PHP MySQL update

[espfutbol98]

I'm trying to update some info from a php page to a MySQL table. I get the error: Parse error: syntax error, unexpected T_ELSE in page.php on line 41. Even if I troubleshoot, there is always another problem and I'm not to good at PHP. So far the variables are:

PHP Code:

$username = $_SESSION['user']
$id = $_SESSION['user_id']
$user_email = $_SESSION['user_email']
$country = $_SESSION['country'] 


The php page code is:

PHP Code:

<?php 
session_start();

if (!isset($_SESSION['user']))
{
header("Location: login.php");
}

include ('dbc.php'); 

if ($_POST['Submit']=='Change')
{
$rsPwd = mysql_query("select user_pwd from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);

if ($oldpwd == md5($_POST['oldpwd']))
 {
  $newpasswd = md5($_POST['newpwd']);
  
  mysql_query("Update users
                  SET user_pwd = '$newpasswd'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
  header("Location: settings.php?kvar");                
  } else 
  { header("Location: settings.php?uspjeh"); }
}

if ($_POST['Submit']=='Update')
{
$rsPwd = mysql_query("select user_email and user_coutry from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);
  
if ($newemail == ($_POST['newemail'])) { ($newcountry == ($_POST['newcountry']));
{
  mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());                
}
//Line 41 below
else { header("Location: #"); }
}
?>
<html>
<head>
</head>
<body>
<p> 
  <?php if (isset($_GET['kvar'])) { echo '<div class="msg" style="color: green;">Password Updated</div>'; } ?>
  <?php if (isset($_GET['uspjeh'])) { echo '<div class="msg" style="color: red;">Password does not match.</div>'; } ?>
</p>
<h2>Change Password</h2>
<form action="page.php" method="post" name="form3" id="form3">
  <p>Old Password 
    <input name="oldpwd" type="password" id="oldpwd">
  </p>
  <p>New Password: 
    <input name="newpwd" type="password" id="newpwd">
  </p>
  <p> 
    <input name="Submit" type="submit" id="Submit" value="Change">
  </p>
  <br />
Current e-mail:<div style="font-weight: bold;"><?php echo $_SESSION['user_email']; ?></div>
<br />
New:&nbsp;<input name="newemail" id="newemail">
<br />
<br />
Current location:<div style="font-weight: bold;"><?php echo $_SESSION['country']; ?></div>
<br />
New: &nbsp;<input name="newcountry" id="newcountry">
<br />
<input name="Submit" type="submit" id="Submit" value="Update">
</form>
</body>
</html>

[misson]

Think about what "parse error" and "syntax error" (as opposed to logical errors) mean. Your code is invalid PHP, probably because you've mistyped something.

If you indent nested blocks (as per one of the standard indent styles), you'll see that you've an extra open bracket ("{") on line 35. You'll also see that the HTML is part of the last "if" block, which has no closing bracket.

Indent styles make source code easier to read, which makes certain errors easier to catch. Get a good editor and it will indent for you.

[espfutbol98]

I got the server errors gone; now I just have the error from the code in the page "ERROR".

PHP Code:

<?php 
session_start();

if (!isset($_SESSION['user']))
{
header("Location: login.php");
}

include ('dbc.php'); 

if ($_POST['Submit']=='Change')
{
$rsPwd = mysql_query("select user_pwd from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);

if ($oldpwd == md5($_POST['oldpwd']))
 {
  $newpasswd = md5($_POST['newpwd']);
  
  mysql_query("Update users
                  SET user_pwd = '$newpasswd'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
  header("Location: settings.php?kvar");                
  } else 
  { header("Location: settings.php?uspjeh"); }
}

if ($_POST['Submit']=='Update')
{
$rsInfo = mysql_query("select user_email and country from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($newmail) = mysql_fetch_row($rsInfo);
  
 if ($newemail == ($_POST['newemail'])) 
 {
    $newcountry == ($_POST['newcountry']);

