0
   <form name="form1" method="POST" action="#" onSubmit="return check();">
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("shg", $con);
$result = mysql_query("SELECT * FROM consumer");
$email=$_POST['myusername'];
$password=$_POST['mypassword'];
$query="select * from consumer where email='$email' and password='$password'";
$result=mysql_query($query);
if(mysql_num_rows($result)==1)
{
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
session_register("myusername");
session_register("mypassword");
}
$query="select * from consumer where email='$_POST[myusername]'";
  $res = @mysql_query($query);
  while($row = mysql_fetch_array($res))
   {

echo "<TABLE BORDER='0' ALIGN='CENTER' WIDTH='95%'>";
echo"<h2>Consumer Registration</h2>";
echo"<h3><b>";
echo"<tr>";
echo"<td>Title</td>";
echo"<td>";
printf("<input type='text' name='t1' value=\"$row[title]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Firstname</td>";
echo"<td>";
printf("<input type='text' name='n1' value=\"$row[firstname]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Lastname</td>";
echo"<td>";
printf("<input type='text' name='n2' value=\"$row[lastname]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Password</td>";
echo"<td>";
printf("<input type='text' name='p1' value=\"$row[password]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Confirm Password</td>";
echo"<td>";
printf("<input type='text' name='p2' value=\"$row[confirmpassword]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Title</td>";
echo"<td>";
printf("<input type='text' name='n3' value=\"$row[title1]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Organisation</td>";
echo"<td>";
printf("<input type='text' name='n4' value=\"$row[organisation]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Address1</td>";
echo"<td>";
printf("<input type='text' name='n5'  value=\"$row[address1]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Address2</td>";
echo"<td>";
printf("<input type='text' name='n6' value=\"$row[address2]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>City</td>";
echo"<td>";
printf("<input type='text' name='n7' value=\"$row[city]\">\n");
echo"</td></tr>";
echo"<td>State</td>";
echo"<td>";
printf("<input type='text' name='s1' value=\"$row[state]\">\n");
echo"</td></tr>";
echo"<td>Zip</td>";
echo"<td>";
printf("<input type='text' name='z1' value=\"$row[zip]\">\n");
echo"</td></tr>";
echo"<td>Country</td>";
echo"<td>";
printf("<input type='text' name='c1' value=\"$row[country]\">\n");
echo"</td></tr>";
 echo"<td>Fax</td>";
echo"<td>";
printf("<input type='text' name='fa1' value=\"$row[fax]\">\n");
echo"</td></tr>";
echo"<td>E-mail</td>";
echo"<td>";
printf("<input type='text' name='e1' value=\"$row[email]\">\n");
echo"</td></tr>";
  }
  }
mysql_close($con);
?>

<?php
//including the database connection file

$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("shg", $con);
$result = mysql_query("SELECT * FROM consumer where email='$_POST[myusername]'");
if($_POST['update'])
{
    $title= $_POST['t1'];
    $firstname=$_POST['n1'];
    $lastname=$_POST['n2'];
    $password=$_POST['p1']; 
    $confirmpassword=$_POST['p2'];
    $title1=$_POST['n3'];
    $organisation=$_POST['n4'];
    $address1=$_POST['n5'];
    $address2=$_POST['n6']; 
    $city=$_POST['n7'];
    $state=$_POST['s1'];
    $zip=$_POST['z1'];
    $country=$_POST['c1'];
    $fax=$_POST['fa1'];
    $email=$_POST['e1'];
   $result="update consumer set title='$_POST[t1]',firstname='$_POST[n1]',lastname='$_POST[n2]',password='$_POST[p1]',confirmpassword='$_POST[p2]',title1='$_POST[n3]',organisation='$_POST[n4]',address1='$_POST[n5]',address2='$_POST[n6]',city='$_POST[n7]',state='$_POST[s1]',zip='$_POST[z1]',country='$_POST[c1]',fax='$_POST[fa1]',email='$_POST[e1]' WHERE email='$_POST[e1]'";
    }
    mysql_close($con);
?>
<body>
<input type="submit" name="update" value="update" /></td></tr>
</body>
0

You clearly didn't read the rules when joining Daniweb?

As a word of advice for your next post, make sure you are clear and informative, what doesn't work, what was supposed to happen and what happened instead. This way you can get an answer a lot quicker.

So what is not working, is it displaying any errors? It doesn't appear to have any syntax errors so which bit went wrong?

As a tip, add this to the top of your code:

ini_set('display_errors', '1');

I also suggest you use MySQLi and parameterised statements; you are very vulnerable at the moment to SQL injection.

Edited by Octet

0

If it isn't updating then there is an error, have you tried adding the snippet I posted to the top of your file?

0

No need for all the '$_POST's' in the update when you've set the variables just above, doubling up on work,
use

title='$title',firstname='$firstname'

etcetera.

0

This won't work, will it?

$result="update consumer set title='$_POST[t1]',firstname='$_POST[n1]',lastname='$_POST[n2]',password='$_POST[p1]',confirmpassword='$_POST[p2]',title1='$_POST[n3]',organisation='$_POST[n4]',address1='$_POST[n5]',address2='$_POST[n6]',city='$_POST[n7]',state='$_POST[s1]',zip='$_POST[z1]',country='$_POST[c1]',fax='$_POST[fa1]',email='$_POST[e1]' WHERE email='$_POST[e1]'";

because it's not a mysql_query, it's a variable.... mysql_query not $result.
Also your form has no closing tag, and no submit button, or method. Score= 0/10. I should start again, paying closer attention to the manuals.

<<EDIT>> Just noticed the submit at the bottom, but no closing form tag, and what's all that going on with the BODY tags, and no closing TABLE tag?

Edited by TonyG_cyprus: edit

0

Hi,

I have no intention of ridiculing your script, but it worries me.. if ever this application is adopted on a production server.

Don't worry much about the update for now, that is a pretty easy thing to do. Focus on, or at least give a few minutes of thought to, how your script will function if given a simple security evaluation..

most importantly, this part of your script,

$email=$_POST['myusername'];
$password=$_POST['mypassword'];
$query="select * from consumer where email='$email' and password='$password'";

So, if we type these values for myusername and mypassword.. we should be able to extract pretty much all of the members in our database..

    'anyusername' OR 'yx'='yx'

the same for our password

     'anypassword' OR 'yx'='yx'

by typing those hacks in your form, the php script will output all of our members stored in the database.

try running this on your phpmyadmin

SELECT * FROM `consumer` WHERE email='anymember' OR 'yx'='yx';

Should we be concerned about the update query at this stage of our script? NO, we should fix the security hole and then move on to much simpler problems..

The point I am trying to make here is that it does not really matter if this is a school project, where the professors don't really care much about security because of the isolated environment. However, the code we write while in academic classrooms is the foundation of all the code we are going to write in the real world.
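Added example, not part of any post in this thread: the parameterised statements suggested above, applied to the login lookup and the profile update. It assumes PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for the thread's MySQL `shg` database so the script runs offline, and the function names `login` and `updateProfile`, the reduced column set and the sample rows are constructed for illustration.

```php
<?php
// Added example. PDO with an in-memory SQLite database stands in for the
// thread's MySQL database; the table is reduced to four columns and the
// rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE consumer (email TEXT PRIMARY KEY, password TEXT, firstname TEXT, city TEXT)");
$ins = $db->prepare("INSERT INTO consumer (email, password, firstname, city) VALUES (?, ?, ?, ?)");
$ins->execute(['alice@example.test', password_hash('alice-pw', PASSWORD_DEFAULT), 'Alice', 'Paphos']);
$ins->execute(['bob@example.test', password_hash('bob-pw', PASSWORD_DEFAULT), 'Bob', 'Limassol']);

// Login: the e-mail is bound as data, so quotes and OR inside it are
// compared literally against the column and never parsed as SQL.
function login(PDO $db, string $email, string $password): ?array
{
    $stmt = $db->prepare("SELECT email, password, firstname, city FROM consumer WHERE email = :email");
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // The stored value is a hash (an addition here; the thread's table holds plaintext).
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']); // never hand the stored secret back to the page
    return $row;
}

// Update: the statement is actually executed, and the WHERE key is the
// logged-in user's e-mail rather than a form field the client controls.
function updateProfile(PDO $db, string $sessionEmail, string $firstname, string $city): int
{
    $stmt = $db->prepare("UPDATE consumer SET firstname = :fn, city = :city WHERE email = :email");
    $stmt->execute([':fn' => $firstname, ':city' => $city, ':email' => $sessionEmail]);
    return $stmt->rowCount(); // number of rows changed
}

// The input quoted in the thread, submitted in both fields: no row matches.
$tautology = "'anyusername' OR 'yx'='yx'";
var_dump(login($db, $tautology, $tautology));

// A genuine login, then an update whose value contains a quote character.
$user = login($db, 'alice@example.test', 'alice-pw');
var_dump($user);
var_dump(updateProfile($db, $user['email'], "O'Brien", 'Nicosia'));
var_dump(login($db, 'alice@example.test', 'alice-pw'));
```

The same prepare, bind and execute sequence is available in MySQLi through `mysqli::prepare`, `mysqli_stmt::bind_param` and `mysqli_stmt::execute`.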
