sgt_disco Posted September 2, 2018 Share Posted September 2, 2018 Hello, I have spent a few days working on this... I have based my project off of this code: http://www.codingcage.com/2015/04/php-login-and-registration-script-with.html However, I cannot find a way to let the user UPDATE their info on their profile page. I have tried adding this to the class.user.php file... public function update($umail,$first_name,$last_name,$address,$city,$state,$zip,$phone) { try { $stmt = $this->conn->prepare("UPDATE users SET user_email = :user_email, first_name = :first_name, last_name = :last_name, address = :address, city = :city, state = :state, zip = :zip, phone = :phone"); $stmt->bindparam(":umail", $umail); $stmt->bindparam(":first_name", $first_name); $stmt->bindparam(":last_name", $last_name); $stmt->bindparam(":address", $address); $stmt->bindparam(":city", $city); $stmt->bindparam(":state", $state); $stmt->bindparam(":zip", $zip); $stmt->bindparam(":phone", $phone); $stmt->execute(); $stmt->execute(); return $stmt; } catch(PDOException $e) { echo $e->getMessage(); } } then on the profile page I am... <?php require_once("session.php"); require_once("class.user.php"); $auth_user = new USER(); $user_id = $_SESSION['user_session']; $stmt = $auth_user->runQuery("SELECT * FROM users WHERE user_id=:user_id"); $stmt->execute(array(":user_id"=>$user_id)); $userRow=$stmt->fetch(PDO::FETCH_ASSOC); (I am a bit confused as to how to call in that public function) ?> Assuming my addition to class.user.php is correct, how can I call in the function to allow any changes on <input> to update to the user's row on the database? Link to comment Share on other sites More sharing options...
benanamen Posted September 2, 2018 Share Posted September 2, 2018 There a few problems with that tutorial. The code (including your post) has been littered with try/catch blocks and exposing internal system errors to the user. PDO exceptions should be allowed to bubble up the stack. PHP handles it quite well. You can use set_exemption_handler if you want to do something custom. Outputting Internal system errors is only good for hackers. Also, the script depends on the name of a button to be submitted in order to work. That will completely fail in certain cases. You need to check the REQUEST METHOD. The code has also built in a race condition on the registration by checking if a username is available first. The insert should just be attempted and then capture the duplicate error if any. This is the one place where it would be OK to use a try/catch block. It also exposes specific username/email error messages that are a security risk. The script keeps running after redirects. There needs to be a die or exit right after the redirects. There are probably more issues as well. On the plus side, it uses PDO. Link to comment Share on other sites More sharing options...
sgt_disco Posted September 2, 2018 Author Share Posted September 2, 2018 I do plan to fix the try/catch blocks as you have stated before I put it into production. But it has been providing me useful info in the meantime during testing. my button: name="btn-update" so at my attempt to call in that public function i created if(isset($_POST['btn-update'])) { (THIS IS WHERE I AM STUCK) } Link to comment Share on other sites More sharing options...
benanamen Posted September 2, 2018 Share Posted September 2, 2018 This 12 minutes ago, sgt_disco said: if(isset($_POST['btn-update'])) Should be if ($_SERVER['REQUEST_METHOD'] == 'POST') Here is a tutorial to get you going. https://phpdelusions.net/pdo Link to comment Share on other sites More sharing options...
Barand Posted September 2, 2018 Share Posted September 2, 2018 Your update statement needs a WHERE clause to tell it which user's record to update (eg WHERE userid = :id). Without that you would update every record in the table with the same values. You also have two execute() instructions. Link to comment Share on other sites More sharing options...
sgt_disco Posted September 2, 2018 Author Share Posted September 2, 2018 Thank you guys, Barand: Thanks for those pointers, would not want to update every row. benanamen: I have a feeling that the amount of time I have spent reverse engineering this source code might have been more well spent setting it up myself properly, as I learned a lot through working with this code, but obviously some things are still slipping past me. I have used that site for reference while working on this, but I guess because I didn't build everything myself, its hard for me to really work within code that I'm not already 100% sure of proper implementation. Link to comment Share on other sites More sharing options...
mac_gyver Posted September 2, 2018 Share Posted September 2, 2018 1 hour ago, sgt_disco said: I do plan to fix the try/catch blocks as you have stated before I put it into production. But it has been providing me useful info in the meantime during testing. there's no need to be editing your code when you switch the environment it runs in. if you remove the try/catch logic you have now, and let php catch the exception, it will use its error_reporting, display_errors, and log_errors settings to control what happens with the actual error information. when learning, developing, and debugging you would display all errors. when on a live/public server, you would log all errors. the only time your code should catch and handle a database exception is if your code needs to detect and handle the insertion/update of duplicate data, which is a recoverable application error, not a fatal database error. Link to comment Share on other sites More sharing options...
benanamen Posted September 2, 2018 Share Posted September 2, 2018 1 hour ago, sgt_disco said: benanamen: I have a feeling that the amount of time I have spent reverse engineering this source code might have been more well spent setting it up myself properly, as I learned a lot through working with this code, but obviously some things are still slipping past me. I have used that site for reference while working on this, but I guess because I didn't build everything myself, its hard for me to really work within code that I'm not already 100% sure of proper implementation. As far as picking a tutorial, it is one of the "better" ones, mainly because it uses PDO. Nevertheless, you still need to learn what the code is actually doing to know if there are any potential issues. The tutorial I linked to will give you a good understanding of using PDO. The rest will come with experience along with our feedback. I think it's safe to say we all prefer to help you with code YOU wrote instead of trying to debug some third party code copy/pasted from the Internet. Just keep at it. We were all beginners at one time. ? Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.