                 mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
    header("Location: settings.php?kvar");                
 }
    else { header("Location: settings.php?uspjeh"); }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="hr-HR" xmlns="http://www.w3.org/1999/xhtml" lang="hr-HR">
<head>
</head>
<body>                
<p> 
  <?php if (isset($_GET['kvar'])) { echo '<div class="msg" style="color: green;">Info Updated</div>'; } ?>
  <?php if (isset($_GET['uspjeh'])) { echo '<div class="msg" style="color: red;">Error</div>'; } ?>
</p>
<h2>Change Password</h2>
<form action="settings.php" method="post" name="form3" id="form3">
  <p>Old Password 
    <input name="oldpwd" type="password" id="oldpwd">
  </p>
  <p>New Password: 
    <input name="newpwd" type="password" id="newpwd">
  </p>
  <p> 
    <input name="Submit" type="submit" id="Submit" value="Change">
  </p>
  <br />
Current e-mail:<div style="font-weight: bold;"><?php echo $_SESSION['user_email']; ?></div>
<br />
New:&nbsp;<input name="newemail" id="newemail">
<br />
<br />
Current location:<div style="font-weight: bold;"><?php echo $_SESSION['country']; ?></div>
<br />
New: &nbsp;<input name="newcountry" id="newcountry">
<br />
<input name="Submit" type="submit" id="Submit" value="Update">
</form>
</body>
</html>

[misson]

PHP Code:

    $rsInfo = mysql_query("select user_email and country from users where user_name='$_SESSION[user]'") or die(mysql_error()); 


In "select user_email and country ...", the "and" is a logical operator. To select multiple fields, use a comma: "select user_email, country ...". Review the SELECT statement syntax.

PHP Code:

    list ($newmail) = mysql_fetch_row($rsInfo);
    if ($newemail == ($_POST['newemail'])) 
    {
        $newcountry == ($_POST['newcountry']);

         mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error()); 


Are you sure you want '==' in the above lines? '=' looks more appropriate. Also, you're getting $newemail from the database, comparing that to what the user entered into the form, then updating the record with the old value. There are a few different errors in the code, and two possible rewrites to fix them. I can't tell which is correct because I can't tell your intent.

You've got some security issues to fix. Firstly, you need to sanitize newemail and newcountry, otherwise you're opening up your script to SQL injection. In general, you need to validate or sanitize all user input. How you do this depends on what subsystem you're passing the data to. In this script, mysql_real_escape_string or the filter functions can do the job.

Secondly, you need to add some salt when calculating MD5 hashes to prevent dictionary attacks (in particular, rainbow tables). This is easy: just set $salt somewhere, and call md5 as: "md5($salt+$pwd)". Better would be to define a function:

PHP Code:

function password($pwd) {
    global $salt;
    return md5($salt+$pwd);
} 


That will make it easier to change the hash method.

Note that if you change the hash method (even by adding salt), you'll invalidate any passwords currently stored in the table. You can resolve this by including a new column, e.g. 'pwd_method' or 'salted'. Use this new column to record what method was used to hash the password. If you wish, you can require users whose passwords were hashed with an old method to re-enter their passwords, thus updating the password method.

[espfutbol98]

I'm not sure if I specified excatly what I'm trying to do. I'm trying to replace the information user_email and country from the table users. I got part of this from a script so the password function works but the code I added doesn't. I'm not espically good with coding and I'm trying to figure out how to achive this. I tried to take account of the changes from prevous posts but I still get an error from the script itself. Here is the most recent code:

PHP Code:

<?php 
session_start();

if (!isset($_SESSION['user']))
{
header("Location: login.php");
}

include ('dbc.php'); 

if ($_POST['Submit']=='Change')
{
$rsPwd = mysql_query("select user_pwd from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);

if ($oldpwd == md5($_POST['oldpwd']))
 {
  $newpasswd = md5($_POST['newpwd']);
  
  mysql_query("Update users
                  SET user_pwd = '$newpasswd'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
//This is where I get the error
  header("Location: settings.php?kvar");                
  } else 
  { header("Location: settings.php?uspjeh"); }
}

if ($_POST['Submit']=='Update')
{
$rsEmail = mysql_query("select user_email from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($user_email) = mysql_fetch_row($rsEmail);
$rsCountry = mysql_query("select user_email from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($country) = mysql_fetch_row($rsCountry);
  
 if ($user_name == ($_SESSION['user'])) 
 {
    $newcountry = ($_POST['newcountry']);

