I'm trying to update the user profile with a session. Supposedly, the user profile page will update according to the profile of the logged-in user. Here's the sample code of user_profile.php:

<?php
 session_start(); 
 ob_start();

 include("../function/dbconnect.php");
 include("header.php");
?>

<html>
<body>

<?php
if(isset($_SESSION['VALID_USER'])){

if(isset($_POST['submit']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];

    $s=mysql_query("UPDATE tbl_staffs SET username='$username', password='$password' WHERE username='".mysql_real_escape_string($_SESSION["VALID_USER"])."'");

    if ($s)
        { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_profile.php';</script>"; }
    else
        { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_profile.php';</script>"; }
}

$query1=mysql_query("SELECT * FROM tbl_staffs WHERE username='".mysql_real_escape_string($_SESSION["VALID_USER"])."'  AND user_levels = '".mysql_real_escape_string('1')."'");
$query2=mysql_fetch_array($query1); 

?>

<form  action="user_profile.php" method="POST">
<div>Your  Profile</div>
<table  border="0"  align="center"  cellpadding="2"  cellspacing="0">
<tr>
<td><div>Username:</div></td>
<td><input type="text" name="username" value="<?php  echo $query2['username'];  ?>" /></td>
</tr>
<tr>
<td><div  align="left"  id="tb-name">Password:</div></td>
<td><input type="text" name="password" value="<?php  echo $query2['password'];  ?>" /></td>
</tr>
</table>
<input type="submit" name="submit" value="Update" />
</form>

<?php
//  close  while  loop
}}
?>

<?php
//  close  connection;
mysql_close();
?>
</br>

</body>
</html>

The page returns blank. There are several other pieces of code that I'm working on for the user_profile.php page too, but the results that I get are the same... I used the code below for the admin to update a user profile.

include('function/dbconnect.php');
        if(isset($_GET['id']))
        {
            $id=$_GET['id'];
                if(isset($_POST['submit']))
                {
                    $username   = $_POST['username'];
                    $email      = $_POST['email'];
                    $password   = $_POST['password'];
                    $user_type  = $_POST['user_type'];
                    $query3     = mysql_query("UPDATE tbl_staffs
                                              SET username='$username', email='$email', password='$password' WHERE id='$id'");

                    if ($query3)
                        { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_list.php';</script>"; }
                    else
                        { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_list.php';</script>"; }
                }

    $query1=mysql_query("SELECT * FROM tbl_staffs WHERE id='$id'");
    $query2=mysql_fetch_array($query1); 



 <form method="post">
 <tr>
    <td><b>Username:</b></td><td><input type="text" name="username" style="width:255px" value="<?php echo $query2['username']; ?>" /></td>
  </tr>
  <tr>
    <td><b>Email:</b></td><td><input type="text" name="email" style="width:255px" value="<?php echo $query2['email']; ?>" /></td>
  </tr>
  <tr>
    <td><b>Password:</b></td><td><input type="text" name="password" style="width:255px" value="<?php echo $query2['password']; ?>" /></td>
  </tr>
  <tr>
    <td colspan="2" align="right">
    <br />
        <span title="Click to update the user details"><input type="submit" name="submit" value="Update" /></span>
    </td>
  </tr>
  </table>

  </form>
  <?php
    }
  ?>

Apparently, it works fine as it is. Though, when I tried to apply the code for users so that they can update their own profile, the code won't work. Where am I doing it wrong?

  • Multiple important errors here: 1. Using deprecated mysql_* libraries; 2. Open to SQL Injection attacks; 3. Many HTML issues. Please rewrite your code. Commented Dec 15, 2015 at 3:33
  • so why do you only sanitize the values in the WHERE and not what you are actually inserting? Commented Dec 15, 2015 at 3:33
  • Once your user changes their username, you never reset $_SESSION['VALID_USER'] to that new value, so when you do the SELECT it will try to find the old username value and not the new value. Commented Dec 15, 2015 at 3:36
  • You have 1 too many } at <?php // close while loop }} ?>. It should only be 1. The 2nd one will cause a fatal error, which is why your page is blank. If you turned on error reporting, or used an IDE it would have told you. Commented Dec 15, 2015 at 3:39
  • side note - </br> should be <br> or <br />, not </br>. Commented Dec 15, 2015 at 3:41

1 Answer

First check whether your session exists, and then replace ".mysql_real_escape_string($_SESSION["VALID_USER"])." in your query with a variable like

$VALID_USER=mysql_real_escape_string($_SESSION["VALID_USER"]);

if(isset($_POST['submit']))
{
    // Escape the submitted values as well, not only the value used in WHERE
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    // Closing quote added after $VALID_USER
    $s=mysql_query("UPDATE tbl_staffs SET username='$username', password='$password' WHERE username='$VALID_USER'");

    if ($s)
        { echo "<script type='text/javascript'>alert('Successful - Record Updated!'); window.location.href = 'user_profile.php';</script>"; }
    else
        { echo "<script type='text/javascript'>alert('Unsuccessful - ERROR!'); window.location.href = 'user_profile.php';</script>"; }
}

// Look the profile up with the same escaped session value
$query1=mysql_query("SELECT * FROM tbl_staffs WHERE username='$VALID_USER' AND user_levels = '".mysql_real_escape_string('1')."'");
$query2=mysql_fetch_array($query1);
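
As an added example (not part of the original answer or the asker's code), here is the same self-service update written with PDO prepared statements, covering the injection and stale-session points raised in the comments and storing a password hash instead of the plaintext. Table and column names follow the question; the function name `update_own_profile`, the in-memory SQLite database and the sample row are assumptions made for the demo.

```php
<?php
// Added example: hardened self-service profile update with PDO.
// The SQLite database and the sample row below are constructed for the demo.

function update_own_profile(PDO $pdo, array &$session, string $newUser, string $newPass): bool
{
    if (empty($session['VALID_USER'])) {
        return false;                       // not logged in: do nothing
    }
    // Bound parameters keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE tbl_staffs SET username = :new_user, password = :hash
          WHERE username = :current_user'
    );
    $stmt->execute([
        ':new_user'     => $newUser,
        ':hash'         => password_hash($newPass, PASSWORD_DEFAULT), // never store plaintext
        ':current_user' => $session['VALID_USER'],
    ]);
    if ($stmt->rowCount() !== 1) {
        return false;
    }
    // Keep the session in step with the renamed account; otherwise the
    // follow-up SELECT searches for the old username and finds nothing.
    $session['VALID_USER'] = $newUser;
    return true;
}

// --- constructed demo data ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_staffs (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, user_levels TEXT)');
$pdo->exec("INSERT INTO tbl_staffs (username, password, user_levels) VALUES ('alice', 'x', '1')");

$session = ['VALID_USER' => 'alice'];       // stands in for $_SESSION
// A username containing a quote is stored as data, not parsed as SQL.
$ok = update_own_profile($pdo, $session, "o'brien", 'S3cret!pass');

$lookup = $pdo->prepare('SELECT username, password FROM tbl_staffs WHERE username = ?');
$lookup->execute([$session['VALID_USER']]);
$user = $lookup->fetch(PDO::FETCH_ASSOC);

var_dump($ok, password_verify('S3cret!pass', $user['password']));
// Escape on output so the stored value cannot break out of the attribute.
echo '<input type="text" name="username" value="',
     htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8'), '" />', PHP_EOL;
```

The form should not echo the stored password back into a field; with hashing in place there is no plaintext to show, so an empty password input that is only applied when filled in is the usual pattern.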