update user details sql query not working

[edgarasm]

Hi again ,

 

Im trying to create  form which allows the users to edit their data , I've created the form ,added the sql i think is right but its not working and giving me sql erro that the data can't be inserted . this is my code for the form details.php :

<?php include '../header.php'; 
	  include '../config2.php';
	
	session_start();
	
	$id = $_POST['ID'];
	
	
?>
	<script type="text/javascript" src="js/jquery.js"></script>
	<script type="text/javascript" src="js/parsley.js"></script>
	
	<script>
		$(document).ready(function() { 

    // submit data on click and check if valid 
    $('#sendData').click(function(e) { 
        //check if valid with parsley
        var valid = $('#detailform').parsley ( 'validate' );
        if ( valid === false )
        {
            e.preventDefault();
        }
        else 
        {
            $.post("updateprocess.php", $("#detailform").serialize());       
        }
    });
}); 
		</script>
	<div id="title">
		<div class="inner">
			
			<h1>Changing Your Account Details</h1>
		</div>
	</div>	
	  
	<div id="content" class="right-sidebar">
	    
		<div class="container inner">
		<div id="main" role="main">
		<div class="container">

				<h3>Please Choose Which information Your would like to change</h3>
				
				<form data-validate="parsley" method="POST" action="updateprocess.php" id="detailform" >
					<label>Email Address</label>
					<input type="text" name="login_email" data-required="true" value="<?php echo $account['login_email']; ?>"/>
					<label>Change a password</label>
					<input type="password" name="login_password" data-notblank="true"/>
					<label>Re-enter new password</label>
					<input type="password" name="confirm" data-notblank="true"/>
					<label>First Name</label>
					<input type="text" name="first_name" data-required="true"   value="<?php echo $account['first_name']; ?>" disabled="disabled" />
					<label>Last Name</label>
					<input type="text" name="last_name" data-notblank="true" />
					<label>Address line 1</label>
					<input type="text" name="address_one" data-required="true" value="<?php echo $account['address_one']; ?>"/>
					<label>Address line 2</label>
					<input type="text" name="address_two" data-required="true" value="<?php echo $account['address_two']; ?>"/>
					<label>Town/City</label>
					<input type="text" name="town_city" data-required="true" value="<?php echo $account['town_city']; ?>" />
					<label>County</label>
					<input type="text" name="county_option" data-required="true" value="<?php echo $account['county_option']; ?>"/>
					<label>Postcode</label>
					<input type="text" name="post_code" data-required="true" value="<?php echo $account['post_code']; ?>"/>
					<label>Phone number</label>
					<input type="text" name="phone_number" data-required="true" value="<?php echo $account['phone_number']; ?>"/> 
					<p></p>
					<p></p>
					<p></p>
					<p></p>
					<p></p>
					
					
					<input type="checkbox" class="checkbox" id="agree" name="agree" /> I Agree With Terms & Conditions</p>
					
					<td> <input type="submit" name="submit" class="button" value= "Save"/></td>
				</form>
				</div>
				<div class="space"></div>
			</div>
			<ul class="sidebar" role="complementary">
				<li>
					<h2>Navigation</h2>
					<ul class="link-list">
<li><a href="/account/dashboard.php">Dashboard</a></li>
<li><a href="/account/transfer.php">Transfer Money</a></li>
<li><a href="/account/transactions.php">Transactions</a></li>
<li><a href="/account/withdrawal.php">Withdraw Funds</a></li>
<li><a href="/account/upload.php">Upload Funds</a></li>
<li><a href="/account/details.php">Change My details</a></li>
					</ul>
				</li>
			</ul>
		</div>
	</div>
<?php include '../footer.php'; ?>

this is the update.php script

<?php

include "config2.php";

$id = $_POST['ID'];

$sql="SELECT * FROM users WHERE id='$id'";
$result=mysql_query($sql);

$id = $_POST['ID'];

$rows=mysql_fetch_array($result);

$email = $_POST['login_email'];
$pass =  md5($_POST['login_password']);
$confirm = md5($_POST['confirm']);
$fname = $_POST['first_name'];
$lname = $_POST['last_name'];
$addressone = $_POST['address_one'];
$addresstwo = $_POST['address_two'];
$towncity = $_POST['town_city'];
$countyoption = $_POST['county_option'];
$postcode = $_POST['post_code'];
$phone = $_POST['phone_number'];
$update = 'UPDATE users SET( login_email, login_password, confirm, first_name, last_name, address_one, address_two, town_city, county_option, post_code, phone_number) VALUES("'.$email.'","'.$pass.'","'.$confirm.'","'.$fname.'","'.$lname.'","'.$addressone.'","'.$addresstwo.'","'.$towncity.'","'.$countyoption.'","'.$postcode.'","'.$phone.'")WHERE id="'.$id.'""';
//$insert = 'UPDATE users SET login_email="'.$email.'", login_password="'.$pass.'", confirm="'.$confirm.'", first_name="'.$fname.'", last_name="'.$lname.'", address_one="'.$addressone.'", address_two="'.$addresstwo.'", town_city="'.$towncity.'", county_option="'.$countyoption.'", post_code="'.$postcode.'", phone_number="'.$phone.'" WHERE id="'.$id.'""'; 
mysql_query($update) or die("Failed Updating Your Data,check SQL");

   header( 'Location: ../account/success.php' ) ;

