
Is there something wrong with the syntax of the statement? I've been messing around with inserting different variables into the code and it still won't update in phpMyAdmin. Pretty new with this language, so please bear with me.

Pretty sure the line giving me the issue is:

$pdoQuery ="UPDATE `Lab4` SET `ActiveUser`=".$Yes." WHERE UserName=".$Email."";

I just don't know what the issue is...

<?php
   //connect to the database
   session_start(); //this must be the very first line on the php page, to register this page to use session variables
   $_SESSION['timeout'] = time();

   //if this is a page that requires login always perform this session verification
   //require_once "inc/sessionVerify.php";

   require_once "dbconnect.php";
   require_once "inc/util2.php";
   require_once "mail/mail.class.php";

   include "header.php";

   // $EmailCode = $_GET["Code"];
   if (isset($_SESSION['Code'])){
       echo $_SESSION['Code'];
       echo $_SESSION['Email'];
   }
?>


<?php
   if (isset($_POST['Submit'])){

       try {
           $pdoConnect = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
       }
       catch (PDOException $exc) {
           echo $exc->getMessage();
           exit();
       }
       //$NotAnActiveUserYet = "No";
       // mysql query to insert data
       $Email = $_SESSION['Email'];
       $Yes = "Yes";

       $pdoQuery ="UPDATE `Lab4` SET `ActiveUser`=".$Yes." WHERE UserName=".$Email."";
       $pdoResult = $pdoConnect->prepare($pdoQuery);
       $pdoResult->execute();
       if ($pdoResult) {
           echo 'Data Inserted';
       } else {
           echo 'Data Not Inserted';
       }
   }
?>
  • WARNING: When using PDO you should be using prepared statements with placeholder values and supply any user data as separate arguments. In this code you have potentially severe SQL injection bugs. Never use string interpolation or concatenation and instead use prepared statements and never put $_POST, $_GET or any user data directly in your query. Refer to PHP The Right Way for general guidance and advice. Commented Oct 21, 2017 at 18:33
  • Short answer: You've completely failed to escape things properly. Use placeholder values and your problem's solved. Commented Oct 21, 2017 at 18:33

1 Answer

Try something along these lines:

$params = array(
    'ActiveUser' => $Yes,
    'UserName' => $Email,
);

$pdoQuery ='UPDATE `Lab4` SET `ActiveUser`=:ActiveUser WHERE `UserName`=:UserName';
$pdoResult = $pdoConnect->prepare($pdoQuery);
$pdoResult->execute($params);

And as tadman said,... NEVER trust anything from a browser. (includes $_REQUEST, $_GET, $_POST, $_COOKIE, etc.)
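Added example, not code from the question or the answer: the same UPDATE written with named placeholders as the answer suggests, plus the error handling that makes a failed query visible. It assumes `$servername`, `$dbname`, `$username` and `$password` come from the question's dbconnect.php, and that the table and column names are the ones the question uses; note that the original `if ($pdoResult)` tests the statement object returned by `prepare()`, which is always truthy, not whether the update succeeded.

```php
<?php
// Added example (not from the question or answer). Assumed: the connection
// variables are defined in dbconnect.php as in the question, and the table
// `Lab4` has columns `ActiveUser` and `UserName`.
session_start();
require_once "dbconnect.php";

function activateUser(PDO $pdo, string $email): bool
{
    // Placeholders keep data out of the SQL text; the driver sends the values
    // separately, so a value such as  x' OR '1'='1  is matched literally.
    $sql = 'UPDATE `Lab4` SET `ActiveUser` = :active WHERE `UserName` = :email';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':active' => 'Yes',
        ':email'  => $email,
    ]);
    // execute() returning true only means the statement ran without error;
    // rowCount() tells whether a row actually matched the WHERE clause.
    return $stmt->rowCount() === 1;
}

if (isset($_POST['Submit']) && isset($_SESSION['Email'])) {
    try {
        $pdo = new PDO(
            "mysql:host=$servername;dbname=$dbname;charset=utf8mb4",
            $username,
            $password,
            [
                // Throw on any error instead of the default silent mode, in
                // which a malformed query like the question's fails quietly.
                PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
                // Real server-side prepares rather than client-side emulation.
                PDO::ATTR_EMULATE_PREPARES => false,
                // Count matched rows, not only changed ones, so re-activating
                // an already active user is not reported as "no user".
                PDO::MYSQL_ATTR_FOUND_ROWS => true,
            ]
        );
        echo activateUser($pdo, (string) $_SESSION['Email'])
            ? 'User activated'
            : 'No matching user';
    } catch (PDOException $exc) {
        // Keep driver messages in the server log, not in the HTTP response.
        error_log($exc->getMessage());
        echo 'Database error';
    }
}
```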
