0

I've tried to set up a script that, when a form submits information to the PHP file, will update the MySQL table. But I've tried to make it not update the database if the POST value is blank/null. But it's not updating the table.

<?php
$name = $_POST['name'];
$email = $_POST['email'];
$password = $_POST['password'];
$nickname = $_POST['nickname'];
$user = $_POST['user'];

$enc_pass = md5($password);

$con=mysqli_connect("","","","");
// Check connection
if (mysqli_connect_errno())
  {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
  }
if (!isset($name)){
mysqli_query($con,'UPDATE members SET name="$name"
WHERE username="$user"');
}
if(!$email == ""){
mysqli_query($con,'UPDATE members SET username="$email"
WHERE username="$user"');
}
if(!$password == ""){
mysqli_query($con,'UPDATE members SET password="$enc_pass"
WHERE username="$user"');
}
if(!$nickname == ""){
mysqli_query($con,'UPDATE members SET nickname="$nickname"
WHERE username="$user"');
}
mysqli_close($con);
?>

I've removed the MySQL credentials for safety. Can anyone help me with this?

Regards TameTimmah

4
  • You are not doing any error checking so you will never know if one of your queries fails. See e.g. Catching Mysqli Errors Commented Jan 31, 2014 at 21:19
  • Also I hope you aren't serious about using MD5 for the passwords. Commented Jan 31, 2014 at 21:21
  • You have to check if the form was submitted if(isset($_POST['submit'])){ REST OF YOUR CODE HERE }; Commented Jan 31, 2014 at 21:23
  • Food for thought: The code you're using; md5 is old and you may (eventually) get hacked. You really need to use prepared statements with this. Read this and this too Commented Jan 31, 2014 at 22:26

2 Answers

3

I think some of your logic is incorrect. For example:

if (!isset($name)) {
    mysqli_query($con,'UPDATE members SET name="$name" WHERE username="$user"');
}

That's saying "if $name isn't set to anything, update the name in the database". $name is always going to be set to something, because you're initialising it at the beginning. I think what you need is more along the lines of:

if ($name != '') {
    // Double-quoted PHP string so that $name and $user are interpolated into the query
    mysqli_query($con, "UPDATE members SET name='$name' WHERE username='$user'");
}

However, bear in mind that you aren't validating the POSTed data, so you're prone to SQL injection attacks. Always treat submitted data as untrustworthy and cleanse it before doing anything in the database, e.g.:

$name = mysqli_real_escape_string($con, $_POST['name']);

1

Your code is very wrong, but I corrected some of it. Try this:

if (isset($name) and $name != '') {
    mysqli_query($con, 'UPDATE members SET name="'.$name.'"
                        WHERE username="'.$user.'"');
}
if ($email != "") {
    mysqli_query($con, 'UPDATE members SET username="'.$email.'"
                        WHERE username="'.$user.'"');
}
if ($password != "") {
    mysqli_query($con, 'UPDATE members SET password="'.$enc_pass.'"
                        WHERE username="'.$user.'"');
}
if ($nickname != "") {
    mysqli_query($con, 'UPDATE members SET nickname="'.$nickname.'"
                        WHERE username="'.$user.'"');
}
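
The comments on the question recommend prepared statements, error checking and something stronger than MD5. The following is an added example, not part of the question or of either answer, that combines those points: it updates only the non-blank fields in a single parameterized statement. The table, column and form-field names follow the question's code; the function name `buildMemberUpdate`, the `FIELD_TO_COLUMN` map and the connection values are hypothetical placeholders.

```php
<?php
// Added example: names follow the question's code; connection values are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw

// Form field => column in `members`. Fixed allow-list, never taken from user input.
const FIELD_TO_COLUMN = [
    'name'     => 'name',
    'email'    => 'username', // the question stores the e-mail in `username`
    'password' => 'password',
    'nickname' => 'nickname',
];

// Returns [sql, params] for the non-blank fields, or null if there is nothing to do.
function buildMemberUpdate(array $post): ?array
{
    $sets = [];
    $params = [];
    foreach (FIELD_TO_COLUMN as $field => $column) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || $value === '') {
            continue; // blank or missing: leave this column untouched
        }
        if ($field === 'password') {
            $value = password_hash($value, PASSWORD_DEFAULT); // replaces md5()
        }
        $sets[] = "`$column` = ?";
        $params[] = $value;
    }
    $user = $post['user'] ?? '';
    if ($sets === [] || !is_string($user) || $user === '') {
        return null;
    }
    $params[] = $user; // bound to the WHERE clause
    return ['UPDATE members SET ' . implode(', ', $sets) . ' WHERE username = ?', $params];
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $update = buildMemberUpdate($_POST);
    if ($update !== null) {
        [$sql, $params] = $update;
        $con = mysqli_connect('HOST', 'USER', 'PASSWORD', 'DATABASE'); // placeholders
        $stmt = mysqli_prepare($con, $sql);
        // User values travel as bound parameters, never as part of the SQL text.
        mysqli_stmt_bind_param($stmt, str_repeat('s', count($params)), ...$params);
        mysqli_stmt_execute($stmt);
        mysqli_close($con);
    }
}
```

Hashes produced by `password_hash()` are checked at login with `password_verify()` and need a wider column than an MD5 hex digest. The `user` value is still read from the POST body as in the question; an application with logins would take the account to update from the authenticated session instead.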