?>

[dalecosp]

 

 

giving me sql erro that the data can't be inserted

Show this error would probably be helpful ;)

Here's an idea:

 

mysql_query($update) or die("Failed Updating Your Data. The SQL was: $update");

Then you can read the SQL and see what's wrong (it's usually a quoting problem or data in the wrong format, etc., but we can't know that without the text of the error message, as I noted above).

 

[edgarasm]

Heres the error :/

 

Failed Updating Your Data. The SQL was: UPDATE users SET( login_email, login_password, confirm, first_name, last_name, address_one, address_two, town_city, county_option, post_code, phone_number) VALUES("edgarasm@rocketmail.com","b5154b11aa74cf0bf13f957860d614b6","b5154b11aa74cf0bf13f957860d614b6","","Malov","Flat 2 35 Talbot Avenue","Charminster","Bournemouth","Dorset","BH3 7HS","447795192986")WHERE id="""

[dalecosp]

The ID field is empty, (or does it have a double quote all alone in it?) and that's an error.

[Psycho]

Just a side comment. It will help you greatly if you write the code that creates the query in a readable format. The way you have it now makes it extremely difficult to 1) see the whole query and 2) confirm that the all the quote marks are correct since it keeps going in and out of the quoted text. Here is how I would write that in my code:

 

 

$update = "UPDATE users SET
               (login_email, login_password, confirm, first_name, last_name, address_one,
                address_two, town_city, county_option, post_code, phone_number)
           VALUES
               ('{$email}', '{$pass}', '{$confirm}', '{$fname}', '{$lname}', '{$addressone}',
                '{$addresstwo}', '{$towncity}', '{$countyoption}', '{$postcode}', '{$phone}')
           WHERE id = '{$id}'";

[edgarasm]

 

Just a side comment. It will help you greatly if you write the code that creates the query in a readable format. The way you have it now makes it extremely difficult to 1) see the whole query and 2) confirm that the all the quote marks are correct since it keeps going in and out of the quoted text. Here is how I would write that in my code:

$update = "UPDATE users SET
               (login_email, login_password, confirm, first_name, last_name, address_one,
                address_two, town_city, county_option, post_code, phone_number)
           VALUES
               ('{$email}', '{$pass}', '{$confirm}', '{$fname}', '{$lname}', '{$addressone}',
                '{$addresstwo}', '{$towncity}', '{$countyoption}', '{$postcode}', '{$phone}')
           WHERE id = '{$id}'";

This fixed the error but the database doesn't update ?

 

Any ideas?

 

Thanks for the clear up by the way 

[Barand]

Wrong syntax for update query. Should be

UPDATE table
SET
   Col1 = 'val1'
,  Col2= 'val2'
,  etc
WHERE ...

[Psycho]

 

Wrong syntax for update query. Should be

UPDATE table
SET
   Col1 = 'val1'
,  Col2= 'val2'
,  etc
WHERE ...

LOL, I didn't even read the query. Shame on me.

[edgarasm]

 

 

UPDATE table

SET

  

Col1 = 'val1'

,  Col2= 'val2'

,  etc

WHERE ...

LOL, I didn't even read the query. Shame on me.

I have updated the query the format you provided me with and it still doesn't update ,starting to worder if the values are getting passed through Post or maybe the ID block doesn't know which id to update :/

Edited November 20, 2013 by edgarasm

[mac_gyver]

the replies in this thread have already shown that there is no id value in the query statement.

 

your form doesn't have an id field, but even more important, if you were passing the id through the form it would allow anyone to modify the user information for anyone else since you are not checking if the id being edited/submitted is the same as the currently logged in user.

 

you must enforce security on the server in your php code. the only person who should be able to modify their own user information is the user who it belongs to (and perhaps moderators/administrators on your site.)

[edgarasm]

Yes thats the idea for the user be able to edit their data in case it changes . 

 

How could i possibly reinforce and pass the id through the form ?

 

Is there any way ?

[dalecosp]

Yes thats the idea for the user be able to edit their data in case it changes . 

 

How could i possibly reinforce and pass the id through the form ?

 

Is there any way ?

The canonical way is:

<input type='hidden' name='id' value='<?php echo $id; ?>' />

This has one potential problem; the user's ID number is then viewable in the browser's HTML source.

 

Since you've already called session_start() in the script, I'd stick the ID in the $_SESSION array and then use that value when I process the query in update.php.

Edited November 20, 2013 by dalecosp