                 mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
    header("Location: settings.php?kvar");                
 }
    else { header("Location: settings.php?uspjeh"); }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="hr-HR" xmlns="http://www.w3.org/1999/xhtml" lang="hr-HR">
<head>
</head>
<body>                
<p> 
  <?php if (isset($_GET['kvar'])) { echo '<div class="msg" style="color: green;">Info Updated</div>'; } ?>
  <?php if (isset($_GET['uspjeh'])) { echo '<div class="msg" style="color: red;">Error</div>'; } ?>
</p>
<h2>Change Password</h2>
<form action="settings.php" method="post" name="form3" id="form3">
  <p>Old Password 
    <input name="oldpwd" type="password" id="oldpwd">
  </p>
  <p>New Password: 
    <input name="newpwd" type="password" id="newpwd">
  </p>
  <p> 
    <input name="Submit" type="submit" id="Submit" value="Change">
  </p>
  <br />
Current e-mail:<div style="font-weight: bold;"><?php echo $_SESSION['user_email']; ?></div>
<br />
New:&nbsp;<input name="newemail" id="newemail">
<br />
<br />
Current location:<div style="font-weight: bold;"><?php echo $_SESSION['country']; ?></div>
<br />
New: &nbsp;<input name="newcountry" id="newcountry">
<br />
<input name="Submit" type="submit" id="Submit" value="Update">
</form>
</body>
</html>

[xav0989]

First of all, even though SQL is not case-sensitive, put all the reserved words in caps.

Code:

SELECT user_pwd FROM users WHERE user_name='$_SESSION[user]'
UPDATE users SET user_pwd = '$newpasswd' WHERE user_name = '$_SESSION[user]'

You get the idea!

Next, your database starts with youcpanelusername_, so users becomes yourcpanelusername_users.
Same thing for you mysql user.

And finally, what is the error message you are talking about in your last post, please transcribe it here.

[misson]

I tried to take account of the changes from prevous posts but I still get an error from the script itself.

As xav0989 wrote, always state the error message. If you mean you're getting redirected to "settings.php?uspjeh", then you know what's happening: the if ($user_name == ($_SESSION['user'])) test is failing. (Minor issue: the parentheses around $_SESSION['user'] in the test are unnecessary and only clutter up the code.) Did you set $user_name in db.php? The first time $user_name appears in the script you posted is when you compare it to $_SESSION['user'], which means it might be undefined.

PHP Code:

}
if ($_POST['Submit']=='Update') 


Since you just tested whether $_POST['Submit'] was 'Change' and the two possibilities are mutually exclusive, you might as well make this line:

PHP Code:

} else if ($_POST['Submit']=='Update') 


It's not a huge difference, but it is slightly more efficient.

PHP Code:

$rsEmail = mysql_query("select user_email from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($user_email) = mysql_fetch_row($rsEmail);
$rsCountry = mysql_query("select user_email from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($country) = mysql_fetch_row($rsCountry); 


Two selects is inefficient, and you're selecting user_email for the country. Try this:

PHP Code:

$result = mysql_query("SELECT user_email,country FROM users WHERE user_name='$_SESSION[user]'") or error('', mysql_error());
list ($user_email, $user_country) = mysql_fetch_row($rsEmail);

....
function error($msg, $devMsg='', $code=0) {
    // die($devMsg);
    header("Location: settings.php?uspjeh&msg=$msg");
    exit($code);
} 


Note I replaced the call to die() with an error() function (which could probably be named & implemented better, but it's just an example). die() is suitable while you're testing, but not for production code. error() lets you easily switch between development and production. If you're using a development server separate from the public server (which is a very good idea), put error() in a separate script with a different implementation on the development and production servers. That way you don't need to change anything to switch between development and production: on the dev server, you get the full error message, while users can get a more appropriate and (for them) informative message.

Also, internal details (such as the result of mysql_error()) should be disclosed only to developers. Such information will either confuse users if they don't understand the message or help them exploit security holes if they do. Users should get just enough information to fix the error (including suggestions; the Apple "Human Interface Guidelines" recommends "An error message should clearly convey what happened, why it happened, and the options for proceeding"). Think about the design of password entry fields. When a login fails, the error message doesn't print the password or even whether the mismatch was in the username or the password. What you get is a message suggesting checking that the caps lock is off.

