
PDO Update


sgt_disco


Hello, I have spent a few days working on this... I have based my project off of this code:

http://www.codingcage.com/2015/04/php-login-and-registration-script-with.html

However, I cannot find a way to let the user UPDATE their info on their profile page.

I have tried adding this to the class.user.php file...

public function update($umail,$first_name,$last_name,$address,$city,$state,$zip,$phone)
{
    try
    {
        // Note: there is no WHERE clause here, so as written this statement
        // would change every row in the table, not just the logged-in user's.
        $stmt = $this->conn->prepare("UPDATE users SET
                    user_email = :user_email,
                    first_name = :first_name,
                    last_name = :last_name,
                    address = :address,
                    city = :city,
                    state = :state,
                    zip = :zip,
                    phone = :phone");
        // The bound names must match the placeholders in the SQL exactly
        // (":user_email" here, not ":umail").
        $stmt->bindParam(":user_email", $umail);
        $stmt->bindParam(":first_name", $first_name);
        $stmt->bindParam(":last_name", $last_name);
        $stmt->bindParam(":address", $address);
        $stmt->bindParam(":city", $city);
        $stmt->bindParam(":state", $state);
        $stmt->bindParam(":zip", $zip);
        $stmt->bindParam(":phone", $phone);
        $stmt->execute();   // run the statement once

        return $stmt;
    }
    catch(PDOException $e)
    {
        echo $e->getMessage();
    }
}


then on the profile page I am...

<?php
require_once("session.php");
require_once("class.user.php");
$auth_user = new USER();
$user_id = $_SESSION['user_session'];
$stmt = $auth_user->runQuery("SELECT * FROM users WHERE user_id=:user_id");
$stmt->execute(array(":user_id"=>$user_id));
$userRow=$stmt->fetch(PDO::FETCH_ASSOC);

// (I am a bit confused as to how to call in that public function)
?>

Assuming my addition to class.user.php is correct, how can I call in the function to allow any changes on <input> to update to the user's row on the database?

Edited by sgt_disco

There are a few problems with that tutorial. The code (including your post) has been littered with try/catch blocks and exposing internal system errors to the user. PDO exceptions should be allowed to bubble up the stack. PHP handles it quite well. You can use set_exception_handler if you want to do something custom. Outputting internal system errors is only good for hackers. Also, the script depends on the name of a button to be submitted in order to work. That will completely fail in certain cases. You need to check the REQUEST_METHOD.

The code has also built in a race condition on the registration by checking if a username is available first. The insert should just be attempted and then capture the duplicate error if any. This is the one place where it would be OK to use a try/catch block. It also exposes specific username/email error messages that are a security risk.

The script keeps running after redirects. There needs to be a die or exit right after the redirects.

There are probably more issues as well. On the plus side, it uses PDO.

Edited by benanamen
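One way to wire the update call up so that it addresses the question and the points above (a WHERE clause on the user's own row, acting on the request method rather than a button name, and an exit after the redirect). This is an added example, not the tutorial's or sgt_disco's code. It assumes the `users` columns named in the thread with `user_id` as the primary key, a PDO handle created with `PDO::ERRMODE_EXCEPTION` and passed into the constructor (the tutorial's class opens its own connection), PHP 7 or later for `??`, and placeholder DSN and credentials.

```php
<?php
// Added example (not the tutorial's or the poster's code). Assumes the `users`
// columns named in the thread, that user_id is the primary key, and a PDO
// handle created with PDO::ERRMODE_EXCEPTION. The DSN and credentials below
// are placeholders.

class USER
{
    private $conn;

    // The tutorial's class opens its own connection; taking the PDO handle as
    // a parameter keeps this example self-contained.
    public function __construct(PDO $conn)
    {
        $this->conn = $conn;
    }

    // Update one user's profile. The WHERE clause limits the statement to the
    // row identified by $user_id; without it every row in the table changes.
    public function update($user_id, $umail, $first_name, $last_name,
                           $address, $city, $state, $zip, $phone)
    {
        $stmt = $this->conn->prepare("UPDATE users SET
                    user_email = :umail,
                    first_name = :first_name,
                    last_name  = :last_name,
                    address    = :address,
                    city       = :city,
                    state      = :state,
                    zip        = :zip,
                    phone      = :phone
                WHERE user_id = :user_id");

        // No try/catch: with ERRMODE_EXCEPTION a failure throws, and PHP's
        // error_reporting / display_errors / log_errors settings decide
        // whether it is shown (development) or logged (production).
        $stmt->execute([
            ':umail'      => $umail,
            ':first_name' => $first_name,
            ':last_name'  => $last_name,
            ':address'    => $address,
            ':city'       => $city,
            ':state'      => $state,
            ':zip'        => $zip,
            ':phone'      => $phone,
            ':user_id'    => $user_id,
        ]);

        return $stmt->rowCount();   // 0 when the submitted values were unchanged
    }
}

// --- profile.php -----------------------------------------------------------
session_start();
if (empty($_SESSION['user_session'])) {
    header('Location: index.php');
    exit;
}
$user_id = $_SESSION['user_session'];   // set by the login code, never by the form

$pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$auth_user = new USER($pdo);

// Act on the request method, not on the presence of a submit button's name.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $auth_user->update(
        $user_id,
        trim($_POST['umail'] ?? ''),
        trim($_POST['first_name'] ?? ''),
        trim($_POST['last_name'] ?? ''),
        trim($_POST['address'] ?? ''),
        trim($_POST['city'] ?? ''),
        trim($_POST['state'] ?? ''),
        trim($_POST['zip'] ?? ''),
        trim($_POST['phone'] ?? '')
    );
    header('Location: profile.php');   // redirect after POST
    exit;                              // nothing below must run after a redirect
}

// GET: load the current values to pre-fill the form.
$stmt = $pdo->prepare("SELECT * FROM users WHERE user_id = :user_id");
$stmt->execute([':user_id' => $user_id]);
$userRow = $stmt->fetch(PDO::FETCH_ASSOC);
```

The form's input names are assumed to match the `$_POST` keys used above. The row to update is taken from the session rather than from a hidden form field, so a logged-in user can only ever change their own row. Input validation (e-mail format, field lengths) is left out to keep the example focused on the call itself.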

I do plan to fix the try/catch blocks as you have stated before I put it into production. But it has been providing me useful info in the meantime during testing.

my button: name="btn-update"

so at my attempt to call in that public function I created

if(isset($_POST['btn-update']))
{
    // (THIS IS WHERE I AM STUCK)
}


Edited by sgt_disco

Thank you guys,

Barand: Thanks for those pointers, would not want to update every row.

benanamen: I have a feeling that the amount of time I have spent reverse engineering this source code might have been better spent setting it up myself properly, as I learned a lot through working with this code, but obviously some things are still slipping past me.

I have used that site for reference while working on this, but I guess because I didn't build everything myself, it's hard for me to really work within code that I'm not already 100% sure of proper implementation.

Edited by sgt_disco

1 hour ago, sgt_disco said:

I do plan to fix the try/catch blocks as you have stated before I put it into production. But it has been providing me useful info in the meantime during testing.

There's no need to be editing your code when you switch the environment it runs in. If you remove the try/catch logic you have now, and let PHP catch the exception, it will use its error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. When learning, developing, and debugging you would display all errors. When on a live/public server, you would log all errors.

the only time your code should catch and handle a database exception is if your code needs to detect and handle the insertion/update of duplicate data, which is a recoverable application error, not a fatal database error.

Edited by mac_gyver
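The one legitimate catch that mac_gyver describes, and the insert-then-detect-duplicate approach benanamen recommends instead of the check-first race, together in an added example that is not the tutorial's or the poster's code. It assumes MySQL, a UNIQUE index on `users.user_name` and `users.user_email`, a PDO handle created with `PDO::ERRMODE_EXCEPTION`, and placeholder DSN and credentials; the column and field names are taken from the tutorial's registration form as named in this thread.

```php
<?php
// Added example, not the tutorial's or the poster's code. Shows the one place
// where catching a PDOException is appropriate: detecting a duplicate
// username or e-mail on INSERT instead of checking first (a check-then-insert
// races against a concurrent registration). Assumes MySQL, a UNIQUE index on
// users.user_name and users.user_email, and a PDO handle created with
// PDO::ERRMODE_EXCEPTION; the DSN and credentials are placeholders.

// Error handling belongs in the environment's configuration, not in each
// script. Typical settings, shown here as comments:
//   development: error_reporting=E_ALL, display_errors=On
//   production : error_reporting=E_ALL, display_errors=Off, log_errors=On

function registerUser(PDO $conn, $uname, $umail, $password)
{
    $stmt = $conn->prepare("INSERT INTO users (user_name, user_email, user_pass)
                            VALUES (:uname, :umail, :upass)");
    try {
        $stmt->execute([
            ':uname' => $uname,
            ':umail' => $umail,
            ':upass' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        // SQLSTATE 23000 is an integrity-constraint violation; MySQL driver
        // code 1062 narrows it to "duplicate entry". That is a recoverable
        // application condition, so report it to the caller...
        if ((string) $e->getCode() === '23000'
            && isset($e->errorInfo[1]) && (int) $e->errorInfo[1] === 1062) {
            return false;
        }
        throw $e;   // ...and let every other failure bubble up to PHP.
    }
    return true;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $ok = registerUser(
        $pdo,
        trim($_POST['uname'] ?? ''),
        trim($_POST['umail'] ?? ''),
        $_POST['upass'] ?? ''
    );
    if ($ok) {
        header('Location: index.php');
        exit;   // stop the script after the redirect
    }
    // One generic message: saying which of username / e-mail is taken tells a
    // visitor which accounts exist.
    $error = 'That username or e-mail address is already in use.';
}
```

Because the UNIQUE index is what enforces uniqueness, two registrations racing for the same name cannot both succeed, which a SELECT-before-INSERT check cannot guarantee. Everything other than the duplicate case is rethrown, so a real database failure is reported or logged according to the PHP settings rather than echoed to the browser.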

1 hour ago, sgt_disco said:

benanamen: I have a feeling that the amount of time I have spent reverse engineering this source code might have been better spent setting it up myself properly, as I learned a lot through working with this code, but obviously some things are still slipping past me.

I have used that site for reference while working on this, but I guess because I didn't build everything myself, it's hard for me to really work within code that I'm not already 100% sure of proper implementation.

As far as picking a tutorial, it is one of the "better" ones, mainly because it uses PDO. Nevertheless, you still need to learn what the code is actually doing to know if there are any potential issues. The tutorial I linked to will give you a good understanding of using PDO. The rest will come with experience along with our feedback.

I think it's safe to say we all prefer to help you with code YOU wrote instead of trying to debug some third party code copy/pasted from the Internet. Just keep at it. We were all beginners at one time.

