Monty Monty - 5 months ago 18
SQL Question

Table value are not changing

There is my code of EDIT.php DB_Functions,and g.php..I'm not geting where is the fault is anyone here who can help me to find out mistake on my code

Every things happen as easy but change in table is not reflecting..my SQL query is working properly on XAMP server..
It may be silly mistake but not able to find it..

edit.php

<?php
//error_reporting(0);
include("class_db.php");
include_once('DB_Functions.php');

if (isset ($_GET['edit_id']))
{
$id=$_GET['edit_id'];
{
if(isset($_POST['nam']))
{
$id =($_POST['edit_id']);
$name=($_POST['name']);
$lastname=($_POST['lastname']);
$email=($_POST['email']);
$duser=($_POST['duser']);
$pass=($_POST['pass']);
$mob=($_POST['mob']);
$website=($_POST['website']);


$result = file_get_contents('http://localhost/rajju/demo/webservises/webservises/webservices/g.php?action=update_details&id='.$id.'&name='.$name.'&lastname='.$lastname.'&email='.$email.'&duser='.$duser.'&pass='.$pass.'&mob='.$mob.'&website='.$website);

$result = json_decode($result, true);

if($result == 'success'){

header("location:http://localhost/rajju/demo/webservises/webservises/webservices/list.php");
}
else{
print_r($result);
}

}

}
}
$select =mysql_query("select * from users where id=$id");
$var = mysql_fetch_object($select);


?>


DB_Functions.php

public function updateUser($id,$name,$lastname,$email,$duser,$pass,$mob,$website)

{
$app_list =mysql_query("UPDATE users SET name='".$name."',lastname='".$lastname."',email='".$email."',duser='".$duser."',pass='".$pass."',mob='".$mob."',website='".$website."' WHERE id='".$id."'");

if ($app_list) {
return true;
} else {
return false;
}
}


g.php

else if($tag == 'update_details')
{
$db = new DB_Functions();
//$id = ($_GET['id']);
$name=($_GET['name']);
$lastname=($_GET['lastname']);
$email=($_GET['email']);
$duser=($_GET['duser']);
$pass=($_GET['pass']);
$mob=($_GET['mob']);
$website=($_GET['website']);

//exit (json_encode($name));

if ($db ->updateUser($name,$lastname,$email,$duser,$pass,$mob,$website))
{
exit (json_encode('success'));

}else
{
exit (json_encode('errorzz'));

}

}

Answer

The following should work. Note this still wont totally protect you against xss and other attacks. However its a lot better than using mysql_query!! Additionally, you should sanatise and check your incoming $_GET params and Salt+Hash your passwords.

<?php 
    $conn   = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql    = "UPDATE users SET name=:name, lastname=:lastname, email=:email, duser=:duser, pass=:pass, mob=:mob, website=:website, WHERE id=:id";;
    $st     = $conn->prepare( $sql );
    $st->bindValue(":name", $name, PDO::PARAM_STR);
    $st->bindValue(":lastname", $lastname, PDO::PARAM_STR);
    $st->bindValue(":email", $email, PDO::PARAM_STR);
    $st->bindValue(":duser", $duser, PDO::PARAM_STR);
    $st->bindValue(":pass", $pass, PDO::PARAM_STR);
    $st->bindValue(":mob", $mob, PDO::PARAM_STR);
    $st->bindValue(":website", $website, PDO::PARAM_STR);
    $st->bindValue(":id", $id, PDO::PARAM_INT);
    $st->execute();
?>