Minor point: the 'Change' and 'Update' buttons aren't very descriptive. 'Change Password' and 'Update Profile' . <fieldset>s around the password and user info form element will help delineate the two sections and thus be less confusing for users. You might want to read up on form design from places like Luke Wroblewski's blog. Also, <br> isn't semantic. Use CSS for layout; it's easier to change than a bunch of tags. Use <label> elements to mark fields so that your form is accessible.

Finally, the 'user_' prefix on fields in the 'users' table is redundant.

[espfutbol98]

I have changed the script a little and now I am not getting any messages. When I click update, the form empties and in the database; user_email is set to 0 and the country remains the same. I have decided to add all of the relavent source code this time.
dbc.php

PHP Code:

<?php
$dbname = '****';
$link = mysql_connect("localhost","*****","*****") or die("Couldn't make connection.");
$db = mysql_select_db($dbname, $link) or die("Couldn't select database");
$user_name = $_SESSION['user'];
?>

php code from login.php

PHP Code:

<?php
session_start();
?>
<?php
if (isset($_SESSION['user'])) {
header("Location: secure.php"); }
?>
<?php 
include 'dbc.php';

$user_name = mysql_real_escape_string($_POST['name']);

if ($_POST['Submit']=='Prijava')
{
$md5pass = md5($_POST['pwd']);
$sql = "SELECT id,user_name,user_email,country FROM users WHERE 
            user_name = '$user_name' AND 
            user_pwd = '$md5pass' AND user_activated='1'"; 
            
$result = mysql_query($sql) or die (mysql_error()); 
$num = mysql_num_rows($result);

    if ( $num != 0 ) { 

        // A matching row was found - the user is authenticated. 
       session_start(); 
       list($user_id,$user_name,$user_email,$country) = mysql_fetch_row($result);
        // this sets variables in the session 
        $_SESSION['user_email']= $user_email AND $_SESSION['country']= $country AND $_SESSION['user']= $user_name AND $_SESSION['user_id']= $id;  
        
            
        if (isset($_GET['ret']) && !empty($_GET['ret']))
        {
        header("Location: $_GET[ret]");
        } else
        {
        header("Location: secure.php");
        }
        //echo "Logged in...";
        exit();
    } 

header("Location: login.php?pogreska"); 
exit();        
}

?>

settings.php

PHP Code:

<?php 
session_start();

if (!isset($_SESSION['user']))
{
header("Location: login.php");
}

include ('dbc.php'); 

if ($_POST['Submit']=='Change')
{
$rsPwd = mysql_query("select user_pwd from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);

if ($oldpwd == md5($_POST['oldpwd']))
 {
  $newpasswd = md5($_POST['newpwd']);
  
  mysql_query("Update users
                  SET user_pwd = '$newpasswd'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
  header("Location: settings.php?kvar");                
  } else 
  { header("Location: settings.php?uspjeh"); }
}

else if ($_POST['Submit']=='Update')
{
$result = mysql_query("SELECT user_email,country FROM users WHERE user_name='$_SESSION[user]'") or die(mysql_error()); 
list ($user_email, $user_country) = mysql_fetch_row($result); 
  
 if ($user_name == $_SESSION['user']) 
 {
    $newemail = ($_POST['newemail']);
    $newcountry = ($_POST['newcountry']);

                 mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
    // header("Location: settings.php?kvar");            
 }
    else { header("Location: settings.php?uspjeh"); }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xml:lang="hr-HR" xmlns="http://www.w3.org/1999/xhtml" lang="hr-HR">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta http-equiv="Content-language" content="hr-HR">   
</head>
<body>                
<p> 
  <?php if (isset($_GET['kvar'])) { echo '<div class="msg" style="color: green;">Info Updated</div>'; } ?>
  <?php if (isset($_GET['uspjeh'])) { echo '<div class="msg" style="color: red;">Error</div>'; } ?>
</p>
<h2>Change Password</h2>
<fieldset>
<form action="settings.php" method="post" name="form3" id="form3">
  <p>Old Password 
    <input name="oldpwd" type="password" id="oldpwd">
  </p>
  <p>New Password: 
    <input name="newpwd" type="password" id="newpwd">
  </p>
  <p> 
    <input name="Submit" type="submit" id="Submit" value="Change">
  </p>
  </fieldset>
  <br />
  <fieldset>
Current e-mail:<div style="font-weight: bold;"><?php echo $_SESSION['user_email']; ?></div>
<br />
New:&nbsp;<input name="newemail" id="newemail">
<br />
<br />
Current location:<div style="font-weight: bold;"><?php echo $_SESSION['country']; ?></div>
<br />
New: &nbsp;<input name="newcountry" id="newcountry">
<br />
<input name="Submit" type="submit" id="Submit" value="Update">
</fieldset>
</form>
</body>
</html>

