Jump to content

mysqli prepared update syntax error

sqlnoob

By sqlnoob
in PHP Coding Help

 Share

Recommended Posts

sqlnoob Member

sqlnoob

Posted
Posted 
<?php

//COOKIE CHECKER
if (isset($_COOKIE["person"])){

if (filter_var($_COOKIE["person"], FILTER_VALIDATE_INT)){
$user_id = $_COOKIE["person"];

//DATABASE CONNECTION VARIABLES
$myserver ="localhost";
$myname = "username";
$mypassword = "password";
$mydb ="dbname";

/*SQL CONNECTION*/
// Create connection
$conn = new mysqli($myserver, $myname, $mypassword, $mydb);

// Check connection
if ($conn->connect_error) {
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>
<H1>Decline of the Han - Three Kingdoms</H1>';
die("Connection failed: " . $conn->connect_error);
echo '</BODY>
</HTML>';
}
else {

//COUNT USER
$cquery = "SELECT COUNT(*) AS usercheck FROM Players WHERE ID = ?";
$cid = $conn->prepare($cquery);
$cid->bind_param('i', $user_id);
$cid->execute();
$cid->bind_result($usercheck);
$cid->fetch();

if ($usercheck ==1){

if (isset($_POST["profile"])){

if(!filter_var($_POST["profile"], FILTER_SANITIZE_STRING)){
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>';
echo '<P class="error">Unable to filter bio <a href="biography.php">return</a></P>';
echo '</BODY>
</HTML>';
}
else {

$profile = $_POST["profile"];

$sql = "UPDATE Player_Data SET Bio =? WHERE ID=?";
$q = $conn->prepare($sql);
$q->bind_param("si", $profile, $user_id);
$q->execute();

echo '<P>Biography altered <a href="biography.php">return</a></P>';

//close connection
$conn->close();

}

}

}
else {
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>';
echo '<P class="error">'.$usercheck.' '.$user_id.'</P>';
echo '<P class="error">No such user found!</P>';
//close connection
$conn->close();
//foot
echo '</BODY>
</HTML>';
}

//end connection check
}

}
else {
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>';
echo '<P class="error">ERROR invalid cookie!</P>';
echo '</BODY>
</HTML>';
}

}
else {
echo '<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>';
echo '<P class="error">No cookie detected!<br><a href="login.php">login</a></P>';
echo '</BODY>
</HTML>';
}

?>

I have an error in the update, but I am not seeing where I made it. Its annoying because the update won't execute and anything beyond the update isn't visible in the html source code in the browser, so it is likely to be a syntax error, but where?

Link to comment
https://forums.phpfreaks.com/topic/294283-mysqli-prepared-update-syntax-error/
Share on other sites
mac_gyver Prolific Member

mac_gyver

Posted
Posted

sorry to blast away at your code, but it contains a huge security hole, in that you are putting the user_id from the database into a cookie. this will let anyone impersonate any user and modify that user's data, simply by setting the cookie to any value they want.

 

the only place the user_id should exist at is on the server. your login system should set a session variable with the user_id. if you want a cookie, as a longer term/remember me, login, you should generate a unique and hard to guess token value, and store that in the cookie and in the user data in the database.

 

next, you have a lot of repetition in your code, making it harder for anyone to see what the program logic actually is, which i suspect may be (didn't actually copy the code to check) why part of it is not running. your html document should only be defined once, near the end, after a majority of the php program logic. all the php form processing logic and any database logic should be near the start of your file and should contain no html markup.

maxxd Prolific Member

maxxd

Posted
Posted

First and foremost, you'll want to turn on error checking at the top of your script

error_reporting(-1);
ini_set('display_errors',true);

Secondly, and I don't know if this is a forum-related thing or not, but the lack of indentation in the code makes it difficult to read and follow what's actually happening. I thought for a second you had an improperly nested if-else loop, but I missed an opening bracket earlier in the code. Also - just as a side-note - mac_gyver is absolutely correct about the issue with the repetition in the code. You're typing way too much, but that's a thing for later. Right now, turn on error reporting and see what that has to say.

CroNiX Member

CroNiX

Posted
Posted

DRY: Don't Repeat Yourself.

 

If you find yourself writing the same thing over and over (like your opening HTML), then that is a good indicator something is not structured correctly. No matter what your script does, it's going to send the same HTML starting code. So might as well write it once and not 5 times.

 

<!DOCTYPE HTML>
<HTML>
<HEAD>
<TITLE>test</TITLE>
</HEAD>
<BODY>
<?php
  //all your php code here.
?>
</BODY>
</HTML>
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.