Updating user profile

[Boxerman]

Hi guys,

 

Im making my own admin panel and i want to pull down the users profile so i can edit it i am using this to display what is currently in the database:

 

$id=$_GET['id'];
$sql="SELECT * FROM $tbl_name WHERE id='$id'";
$result=mysql_query($sql);

$rows=mysql_fetch_array($result);
?>
<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr>
<form action="updateuser.php" method="post">
<input type="hidden" name="ud_id" value="<? echo $rows['email']; ?>">
 <p>First Name: <input type="text" name="firstname" value="<? echo $rows['username']; ?>"><br>
Last Name: <input type="text" name="lastname" value="<? echo $rows['lastname']; ?>"><br>
Username: <input type="text" name="username" value="<? echo $rows['username']; ?>"><br>
Age: <input type="text" name="age" value="<? echo $rows['age']; ?>"><br>
User Level: <input type="text" name="user_level" value="<? echo $rows['user_level']; ?>"><br>
E-mail Address: <input type="text" name="email" value="<? echo $rows['email']; ?>"><br>
Bio: <textarea rows="2" name="bio" cols="21"><? echo $rows['bio']; ?></textarea><br>
<br><input type="Submit" value="Update">
</p>
</form>

 

That part works, my problem is, why i click submit, it says it has been successful but the database has not been updated? can someone help

 

Code:

 

<?php
$host="";
$user_name="";
$password=""; 
$db_name=""; 
$tbl_name=""; 
mysql_connect("$host", "$user_name", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$sql="UPDATE $tbl_name SET firstname='$firstname', lastname='$lastname', username='$username', age='$age', user_level='$user_level', email='$email', bio='$bio' WHERE id='$id'";
$result=mysql_query($sql);

if($result){
echo "Successful";
echo "<BR>";
echo "<a href='listusers.php'>Back to members list</a>";
}

else {
echo "ERROR Updating User";
}

?>

 

Its not updating the databse can someone lead me the right way please.

 

Thanks!

J

[TeNDoLLA]

Try

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];
$username = $_POST['username'];
$age = $_POST['age'];
$user_level = $_POST['user_level'];
$email = $_POST['email'];
$bio = $_POST['bio'];
$id = $someId // Dunno where from you gettin this?

$sql="UPDATE $tbl_name SET firstname='$firstname', lastname='$lastname', username='$username', age='$age', user_level='$user_level', email='$email', bio='$bio' WHERE id='$id'";
$result=mysql_query($sql);

 

Also you should sanitize the user input before putting in to database.

[Boxerman]

That also does not seem to work, it outputs it is successful but has not updated database.

 

Im very confused now.

[TeNDoLLA]

Try running your query so u will get the message in case of error, does it give any?

$result=mysql_query($sql) or die(mysql_error());

 

Does it give some error? You could also echo your $sql variable and see if it is correctly formed query.

[hoogie]

It looks like the problem is that you have this line in your query:

 

WHERE id = $id

 

But the variable $id is not set anywhere in the update page.  This means that your query is trying to update all rows that have an empty id field, and since you probably don't have any rows with an empty id field, it's not updating anything.

 

You need to pass the id to the update form using a hidden field, or some other method.

[PFMaBiSmAd]

^^^ In addition to passing $id somehow, you need to validate that the current visitor is an admin and has sufficient permissions to modify the data for the member with that id value. You also need to validate and escape all the data being put into the query statement.

[Boxerman]

Thanks Tendolla,

 

It wasnt finding the ID on where to post the updated data.

 

Echo'ing the $sql works, and i can walk away leaving something new.

 

Thanks!