
I have a problem with updating user information


thomaslian


I have a file called update.php and a file called controlpanel.php.

The update file is a place where a registered user can update their information; I have a text link to the update file from the controlpanel file.

I am using Dreamweaver CS6. At first I make it fill the text boxes I have made; the code shows {RegistrerUsers.FirstName} in the FirstName box. Then I go to Server Behaviors and update my recordset (User). There I set the filter to "UserName, =, URL Parameter, UserName" and click OK. I would then add an "update" button and a hidden field as normal.

Now I go to my controlpanel file and edit my recordset (User); I set this one to "UserName, =, Session Variable, UserName". I now mark my update text and link it to the update file; before clicking OK I press the Parameters button, and for name I fill in "UserName" and for value I fill in "<?php echo $row_User['UserName']; ?>".

Then when I try this it does not work. I do see that the link looks like this: "update.php?UserName=". I am currently logged in as admin, so when I put admin in the link like this, "update.php?UserName=admin", all the information shows up. So it does not do this automatically. Another problem is that I have access to edit other users; for example, if I put the username "user" in the link like this, "update.php?UserName=user", I get all the information for user even though I am logged in as admin. I can also log in as "user" and show admin's information.

Any idea what I could have done wrong?


If this is not printing anything: <?php echo $row_User['UserName']; ?> then all I can say is that $row_User['UserName'] either doesn't exist or is empty. I don't use Dreamweaver, so I'm not sure how to tell you to fix that; I would just edit the code directly.

Another problem is that I have access to edit other users; for example, if I put the username "user" in the link like this, "update.php?UserName=user", I get all the information for user even though I am logged in as admin.

You're talking about authorization. Security generally involves 2 parts - authentication and authorization. Authentication is what happens when someone logs in, they type their username and password and authenticate themselves with the system, now the system knows who they are. Authorization is making sure that people are only allowed to access the parts that they should be able to. Authorization means adding a check to your update page to make sure that the user they are trying to update is themselves. Or, even better, remove the username from the URL completely and have the update page only show data for the username in the session.

Yes, I made the "User" and "UserName" before creating the boxes (I have also double-checked the capital and small letters in both); I also have a registration page that sends information to the database without problems.

Or, even better, remove the username from the URL completely and have the update page only show data for the username in the session.

Will the "Update data in database" tutorial at w3schools do this?

mysqli_query($con,"UPDATE Persons SET Age=36 WHERE FirstName='Peter' AND LastName='Griffin'");

So I have these in my database: "FirstName", "LastName", "Email", "UserName" and "Password". I am not sure about the difference between "SET" and "WHERE". Would I, for example, do this: "SET FirstName=(my text box first name), LastName=(my text box last name)" and so on, and then "WHERE FirstName=(old first name in database)" and so on?

So the code would be like this:

mysqli_query($con,"UPDATE User SET FirstName=(textbox), LastName=(textbox) WHERE FirstName='(Firstname in database)' AND LastName='(Lastname in database)'");

Will this still work even if I am changing the value I am using in "WHERE"? Sorry if I am asking silly questions, I'm trying to learn this!


Will the "Update data in database" tutorial at w3schools do this?

It's not using the session there. Basically, on your update page, instead of looking for $_GET['UserName'] for the username, you should look in $_SESSION['UserName'] (or whatever it might be called in your application). That way it will only update the information for the logged in user.

I am not sure about the difference between "SET" and "WHERE". Would I, for example, do this: "SET FirstName=(my text box first name), LastName=(my text box last name)" and so on, and then "WHERE FirstName=(old first name in database)" and so on?

The WHERE clause contains the conditions to identify the rows you want to change. If you do it based on the old name, then you will change any records that have the same name, even if they are different users. The WHERE clause should use a unique column on your users table, like the username, so that it only applies to the one record you're trying to update.

Okay, I get the difference now.

Well, with a little help from Dreamweaver I got this code (I don't know if I got it sorted right). At first I got it working, but not anymore... I don't know what happened.

//Get database info
<?php require_once('../Connections/lager.php'); ?>
<?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "0,1";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && false) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "login.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($_SERVER['QUERY_STRING']) && strlen($_SERVER['QUERY_STRING']) > 0)
    $MM_referrer .= "?" . $_SERVER['QUERY_STRING'];
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}

if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "") {
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "register")) {
  // Note: the row to change is picked by UserID taken from the submitted form,
  // not from the session, so the client decides which record gets updated.
  $updateSQL = sprintf("UPDATE Users SET FirstName=%s, LastName=%s, Email=%s, UserName=%s, Password=%s WHERE UserID=%s",
                       GetSQLValueString($_POST['FirstName'], "text"),
                       GetSQLValueString($_POST['LastName'], "text"),
                       GetSQLValueString($_POST['Email'], "text"),
                       GetSQLValueString($_POST['UserName'], "text"),
                       GetSQLValueString($_POST['Password'], "text"),
                       GetSQLValueString($_POST['UserID'], "int"));

  mysql_select_db($database_lager, $lager);
  $Result1 = mysql_query($updateSQL, $lager) or die(mysql_error());
}

// The record displayed in the form is looked up by the session username.
$colname_GetUserInfo = "-1";
if (isset($_SESSION['UserName'])) {
  $colname_GetUserInfo = $_SESSION['UserName'];
}
mysql_select_db($database_lager, $lager);
$query_GetUserInfo = sprintf("SELECT * FROM Users WHERE UserName = %s", GetSQLValueString($colname_GetUserInfo, "text"));
$GetUserInfo = mysql_query($query_GetUserInfo, $lager) or die(mysql_error());
$row_GetUserInfo = mysql_fetch_assoc($GetUserInfo);
$totalRows_GetUserInfo = mysql_num_rows($GetUserInfo);
?>

That code is kind of a mess, Dreamweaver does not produce the best code. That is trying to authorize users based on whatever is set for the user group in the session, I can't tell what gets saved there. For the part where it is updating the database, it is counting on the user ID being part of the form data. I would get rid of that and have it use the session username for the user to update, so that it will only update the current user. The part where it displays the user data in the form, and then when it updates the database, should both use the username from the session.

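The advice in the replies above (authorize by the session user instead of a URL parameter, key the UPDATE on a unique column, and have both the display query and the UPDATE use the session username) comes together in the page below. This is an added example written for this thread, not the poster's Dreamweaver output or anything from the thread itself. It assumes login.php has set $_SESSION['UserName'], a Users table with the columns the thread names (UserID, FirstName, LastName, Email, UserName, Password), PHP 7.4 or later, and PDO with placeholder DSN and credentials that you would replace with your own.

```php
<?php
// Added example (not the thread's code): update.php that binds both the record
// shown and the record written to the logged-in session user, so that
// "?UserName=user" in the URL or a forged hidden UserID field cannot reach
// another account.
// Assumptions: login.php sets $_SESSION['UserName']; Users table columns as in
// the thread; the DSN and credentials below are placeholders.
declare(strict_types=1);
session_start();

// Authentication: nobody logged in, nothing to update.
if (empty($_SESSION['UserName'])) {
    header('Location: login.php');
    exit;
}
$sessionUser = (string)$_SESSION['UserName'];

$pdo = new PDO(
    'mysql:host=localhost;dbname=lager;charset=utf8mb4', 'dbuser', 'dbpass', // placeholders
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

// Per-session token so a third-party page cannot submit this form on the user's behalf.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!hash_equals($_SESSION['csrf'], (string)($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Invalid form token');
    }
    $first = trim((string)($_POST['FirstName'] ?? ''));
    $last  = trim((string)($_POST['LastName'] ?? ''));
    $email = trim((string)($_POST['Email'] ?? ''));
    if ($first === '' || $last === '') {
        $errors[] = 'First and last name are required';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Invalid e-mail address';
    }

    if (!$errors) {
        // Vulnerable shape (what the generated code did):
        //   UPDATE Users SET ... WHERE UserID=<value taken from $_POST['UserID']>
        // Hardened shape: the row is chosen by the session, never by client input,
        // and values travel as bound parameters rather than string concatenation.
        $sql    = 'UPDATE Users SET FirstName = :first, LastName = :last, Email = :email';
        $params = [':first' => $first, ':last' => $last, ':email' => $email];
        $newPassword = (string)($_POST['Password'] ?? '');
        if ($newPassword !== '') {
            // Only touch Password when a new one was typed, and store a hash, not the text.
            $sql .= ', Password = :pw';
            $params[':pw'] = password_hash($newPassword, PASSWORD_DEFAULT);
        }
        $sql .= ' WHERE UserName = :user';   // UserName is unique, so at most one row can match
        $params[':user'] = $sessionUser;
        $pdo->prepare($sql)->execute($params);
    }
}

// Display: the same rule, so the form can only ever show the session user's data.
$stmt = $pdo->prepare('SELECT FirstName, LastName, Email, UserName FROM Users WHERE UserName = :user');
$stmt->execute([':user' => $sessionUser]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false) {
    // The session names a user that no longer exists: end it instead of showing an empty form.
    session_destroy();
    header('Location: login.php');
    exit;
}
$h = static fn (?string $s): string => htmlspecialchars((string)$s, ENT_QUOTES, 'UTF-8');
?>
<?php foreach ($errors as $e): ?><p><?= $h($e) ?></p><?php endforeach; ?>
<form method="post" action="update.php">
  <input type="hidden" name="csrf" value="<?= $h($_SESSION['csrf']) ?>">
  <p>Username: <?= $h($row['UserName']) ?></p>
  <label>First name <input name="FirstName" value="<?= $h($row['FirstName']) ?>"></label>
  <label>Last name <input name="LastName" value="<?= $h($row['LastName']) ?>"></label>
  <label>E-mail <input name="Email" value="<?= $h($row['Email']) ?>"></label>
  <label>New password <input type="password" name="Password" autocomplete="new-password"></label>
  <button type="submit">Update</button>
</form>
```

Two consequences of this design are worth checking in your own code: because Password is stored with password_hash(), login.php has to compare with password_verify() rather than a plain string match; and because UserName is the key the page authorizes on, it is shown but not editable here. If users must be able to rename themselves, key both queries on UserID taken from the session (set at login, never from the form) and refresh $_SESSION['UserName'] after the UPDATE.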

Yes, the coding in Dreamweaver is a mess. I also see that when I edit my "Server behaviors" it only adds new code; it does not delete the old code. This produces a red "!", and the code will not work until you delete the old code.

So I read about sessions, and it finally worked. I relied on the session UserName like you said and that worked fine for me; my link now looks like this: "/pages/update.php" (very clean).

One last problem: when I click my update button, it opens a new tab, so I get two tabs with "update.php". Is there any way to prevent the button from opening a new tab? I only want to refresh the page I stay on.

Thanks for your time and help!