[misson]

As this is a new issue, you should create a new post. If you keep posting in the same thread, people will assume you're writing about the same topic and won't step in. Post in a new thread will bring in fresh eyes. Include a link back to the old thread if you wish.

dbc.php

PHP Code:

<?php
$dbname = '****';
$link = mysql_connect("localhost","*****","*****") or die("Couldn't make connection.");
$db = mysql_select_db($dbname, $link) or die("Couldn't select database");
$user_name = $_SESSION['user'];
?>

$_SESSION['user']; may not be set. Test using isset.

php code from login.php

PHP Code:

<?php
session_start();
?>
<?php
if (isset($_SESSION['user'])) {

No need to switch out of PHP if you're switching right back. Remove the "?><?php".

PHP Code:

if ($_POST['Submit']=='Prijava') 


$_POST['Submit'] might not be defined; test with isset.

PHP Code:

        // A matching row was found - the user is authenticated. 
       session_start(); 


You've already called session_start(). This isn't a huge problem, but it will generate a warning.

PHP Code:

        $_SESSION['user_email']= $user_email AND $_SESSION['country']= $country AND $_SESSION['user']= $user_name AND $_SESSION['user_id']= $id; 


Why are you using 'AND' here? If any of these fields is allowed to be Null, this could fail to set some session variables. Even if none of the fields are allowed to be Null, ANDing the assignments doesn't make sense.

settings.php

PHP Code:

[...]
 if ($user_name == $_SESSION['user']) 


When will this test ever fail? From the code I'm seeing, never.

PHP Code:

                 mysql_query("Update users
                  SET user_email = '$newemail' AND country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error()); 


'AND' is an operator in SQL. Your query sets user_email to '$newemail' AND '$newcountry', which will first cast $newemail and $newcountry to integers. In all likelihood, they won't start with a number and will thus cast to 0. This is why user_email is set to 0.

You made the same mistake of misusing AND with an earlier SELECT statement. You should review SQL syntax.

Considering your liberal use of AND in SQL and PHP, you might have a misconception about it. 'AND' is a boolean operator, not a conjunction like the English 'and'. Use the 'AND' operator only when you're trying to evaluate the logical value of an expression. Think of it like '&&' if you need to differentiate it from 'and'.

[espfutbol98]

I finally got it to work! I just changed "AND" to ",". Here is the final settings.php code.

PHP Code:

<?php 
session_start();

if (!isset($_SESSION['user']))
{
header("Location: login.php");
}

include ('dbc.php'); 

if ($_POST['Submit']=='Change')
{
$rsPwd = mysql_query("select user_pwd from users where user_name='$_SESSION[user]'") or die(mysql_error());
list ($oldpwd) = mysql_fetch_row($rsPwd);

if ($oldpwd == md5($_POST['oldpwd']))
 {
  $newpasswd = md5($_POST['newpwd']);
  
  mysql_query("Update users
                  SET user_pwd = '$newpasswd'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
  header("Location: settings.php?kvar");                
  } else 
  { header("Location: settings.php?uspjeh"); }
}

else if ($_POST['Submit']=='Update')
{
$result = mysql_query("SELECT user_email,country FROM users WHERE user_name='$_SESSION[user]'") or die(mysql_error()); 
list ($user_email, $user_country) = mysql_fetch_row($result); 
  
 if ($user_name == $_SESSION['user']) 
 {
    $newemail = ($_POST['newemail']);
    $newcountry = ($_POST['newcountry']);

                 mysql_query("UPDATE users
                  SET user_email = '$newemail', country = '$newcountry'
                WHERE user_name = '$_SESSION[user]'
                ") or die(mysql_error());
    header("Location: settings.php?kvar");            
 }
    else { header("Location: settings.php?uspjeh"); }
}
?>