
Thread: Displaying logged in user's profile.

  1. #1
    Join Date
    Jun 2017
    Location
    Bengaluru, Karnataka, India
    Posts
    15
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Post Displaying logged in user's profile.

    Hi. I want to display the logged in user's profile on a page. I wrote all the queries for that. The problem is I am unable to fetch data from table "users" in database "videos". Please tell me where I made a mistake and what I have to do to overcome it.
    Here is my code:

    user.php

    PHP Code:
    <div class="content">
         <?php
          $sql = "SELECT * FROM users WHERE username='$username'";
          $result = mysqli_query($database,$sql) or die(mysqli_error($database));
          $rws = mysqli_fetch_array($result);
         ?>
         <?php include 'edit-profile-form.php' ?>
    </div>
    edit-profile-form.php

    In this I have added form like:
    PHP Code:
    <form action="update-profile.php" method="POST">
    <label>Username</label>
    <input type="text" name="Username" class="form-control" value="<?php echo $rws['Username']; ?>">
    </form>
    update-profile.php

    PHP Code:
    <?php
        ini_set("display_errors",1);
        session_start();
        $id=(isset($_SESSION['Id']) ? $_SESSION['Id'] : '');
        if(isset($_POST)){
            require '../_database/database.php';
            $username = $_POST['Username'];
            $email = $_POST['Email'];
            $employee = $_POST['EmployeeID'];
            $designation = $_POST['Designation'];
            $password = $_POST['Password'];
            $query = ("UPDATE users SET (Username, Email, EmployeeID, Designation, Password) VALUES ('$username', '$email', '$employee', '$designation', '$password') WHERE Id='$id'");
        if(!$query) $con->errno;
        if ( !$stmt = $con->prepare("SELECT * FROM users WHERE Id='$id'") )
         echo "Prepare Error: ($con->errno) $con->error";
        if ( !$stmt->bind_param("sssss", $_POST['Username'], $_POST['Email'], $_POST['EmployeeID'], $_POST['Designation'], $_POST['Password']) )
         echo "Binding Parameter Error: ($con->errno) $con->error";
        if ( !$stmt->execute() )
         echo "Execute Error: ($stmt->errno) $stmt->error";
    }
    ?>
    Last edited by keyboard; 06-23-2017 at 09:13 AM. Reason: Format: PHP Tags

  2. #2
    Join Date
    Oct 2016
    Posts
    9
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Hey, I'm glad you've taken my advice to use prepared statements. However, you are using them incorrectly. The whole purpose of prepared statements is to provide a template for values that will go there later, using question marks. This makes it impossible for an attacker to escape your code and delete your entire database, for example. Here's how you would fix one of your select queries.

    Code:
    $stmt = $con->prepare("SELECT * FROM users WHERE Id=?");
    $stmt->bind_param("i", $id);   // one "?" in the SQL, one bound variable; "i" = integer
    $stmt->execute();
    $result = $stmt->get_result();
    $numRows = $result->num_rows;
    $resultArr = [];
    if($numRows > 0) {
      while($row = $result->fetch_assoc()) {
        $resultArr[] = $row;
      }
    }
    $stmt->close();
    Hopefully this example helped you understand it better. I'd reread that article I posted in your other thread though.

  3. #3
    Join Date
    Jun 2017
    Location
    Bengaluru, Karnataka, India
    Posts
    15
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Default

    @rubyOnPails, Thank you for the nice information. Now the data is displayed, but it is not updating. I am getting the error below:
    "Fatal error: Uncaught Error: Call to a member function bind_param() on boolean in C:\xampp\htdocs\VS\components\update-profile.php:15 Stack trace: #0 {main} thrown in C:\xampp\htdocs\VS\components\update-profile.php on line 15"

    My code is

    <?php
    include '../_database/database.php';
    ini_set("display_errors",1);
    session_start();
    $msg="";
    if($_SERVER["REQUEST_METHOD"] == "POST")
    {
        $username = $_POST['Username'];
        $email = $_POST['Email'];
        $employee = $_POST['EmployeeID'];
        $designation = $_POST['Designation'];
        $password = $_POST['Password'];
        $id = (isset($_SESSION['Id']) ? $_SESSION['Id'] : '');
        $sql=$database->prepare("UPDATE users SET (Username,Email,EmployeeID,Designation,Password) VALUES (?,?,?,?,?) WHERE Id=?");
        $sql->bind_param("ssiss", $username, $email, $employee, $designation, $password);
        // execute() once, inside the if; calling it twice would run the update twice
        if($sql->execute()){
            echo "<font face='Verdana' size='2' color=green>You have successfully updated your profile<br></font>";
        }
        else{
            echo $sql->error; // mysqli_stmt exposes ->error; errorInfo() is PDO, not mysqli
            $msg=" <font face='Verdana' size='2' color=red>There is some problem in updating your profile. Please contact site admin<br></font>";
        }
    }
    ?>


    Please give me a solution for this.

  4. #4
    Join Date
    Oct 2016
    Posts
    9
    Thanks
    0
    Thanked 2 Times in 2 Posts

    Default

    Try this:
    Code:
    $sql->bind_param("ssissi", $username, $email, $employee, $designation, $password, $id);
    The problem was that you had 6 question marks, but only provided five values in bind_param(). You forgot to add $id.

  5. The Following User Says Thank You to rubyOnPails For This Useful Post:

    ak47 (06-29-2017)

  6. #5
    Join Date
    Jan 2015
    Posts
    78
    Thanks
    0
    Thanked 19 Times in 19 Posts

    Default

    Additionally, you have missed two important points in the replies in your previous threads.

    1) You need to have error handling for all the database statements. The current error is because the prepare() failed and returned a boolean false value. As has already been stated, the easiest way of adding error handling for all the database statements is to enable exceptions for the mysqli extension. My reply in your previous thread showed how to enable exceptions.

    2) The SQL syntax for your UPDATE query is incorrect. Also, as stated in a previous reply, you initially had the correct syntax for an update query. When you convert this to use a prepared query, all you do to the SQL syntax is replace the PHP variables with ? placeholders and remove any single quotes from around the values.

    Something else you need to notice from your previous posts. A forum moderator/admin has been adding the forum's PHP bbcode tags to format the posted code. You need to do this yourself when you write the posts.

  7. The Following User Says Thank You to DyDr For This Useful Post:

    ak47 (06-29-2017)
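Putting the advice from posts #2, #4 and #5 together, here is an added example (not code from the thread or its posters) of update-profile.php with mysqli exceptions enabled, the correct UPDATE syntax, one bound variable per placeholder, and the user.php lookup done with a placeholder instead of an interpolated $username. It assumes $database is the mysqli connection created by '../_database/database.php' and that users.Id is an integer primary key; column names are the ones used in the thread.

```php
<?php
// Added example, not code from the thread. Assumes $database is the mysqli
// connection made by '../_database/database.php' (as in the posts) and that
// users.Id is an integer primary key; column names are taken from the thread.

// Every mysqli failure now throws, so a failed prepare() can never hand a
// boolean false to bind_param() as in the fatal error quoted above.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Replaces user.php's interpolated "WHERE username='$username'": the value is
// bound to a placeholder and never becomes part of the SQL text.
function load_profile(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT Username, Email, EmployeeID, Designation FROM users WHERE Id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null;
}

// UPDATE syntax is "SET col = ?, ..." (not INSERT's "(cols) VALUES (...)"),
// with one bound variable per placeholder: six placeholders, six variables.
function update_profile(mysqli $db, int $id, array $post): int
{
    $username    = (string) ($post['Username'] ?? '');
    $email       = (string) ($post['Email'] ?? '');
    $employee    = (int) ($post['EmployeeID'] ?? 0);
    $designation = (string) ($post['Designation'] ?? '');
    $password    = (string) ($post['Password'] ?? ''); // stored as submitted, as in the thread
    $stmt = $db->prepare('UPDATE users SET Username = ?, Email = ?, EmployeeID = ?, '
                       . 'Designation = ?, Password = ? WHERE Id = ?');
    $stmt->bind_param('ssissi', $username, $email, $employee, $designation, $password, $id);
    $stmt->execute();
    return $stmt->affected_rows; // 0 means the row exists but nothing differed
}

// update-profile.php entry point: only the logged-in user's own row is touched.
session_start();
require '../_database/database.php';
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_SESSION['Id'])) {
    http_response_code(403);
    exit('Log in and submit the form first.');
}
try {
    $n = update_profile($database, (int) $_SESSION['Id'], $_POST);
    echo "You have successfully updated your profile ($n row changed).";
} catch (mysqli_sql_exception $e) {
    error_log('update-profile failed: ' . $e->getMessage()); // detail stays server-side
    echo 'There is some problem in updating your profile. Please contact the site admin.';
}
```

With MYSQLI_REPORT_STRICT on, a wrong column name, a bad type string or a placeholder count mismatch surfaces as a mysqli_sql_exception at the failing call instead of a later "on boolean" fatal error.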

  8. #6
    Join Date
    Jun 2017
    Location
    Bengaluru, Karnataka, India
    Posts
    15
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Default

    @rubyOnPails, Thank you so much. I did what you suggested about the "mysqli extension" in "php.ini" and what you posted below. Still I am facing the same problem. Anyhow, once again I will go through my code and your suggestions; once I am done I will let you know.

    Thank You,
