0

Every time I click the button, the update does not work as expected. However, if I change the where id = 1 it works.

<?php 
        $x=$_GET['id'];
        require 'db.php';
        echo 'sqsas'.$x;
        $stmt=$conn->prepare("select * from tbluser where id=:id");
        $stmt->bindValue('id',$x);          
        $stmt->execute();


        if(isset($_POST['btnEdit']))
        {   
            $stmt=$conn->prepare('update tbluser set username = :un, password = :pw,email = :em where id=:id');
            $stmt->bindValue(':id',$x);
            $stmt->bindValue(':un',$_POST['txtUsername']);
            $stmt->bindValue(':pw',$_POST['txtPassword']);
            $stmt->bindValue(':em',$_POST['txtEmail']);
            $stmt->execute();
            //header("location:view.php");
        }   
    ?>

and here is the HTML form:

<?php while($row = $stmt->fetch(PDO::FETCH_OBJ)) {?>
<form method="post" action="edit.php">
                <table>
                    <tr>
                        <td>id:</td>
                        <td><?php echo $row->id; ?></td>
                    </tr>

                    <tr>
                        <td>Email:</td>
                        <td><input type="text" name="txtEmail" value="<?php echo $row->email; ?>" /></td>
                    </tr>

                    <tr>
                        <td>Username:</td>
                        <td><input type="text" name="txtUsername"  value="<?php echo $row->username; ?>" /></td>
                    </tr>
                    <?php } ?>
                    <tr>
                        <td>Password:</td>
                        <td><input type="text" name="txtPassword"  /></td>
                    </tr>

                    <tr>
                        <td>&nbsp;</td>
                        <td><input type="submit" name="btnEdit" value="SAVE CHANGES"  /></td>
                    </tr>
                </table>
            </form>
Chris Martin
  • 30,334
  • 10
  • 78
  • 137
BlondePainter
  • 25
  • 6
  • insert and select works perfectly fine but idk why its not updating here.. i think i got the correct syntax i based on by procedural way.... i just started PDO today... – BlondePainter Apr 17 '16 at 12:52
  • Please give more information. What do you expect to happen, and what is happening? What does your HTML look like? – Aaron D Apr 17 '16 at 12:55
  • i am tring to update data echoed on the textbox using pdo but everytime i clicked edit, nothing happens. it gives me no error but it doesnt update but when i change the sql statement to 'update tbluser set username = :un, password = :pw,email = :em where id=:id' it is updating,... – BlondePainter Apr 17 '16 at 12:58
  • Please edit your question and include the HTML code with your form in it. – Aaron D Apr 17 '16 at 13:00
  • At the bottom-left of the question, just above the comments, there should be a link to "share" and "edit" the question. – Aaron D Apr 17 '16 at 13:03
  • Thanks. I think the problem is caused by not passing the ID back to the PHP script when the form is submitted. Please check my answer below, and if it works for you, accept it (or leave a comment if it didn't work). – Aaron D Apr 17 '16 at 13:29

1 Answers1

0

The reason the ID is not being passed to your PHP is because it is never declared as a form element. In your HTML, you simply echo it on the screen. I assume this is because you don't want the user to edit the ID, just the name, password and email. However, if you want that to be passed to the PHP script when the form is submitted, it has to be declared as a form element such as <input>. You can hide it to prevent the user from editing it, such as below:

<input type="hidden" name="id" value="<?php echo $row->id; ?>">

You can put this anywhere, since it will be hidden, but logically a good place to put it would be in the same <tr></tr> block that you use for displaying the ID.

Note: as Charlotte Dunois notes in the comments, this does not prevent a malicious user from changing the id to a different value using browser developer tools. Can you guess what will happen in this case? They will change the password for a different user, which is probably NOT what you want. Avoiding this huge security flaw is outside of the scope for this answer. However, one technique that can be used is to make use of cookies that hold a session ID token.

On your server side, you could have a list of active sessions in your database (or temporary file storage). This session database should have as its primary key a session_id that is securely generated (PHP has a function to do this). That database also holds information about the currently logged in user, including their ID. Then set a cookie parameter with the session_id. The user won't be able to modify it (although this might still be susceptible to things like sniffing and session hijacking - to protect against that look up information about MAC tokens).

With such a setup, you can simply remove the user ID as part of the form request and look it up based on the cookie information passed with the POST request. I recommend doing some reading about session cookies and MAC tokens if you want to make your application secure. If not, you will be hacked someday. One place to start is the PHP docs for session_id, and by reading other blogs and answers.

Community
  • 1
  • 1
Aaron D
  • 7,540
  • 3
  • 44
  • 48
  • 1
    Note: The user can still edit the input field by using the browser's developer tools. The input field is just not visible to the user, but it's certainly there and can be modified. – Charlotte Dunois Apr 17 '16 at 15:05
  • Charlotte can you telll me what is it called so i can research on it on how to prevent it thanks – BlondePainter Apr 17 '16 at 23:29
  • I updated the answer with some information about why the approach you are using is not secure and should not be used for anything you don't want hacked. – Aaron D Apr 21 '16 at 05:47
  • do you mean i just need to session the user id everytime the user log in? – BlondePainter Apr 23 '16 at 14:31
  • Remember that cookies can be edited too. So if you want to make sure that the user can't send malicious data (and change your admin user's password, for example), you shouldn't let them access it. That means sending some kind of session ID token, authenticating it with a scheme like MAC, and looking up the user ID linked with the session in some kind of storage (database or otherwise) on the server side. If you like, try and implement it and ask a new question if you have problems. You can check if it's secure over on the [Security SE](http://security.stackexchange.com). – Aaron D Apr 26 '16 at 13:40