Displaying logged in user's profile.

**ak47** · 06-22-2017, 10:07 AM

Hi. I wants to display logged in user's profile in a page. I wrote all queries for that. The problem is I am unable to fetch data from table "users" from database "videos". Please tell me where I made mistake and what I have to do to overcome those.
Her is my code:

user.php

PHP Code:


<div class="content">

     <?php

      $sql = "SELECT * FROM users WHERE username='$username'";

          $result = mysqli_query($database,$sql) or die(mysqli_error($database)); 

      $rws = mysqli_fetch_array($result);

     ?> 

     <?php include 'edit-profile-form.php' ?>

</div>

edit-profile-form.php

In this I have added form like:

PHP Code:


<form action="update-profile.php" method="POST">

<label>Username</label>

<input type="text" name="Username" class="form-control" value="<?php echo $rws['Username']; ?>">

</form>

update-profile.php

PHP Code:


<?php

    ini_set("display_errors",1);    

    session_start();

    $id=(isset($_SESSION['Id']) ? $_SESSION['Id'] : '');

    if(isset($_POST)){

        require '../_database/database.php';

        $username = $_POST['Username'];

        $email = $_POST['Email'];

        $employee = $_POST['EmployeeID'];

        $designation = $_POST['Designation'];

        $password = $_POST['Password'];

        $query = ("UPDATE users SET (Username, Email, EmployeeID, Designation, Password) VALUES ('$username', '$email', '$employee', '$designation', '$password') WHERE Id='$id'");

    if(!$query) $con->errno;

    if ( !$stmt = $con->prepare("SELECT * FROM users WHERE Id='$id'") ) 

     echo "Prepare Error: ($con->errno) $con->error";

    if ( !$stmt->bind_param("sssss", $_POST['Username'], $_POST['Email'], $_POST['EmployeeID'], $_POST['Designation'], $_POST['Password']) )

     echo "Binding Parameter Error: ($con->errno) $con->error";

    if ( !$stmt->execute() ) 

     echo "Execute Error: ($stmt->errno)  $stmt->error";

}

?>

**rubyOnPails** · 06-22-2017, 10:17 PM

Hey, I'm glad you've taken my advice to use prepared statements. However, you are them incorrectly. The whole purpose of prepared statements is to provide a template for values that will go there later, using question marks. This makes it impossible for an attacker to escape your code and delete your entire database for example. Here's how you would fix one of your select query.

Code:

$stmt = $con->prepare("SELECT * FROM users WHERE Id=?")
$stmt->bind_param("i", $id);
$stmt->execute();
$result = $stmt->get_result();
$numRows = $result->num_rows;
if($numRows > 0) {
  while($row = $result->fetch_assoc()) {
    $resultArr[] = $row;
  }
}
$stmt->close();

Hopefully this example helped you understand it better. I'd reread that article I posted in your other thread though.

**ak47** · 06-28-2017, 06:15 AM

@rubyOnPails, Thank you for the nice information. Now the data is displaying but the thing is it is not updating. I am getting below error:
"Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in C:\xampp\htdocs\VS\components\update-profile.php:15 Stack trace: #0 {main} thrown in C:\xampp\htdocs\VS\components\update-profile.php on line 15"

My code is

<?php
include '../_database/database.php';
ini_set("display_errors",1);
session_start();
$msg="";
if($_SERVER["REQUEST_METHOD"] == "POST")
{
$username = $_POST['Username'];
$email = $_POST['Email'];
$employee = $_POST['EmployeeID'];
$designation = $_POST['Designation'];
$password = $_POST['Password'];
$id = (isset($_SESSION['Id']) ? $_SESSION['Id'] : '');
$sql=$database->prepare("UPDATE users SET (Username,Email,EmployeeID,Designation,Password) VALUES (?,?,?,?,?) WHERE Id=?");
$sql->bind_param("ssiss", $username, $email, $employee, $designation, $password);
$sql->execute();
if($sql->execute()){
echo "You have successfully updated your profile ";
}
else{
print_r($sql->errorInfo());
$msg=" There is some problem in updating your profile. Please contact site admin ";
}
}
?>

Please give me a solution for this.

**rubyOnPails** · 06-28-2017, 05:04 PM

Try this:

Code:

$sql->bind_param("ssissi", $username, $email, $employee, $designation, $password, $id);

The problem was that you had 6 question marks, but only provided five values in bind_param(). You forgot to add $id.

**DyDr** · 06-28-2017, 07:25 PM

Additionally, you have missed two important points in the replies in your previous threads.

1) You need to have error handling for all the database statements. The current error is because the prepare() failed and returned a boolean false value. As has already been stated, the easiest way of adding error handling for all the database statements it to enable exceptions for the mysqli extension. My reply in your previous thread showed how to enable exceptions.

2) The sql syntax for your UPDATE query is incorrect. Also, as stated in a previous reply, you initially had the correct syntax for an update query. When you convert this to use a prepared query, all you do to the sql syntax is replace the php variables with ? place-holders and remove any single-quotes from around the values.

Something else you need to notice from your previous posts. A forum moderator/admin has been adding the forum's php bbcode tags to format the posted code. You need to do this yourself when you write the posts.

**ak47** · 06-29-2017, 04:17 AM

@rubyOnPails, Thank you so much. I did what you suggested about "mysqli extension" in "php.ini" and you posted below. Still I am facing the same problem. Anyhow once again I will go through my code and your suggestions, once I done I will let you know.

Thank You,