managing users...update details page

[kamstar]

hi there.
i have used the tutorial by kevin and everything seems to work ok without error.
however i have made a 'my page' where after logging in the user can see their details, edit and update.
after submitting the form everything looks ok again without error, however the database is not updated!

is this a sessions problem....will i need to destroy the old session and register a new one?...i would appreciate any help/advice.

btw: sessions are registered as 'uid' and 'pwd' as in the tutorial. the sql table headings can be seen in the sql update statement within the code.

heres the code:

ITS BEEN UPDATED SO IT NOW WORKS...BELOW IS THE CORRECT CODE IF YOU WANT IT...AT YOUR OWN RISK!

PHP Code:

<?
//see below for this file
include("login.php"); 
?>

<title>title</title>
<h1>My Page</h1>


<?
dbConnect("db name");//add ur db name here

if ($uid) { 

if ($submit) { 

//change tablename to urs...the varibales should 
//match the ones in the form below ..the ones in 
//CAPS should match the ones in ur table

$sql = "UPDATE tablename SET 
USERID = '$userid',
PASSWORD = '$newpass',
FIRSTNAME = '$firstname',
SURNAME = '$surname',
EMAIL = '$email',
COMMENTS = '$comments'
WHERE ID= '$id'"; 

$result = mysql_query($sql); 

//added next line to check variables were being passed
echo "$userid, $newpass, $firstname, $surname, $email, $comments, $id";
//end 

if (!$result) 
{  
echo("A database error occurred");
echo("<p>Show the Error<br>".
           "Error: " . mysql_error());
           exit();
}


echo "<p>Thank you! Information updated.</p>"; 

// Email the new password to the person.    

$message = "Hello $firstname! Your registration details have been updated.\n\n";
$message .= "Your details are as follows: \n\n";
$message .= "Username: $userid\nPassword: $newpass\n\nPlease keep this e-mail for future reference.";
            
mail($email,"your registration updated",         
$message, "From:us<email address>");//add ur email addres here
   

} 


else { 

echo "<p>Welcome!, $username... You are logged in</p>";

// query the DB 
//again put ur table info here...uid and pwd should 
//be from ur session as in the tutorial so 
//probably dont need to change uid and pwd
$sql = "SELECT * FROM tablename WHERE USERID = '$uid' AND PASSWORD = '$pwd'";
$result = mysql_query($sql);

while ($row  =  mysql_fetch_row($result)) {

$ID=$row[0];
$UI=$row[1];
$PW=$row[2];
$FN=$row[3];
$SN=$row[4];
$EM=$row[5];
$CO=$row[6];
}
        
print("<form method=\"post\" action=$PHP_SELF>"); 
print("<table border = 0>"); 
//new line to make script work
print("<input type=\"hidden\" name=\"id\" value=\"$ID\">");
//end
print("<tr><td><p>User ID:</p></td>");
print("<td><input type=\"Text\" name=\"userid\" value=\"$UI\"></td></tr>");

print("<tr><td><p>Password:</p></td>");
print("<td><input type=\"Text\" name=\"newpass\" value=\"$PW\"></td></tr>");

print("<tr><td><p>First Name:</p></td>");
print("<td><input type=\"Text\" name=\"firstname\" value=\"$FN\"></td></tr>");

print("<tr><td><p>Surname:</p></td>");
print("<td><input type=\"Text\" name=\"surname\" value=\"$SN\"></td></tr>");

print("<tr><td><p>Email:</p></td>");
print("<td><input type=\"Text\" name=\"email\" value=\"$EM\"></td></tr>");

print("<tr><td><p>Comments:</p></td>");
print("<td><input type=\"Text\" name=\"comments\" value=\"$CO\"></td></tr>");

print("</table><br>");
print("<input type=\"Submit\" name=\"submit\" value=\"Update\"></form>");



if (!$result) 
{  
echo("A database error occurred");
echo("<p>Show the Error<br>".
           "Error: " . mysql_error());
           exit();
}
}
}

?>

here's login.php - based upon kevins tutorial

PHP Code:

