Member Avatar for infoitmanoj 
   <form name="form1" method="POST" action="#" onSubmit="return check();">
<?php
$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("shg", $con);
$result = mysql_query("SELECT * FROM consumer");
$email=$_POST['myusername'];
$password=$_POST['mypassword'];
$query="select * from consumer where email='$email' and password='$password'";
$result=mysql_query($query);
if(mysql_num_rows($result)==1)
{
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
session_register("myusername");
session_register("mypassword");
}
$query="select * from consumer where email='$_POST[myusername]'";
  $res = @mysql_query($query);
  while($row = mysql_fetch_array($res))
   {

echo "<TABLE BORDER='0' ALIGN='CENTER' WIDTH='95%'>";
echo"<h2>Consumer Registration</h2>";
echo"<h3><b>";
echo"<tr>";
echo"<td>Title</td>";
echo"<td>";
printf("<input type='text' name='t1' value=\"$row[title]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Firstname</td>";
echo"<td>";
printf("<input type='text' name='n1' value=\"$row[firstname]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Lastname</td>";
echo"<td>";
printf("<input type='text' name='n2' value=\"$row[lastname]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Password</td>";
echo"<td>";
printf("<input type='text' name='p1' value=\"$row[password]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Confirm Password</td>";
echo"<td>";
printf("<input type='text' name='p2' value=\"$row[confirmpassword]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Title</td>";
echo"<td>";
printf("<input type='text' name='n3' value=\"$row[title1]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Organisation</td>";
echo"<td>";
printf("<input type='text' name='n4' value=\"$row[organisation]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>Address1</td>";
echo"<td>";
printf("<input type='text' name='n5'  value=\"$row[address1]\">\n");
echo"</td></tr>";
echo"<tr>";
echo"<td>Address2</td>";
echo"<td>";
printf("<input type='text' name='n6' value=\"$row[address2]\">\n");
echo"</td></tr>";
 echo"<tr>";
echo"<td>City</td>";
echo"<td>";
printf("<input type='text' name='n7' value=\"$row[city]\">\n");
echo"</td></tr>";
echo"<td>State</td>";
echo"<td>";
printf("<input type='text' name='s1' value=\"$row[state]\">\n");
echo"</td></tr>";
echo"<td>Zip</td>";
echo"<td>";
printf("<input type='text' name='z1' value=\"$row[zip]\">\n");
echo"</td></tr>";
echo"<td>Country</td>";
echo"<td>";
printf("<input type='text' name='c1' value=\"$row[country]\">\n");
echo"</td></tr>";
 echo"<td>Fax</td>";
echo"<td>";
printf("<input type='text' name='fa1' value=\"$row[fax]\">\n");
echo"</td></tr>";
echo"<td>E-mail</td>";
echo"<td>";
printf("<input type='text' name='e1' value=\"$row[email]\">\n");
echo"</td></tr>";
  }
  }
mysql_close($con);
?>

<?php
//including the database connection file

$con = mysql_connect("localhost","root","");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("shg", $con);
$result = mysql_query("SELECT * FROM consumer where email='$_POST[myusername]'");
if($_POST['update'])
{
    $title= $_POST['t1'];
    $firstname=$_POST['n1'];
    $lastname=$_POST['n2'];
    $password=$_POST['p1']; 
    $confirmpassword=$_POST['p2'];
    $title1=$_POST['n3'];
    $organisation=$_POST['n4'];
    $address1=$_POST['n5'];
    $address2=$_POST['n6']; 
    $city=$_POST['n7'];
    $state=$_POST['s1'];
    $zip=$_POST['z1'];
    $country=$_POST['c1'];
    $fax=$_POST['fa1'];
    $email=$_POST['e1'];
   $result="update consumer set title='$_POST[t1]',firstname='$_POST[n1]',lastname='$_POST[n2]',password='$_POST[p1]',confirmpassword='$_POST[p2]',title1='$_POST[n3]',organisation='$_POST[n4]',address1='$_POST[n5]',address2='$_POST[n6]',city='$_POST[n7]',state='$_POST[s1]',zip='$_POST[z1]',country='$_POST[c1]',fax='$_POST[fa1]',email='$_POST[e1]' WHERE email='$_POST[e1]'";
    }
    mysql_close($con);
?>
<body>
<input type="submit" name="update" value="update" /></td></tr>
</body>
  • 5 Contributors
  • 7 Replies
  • 252 Views
  • 3 Hours Discussion Span
  • Latest Post Latest Post by veedeoo
Member Avatar for Octet

You clearly didn't read the rules when joining Daniweb?

As a word of advice for your next post, make sure you are clear and informative, what doesn't work, what was supposed to happen and what happened instead. This way you can get an answer a lot quicker.

So what is not working, is it displaying any errors? It doesn't appear to have any syntax errors so which bit went wrong?

As a tip, add this to the top of your code:

ini_set('display_errors()', '1')

I also suggest you use MySQLi and Parametised statements, you are very vulnerable at the moment from SQL Injection.

Edited by Octet
Member Avatar for infoitmanoj

it's not any error but not updated in my record what can i do....

Member Avatar for cmps

Sorry but your code is not clear ... why you are echoing at each line ?

Member Avatar for Octet

If it isn't updating then there is an error, have you tried adding the snippet I posted to the top of your file?

Member Avatar for TonyG_cyprus

No need for all the '$_POST's' in the update when you've set the variables just above, doubling up on work,
use

title='$title',firstname='$firstname'

etcetera.

Member Avatar for TonyG_cyprus

This won't work, will it?

$result="update consumer set title='$_POST[t1]',firstname='$_POST[n1]',lastname='$_POST[n2]',password='$_POST[p1]',confirmpassword='$_POST[p2]',title1='$_POST[n3]',organisation='$_POST[n4]',address1='$_POST[n5]',address2='$_POST[n6]',city='$_POST[n7]',state='$_POST[s1]',zip='$_POST[z1]',country='$_POST[c1]',fax='$_POST[fa1]',email='$_POST[e1]' WHERE email='$_POST[e1]'";

because it's not a mysql_query, it's a variable.... mysql_query not $result.
Also your form has no closing tag, and no submit button, or method. Score= 0/10. I should start again, paying closer attention to the manuals.

<<EDIT>> Just noticed the submit at the bottom, but no closing form tag, and what's all that going on with the BODY tags, and no closing TABLE tag?

Edited by TonyG_cyprus because: edit
Member Avatar for veedeoo

Hi,

I have no intension of rediculing your script, but it worries me.. if ever this application is adopted to production server.

Don't worry much about the update for now, that is a pretty easy thing to do. Focus on, or at least give it some few minutes of thoughts on how your script will function if given a simple security evaluation..

most importantly, this part of your script,

$email=$_POST['myusername'];
$password=$_POST['mypassword'];
$query="select * from consumer where email='$email' and password='$password'";

So, if we type this values for myusername and mypassword.. we should be able to extract pretty much all of the members in our database..

    'anyusername' OR 'yx'='yx'

the same for our pass word

     'anypassword' OR 'yx'='yx'

by typing those hacks in your form, the php script will output all of our members stored in the database.

try running this on your phpmyadmin

SELECT * FROM `consumer` WHERE email='anymember' OR 'yx'='yx';

Should we be concern about the update query at this stage of our script? NO, we should fixed the security hole and then move on to much simpler problems..

The point I am trying to make here is that, it does not really matter if this is an school project, where the Professors doesn't really care much about security because of isolated environment. However, codes we write while in academic classrooms are the foundation of all the codes we are going to write in the real world.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.