I see no errors in it and yet it's not working.

Here is my table row

```php
$userType = mysqli_real_escape_string($conn, trim($_POST['type']));
$password = md5($password_1); //encrypt the password before saving in the database
$codeInput = mysqli_real_escape_string($conn, trim($_POST['code']));

$clientInfo = "UPDATE client SET 
                    client_username='$username', 
                    email_add='$email' 
                WHERE code = '$codeInput')";

$query = "INSERT INTO account (username, email, password, type) 
                       VALUES ('$username', '$email', '$password', '$userType')";

mysqli_query($conn, $clientInfo);
mysqli_query($conn, $query);

$_SESSION['username'] = $username;
$_SESSION['success'] = "You are now logged in";
header('location: ../public/pgClient/index.php');
```

UPDATE:

After showing error here is what it says now.

Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ')' at line 1 in C:\xampp\htdocs\FAME\private\includes\server.php:72 Stack trace: #0 C:\xampp\htdocs\FAME\private\includes\server.php(72): mysqli_query(Object(mysqli), 'UPDATE client S...') #1 C:\xampp\htdocs\FAME\public\sgnUp.php(1): include('C:\\xampp\\htdocs...') #2 {main} thrown in C:\xampp\htdocs\FAME\private\includes\server.php on line 72
  • echo or var_dump the database error, most of the time it will show you why it's not working. Also don't use md5 hash for passwords IT'S NOT SECURE – Baracuda078 Jun 11 '20 at 19:37
  • 3
    Please don't __roll your own__ password hashing, especially not using `MD5()` or `SHA1()`. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them for the safety of your users. – RiggsFolly Jun 11 '20 at 19:38
  • 3
    Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) You should consider using [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenated values – RiggsFolly Jun 11 '20 at 19:40
  • To get errors out of PHP even in a LIVE environment add these 4 lines to the top of any `MYSQLI_` based script you want to debug `ini_set('display_errors', 1); ini_set('log_errors',1); error_reporting(E_ALL); mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);`. This will force any `MYSQLI_` errors to generate an Exception that you can see on the browser as well as normal PHP errors. – RiggsFolly Jun 11 '20 at 19:40
  • @RiggsFolly Where can I put those lines of code? – Rav Lucin Jun 11 '20 at 19:44
  • 1
    My comment says exactly where to put them, `at the TOP of any script` – RiggsFolly Jun 11 '20 at 19:46
  • If you're just getting started with PHP and want to build applications, I'd strongly recommend looking at various [development frameworks](https://www.cloudways.com/blog/best-php-frameworks/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](http://laravel.com/). These give you concrete examples to work from and guidance on how to write your code and organize your project's files. – tadman Jun 11 '20 at 19:57
  • **WARNING**: Writing an access control layer is not easy and there are many opportunities to get it severely wrong. Any modern [development framework](https://www.cloudways.com/blog/best-php-frameworks/) like [Laravel](http://laravel.com/) comes with an [authentication system](https://laravel.com/docs/master/authentication) built-in, and there are [authentication libraries](http://phprbac.net/) you can use. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text** or a weak hash like **SHA1 or MD5**. – tadman Jun 11 '20 at 19:58
  • 1
    Thank you all for your comments, I appreciate it. I'm slowly learning the terms and good practice for php. – Rav Lucin Jun 11 '20 at 20:03
  • Everyone starts out learning, and if you're doing it right, you'll always be learning more. One resource to keep in mind is [PHP the Right Way](https://phptherightway.com) which provides an overview of the PHP ecosystem and best practices. – tadman Jun 11 '20 at 20:08
  • I've updated the post of the error that I got. – Rav Lucin Jun 11 '20 at 20:09
  • 1
    Until you parameterize this it's not even worth talking about syntax errors. Placeholder values fix *a lot of problems* instantly and *permanently*. – tadman Jun 11 '20 at 20:14
  • One of the errors is your first SQL statement. You have a closing parenthesis, but no opening one. It's at the end of the SQL stored in $clientInfo. The above comments about using a parameterized query and SQL injection are something to be taken seriously. – Sloan Thrasher Jun 11 '20 at 21:28
  • @SloanThrasher thank you for your answer, I just found it out right now. – Rav Lucin Jun 12 '20 at 09:41
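
The two queries from the question rewritten with placeholders and `password_hash()`/`password_verify()`, as the comments recommend. This is an added example, not the asker's or any commenter's code. It assumes PDO with an in-memory SQLite database so it runs without a server; the `registerClient()` helper, sample rows and inputs are constructed, and only the table and column names come from the question.

```php
<?php
// Added example. Assumption: PDO + in-memory SQLite so it runs offline; the
// question uses mysqli/MariaDB, where the same prepare/execute pattern applies.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // SQL errors become exceptions
]);
$pdo->exec("CREATE TABLE client (code TEXT PRIMARY KEY, client_username TEXT, email_add TEXT)");
$pdo->exec("CREATE TABLE account (username TEXT, email TEXT, password TEXT, type TEXT)");
$pdo->exec("INSERT INTO client (code) VALUES ('C-1001'), ('C-1002')"); // constructed rows

// Hypothetical helper: claims a client code and creates the account atomically.
function registerClient(PDO $pdo, string $username, string $email,
                        string $plainPassword, string $type, string $code): bool
{
    $pdo->beginTransaction();
    try {
        // Values travel separately from the SQL text, so quotes in the input
        // cannot change the statement (and there is no string to mistype).
        $upd = $pdo->prepare(
            'UPDATE client SET client_username = ?, email_add = ? WHERE code = ?');
        $upd->execute([$username, $email, $code]);
        if ($upd->rowCount() !== 1) {          // unknown code: create nothing
            $pdo->rollBack();
            return false;
        }
        $ins = $pdo->prepare(
            'INSERT INTO account (username, email, password, type) VALUES (?, ?, ?, ?)');
        $ins->execute([$username, $email,
                       password_hash($plainPassword, PASSWORD_DEFAULT), $type]);
        $pdo->commit();
        return true;
    } catch (PDOException $e) {
        $pdo->rollBack();                      // never leave a half-written signup
        throw $e;
    }
}

// Constructed inputs: a name containing a quote, then a code that is not a real code.
var_dump(registerClient($pdo, "o'brien", 'ob@example.test', 'correct horse', 'client', 'C-1001'));
var_dump(registerClient($pdo, 'mallory', 'm@example.test', 'pw', 'client', "C-1002' OR '1'='1"));

// Login side: compare with password_verify(), never by re-hashing and comparing strings.
$sel = $pdo->prepare('SELECT password FROM account WHERE username = ?');
$sel->execute(["o'brien"]);
var_dump(password_verify('correct horse', $sel->fetchColumn()));
```

On MySQL/MariaDB, `rowCount()` reports changed rows rather than matched rows unless the connection sets `PDO::MYSQL_ATTR_FOUND_ROWS`, so an update that writes identical values would be treated as "unknown code" by this check.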