<?php 

// the db file with ur db connection
// see the tutorial on what to put in here
include("db.inc");

session_start();

if(!isset($uid)) 
{  
?>  

<title>:LogIn:</title>  


<h1>:Login Required:</h1>  
<p>You must log in to access this area of the site. </p>  
<p><form method="post" action="<?PHP_SELF?>">    
User ID:<br><input type="text" name="uid" maxlength=100><br><br>    
Password:<br><input type="password" name="pwd" maxlength=100><br><br>    
<input type="submit" value="Log in">
<input type=reset name=Reset value=Clear Form>
</form></p>  


<?php  exit;}

session_register("uid");
session_register("pwd");

dbConnect("db name");//ur db name here

//change tablename to yours
$sql = "SELECT * FROM tablename WHERE USERID = '$uid' AND PASSWORD = '$pwd'";
$result = mysql_query($sql);

if (!$result) 
{  
die("A database error occurred");
}

if (mysql_num_rows($result) == 0) 
{  
session_unregister("uid");  
session_unregister("pwd");  
?>  

<title>:Access Denied:</title>  


<h1>:Access Denied:</h1>  
<p>Your user ID or password is incorrect.</p>  


<?php  
exit;
}

$username = mysql_result($result,0,"FIRSTNAME");
?>

[seanf]

Are you getting an error from MySQL?

Sean

[kamstar]

seanf,
thanks for your reply.
no i'm not getting any error msg's from the script at all...so it must be running ok?....just not sure where the problem lies.

[Defender1]

echo all of the variables being submitted first and check to make sure there's actually something being submitted.

[kamstar]

defender,
tried echoing the variables...see the code.
on the confirmation page all the edited variables are correct and match the changes made but again the db is not updated.

[Bob [Nescience.org]]

Change:

PHP Code:

$sql = "UPDATE tablename SET 
USERID = '$userid',
PASSWORD = '$newpass',
FIRSTNAME = '$firstname',
SURNAME = '$surname',
EMAIL = '$email',
COMMENTS = '$comments'
WHERE ID= '$id'"; 


To:

PHP Code:

$sql = "UPDATE tablename SET 
USERID = '$userid',
PASSWORD = '$newpass',
FIRSTNAME = '$firstname',
SURNAME = '$surname',
EMAIL = '$email',
COMMENTS = '$comments'
WHERE ID=$id"; 


Just an idea, whenever I remove the ''s from ID='$id' my scripts always work .. I don't know why .. just a quirky little thing (I may be totally wrong of course ..)

[kamstar]

thanks bob.
tried your suggestion and got the following error:
"Error: You have an error in your SQL syntax near '' at line..." ie the id variable needed the ''.

[Defender1]

instead of this

PHP Code:

result = mysql_query($sql); 
if (!$result) 
{  
echo("A database error occurred");
echo("<p>Show the Error<br>".
           "Error: " . mysql_error());
           exit();
} 


try this

PHP Code:

if(!mysql_query($sql)){
echo "An error has occured!";
echo mysql_error();
} else {
echo "Query successful!";
} 


[kamstar]

guys, thanks for all ur help.

i managed to find the solution..pretty silly of me really. what i should have done is add a hidden field in the submit form with the variable $id.
i've added it to the script and it works for me.

to anyone who wants to use the script, its an add on to kevins manging users...tutorial ie login.php:
after the user logs in, a form is presented which allows the user to edit and update any of their details and is then emailed confirmation. for it to work make sure all the table names/headings, db names, email addresses are correct etc...

use at ur own peril! as i havent tested it for security yet...also further improvements could include; a 2nd email field which double checks the email address, same for the password field; a log out page; other fields such as user preferences for the display of content eg myyahoo type of thing; putting the 'mypage' in a popup page so when the user closes the window it should close the session for better security? -im only guessing... i think there is a balance as to how many questions you can ask and getting the user to fill the form.

if anyone makes any improvements, please let me know..thanks.

[Bob [Nescience.org]]

Could you e-mail it to me, or post it on the web somewhere for us all to download and play with?

Thanks!

[kamstar]

i've edited the original code above and included remarks so its all there...keeps this whole msg page short!....have fun.