David Garcia

Reputation: 2696

PHP/MYSQL Update Statement advice

I have a form with user details and an update statement that will update such details if the user wants to. I added validation so that an email cannot be associated with another account, hence the if($checkuser != 0).

The issue with the statement is that if the user doesn't change their email and updates their details, they will get an error saying the email already exists.

I wanted to integrate, after the email existence check, something like else if(($_POST["myusername"]) == ($row['email'])) then continue updating (the myusername variable contains the email), meaning that if the posted email is the same as their current email, then continue updating.

But I am getting lost; since I am relatively new to PHP, I am having trouble with parentheses and brackets.

Here is my code:

if($_POST['usubmit']=='Update') 
{
    $Uerr = array();

    if (!$_POST['fullname'] || !$_POST['myusername']) 
        {   
            $Uerr[] = '» Name or Email must be filled in!';
        }

    if (!checkEmail($_POST['myusername']))
        {
            $Uerr[]='» Your email is not valid!';
        }


    // If there are no errors
    if(!count($Uerr))
        {
            /* Now we will check if username is already in use or not */
           $queryuser=mysql_query("SELECT * FROM customer WHERE email='" . mysql_real_escape_string($_POST["myusername"]) . "'");
           $checkuser=mysql_num_rows($queryuser);

           if($checkuser != 0)
            { 
                $Uerr[]='» Sorry this email is already registered!';
            }

        else 
                {
                    $updateDetails = mysql_query("UPDATE customer SET 
                    name = '" . mysql_real_escape_string($_POST["fullname"]) . "', 
                    dob = '" . mysql_real_escape_string($_POST["dob"]) . "',  
                    address = '" . mysql_real_escape_string($_POST["address"]) . "', 
                    email = '" . mysql_real_escape_string($_POST["myusername"]) . "', 
                    telephone = '" . mysql_real_escape_string($_POST["telephone"]) . "' 
                    WHERE cus_id = '$cus_id'"); 

                    if ($updateDetails) 

                            $_SESSION['Umsg']['Ureg-success']="» Your details have been updated successfully!";

                       else { 
                              $Uerr[]='» error updating your account'.mysql_error(); 
                            }
                }
        }
            if(count($Uerr))
            {
                $_SESSION['Umsg']['Ureg-err'] = implode('<br />',$Uerr);
            }

    header("Location: account.php");
    exit;        
}

Upvotes: 1

Views: 159

Answers (4)

invisal

Reputation: 11171

> I have a form with user details and an update statement that will update such details if the user wants to, I added validation so that an email cannot be associated with another account hence the if($checkuser != 0)
>
> The issue with the statement is that if the user doesn't change their email and updates their details, they will get an error saying email already exist.

Why don't you just check whether the email already exists on another account, excluding his own account? That can be solved with a few changes to your query.

$queryuser=mysql_query("SELECT * FROM customer WHERE email='" . 
mysql_real_escape_string($_POST["myusername"]) . "' AND cus_id!=" . intval($cus_id));

Upvotes: 2

AL-Kateb

Reputation: 2962

This should work:

if($_POST['usubmit']=='Update') 
{
    $Uerr = array();

    if (!$_POST['fullname'] || !$_POST['myusername']) 
        {   
            $Uerr[] = '&raquo; Name or Email must be filled in!';
        }

    if (!checkEmail($_POST['myusername']))
        {
            $Uerr[]='&raquo; Your email is not valid!';
        }


    // If there are no errors
    if(!count($Uerr))
        {
            /* Now we will check if username is already in use or not */
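           // Exclude the current customer's own row; the id is escaped and quoted like the other values
           $queryuser=mysql_query("SELECT * FROM customer WHERE email='" . mysql_real_escape_string($_POST["myusername"]) . "' AND cus_id != '" . mysql_real_escape_string($cus_id) . "'");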

           $checkuser=mysql_num_rows($queryuser);

           if($checkuser != 0)
            { 
                $Uerr[]='&raquo; Sorry this email is already registered!';
            }

        else 
                {
                    $updateDetails = mysql_query("UPDATE customer SET 
                    name = '" . mysql_real_escape_string($_POST["fullname"]) . "', 
                    dob = '" . mysql_real_escape_string($_POST["dob"]) . "',  
                    address = '" . mysql_real_escape_string($_POST["address"]) . "', 
                    email = '" . mysql_real_escape_string($_POST["myusername"]) . "', 
                    telephone = '" . mysql_real_escape_string($_POST["telephone"]) . "' 
                    WHERE cus_id = '$cus_id'"); 

                    if ($updateDetails) 

                            $_SESSION['Umsg']['Ureg-success']="&raquo; Your details have been updated successfully!";

                       else { 
                              $Uerr[]='&raquo; error updating your account'.mysql_error(); 
                            }
                }
        }
            if(count($Uerr))
            {
                $_SESSION['Umsg']['Ureg-err'] = implode('<br />',$Uerr);
            }

    header("Location: account.php");
    exit;        
}

Upvotes: 2

user745235

Reputation:

I do something ugly, but it works great.

I add the actual info on some hidden inputs like:

<input type="hidden" name="actual_email" value="<?php echo $object->email; ?>" />

Now you just need to check if the email in the user input (the visible one) is the same as the one in the hidden input. If yes, just ignore the email validation, because it means the user hasn't changed his email.

Upvotes: 1
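The uniqueness check from the answers above with the decision made entirely on the server: an added example (not code from any poster) that uses PDO bound parameters, keeps the "exclude my own row" condition from invisal's query, and takes the customer id from server-side state rather than from a form field such as the hidden actual_email input, which the browser controls. updateCustomer(), the reduced two-column SQLite schema and the sample rows are constructed for illustration.

```php
<?php
// Added example: constructed schema and data in an in-memory SQLite database.
// updateCustomer() is a hypothetical helper, not code from the thread.
function updateCustomer(PDO $db, int $cusId, array $post): array
{
    $email = trim($post['myusername'] ?? '');
    $name  = trim($post['fullname'] ?? '');
    if ($name === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return ['Name and a valid email are required'];
    }
    // Uniqueness check that ignores the caller's own row. $cusId comes from
    // the server-side session, never from a form field.
    $check = $db->prepare('SELECT 1 FROM customer WHERE email = :email AND cus_id <> :id');
    $check->execute([':email' => $email, ':id' => $cusId]);
    if ($check->fetchColumn() !== false) {
        return ['Sorry this email is already registered!'];
    }
    try {
        $upd = $db->prepare('UPDATE customer SET name = :name, email = :email WHERE cus_id = :id');
        $upd->execute([':name' => $name, ':email' => $email, ':id' => $cusId]);
    } catch (PDOException $e) {
        // The UNIQUE index still rejects a duplicate that slips in between
        // the SELECT and the UPDATE; log the details, show a generic message.
        error_log($e->getMessage());
        return ['Error updating your account'];
    }
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE customer (cus_id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE)');
$db->exec("INSERT INTO customer VALUES (1, 'Ann', 'ann@example.com'), (2, 'Bob', 'bob@example.com')");

// Customer 1 resubmits their own email unchanged: no errors are returned.
var_dump(updateCustomer($db, 1, ['fullname' => 'Ann B', 'myusername' => 'ann@example.com']) === []);
// Customer 1 submits customer 2's email: rejected, whatever a hidden field claims.
var_dump(updateCustomer($db, 1, ['fullname' => 'Ann B', 'myusername' => 'bob@example.com',
    'actual_email' => 'bob@example.com']) !== []);
```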

Quest4Answers

Reputation: 88

When you are having a user change their information, they should only have access to their account (for security & privacy purposes). Therefore you should use their e-mail as the identifier when getting their information.

Upvotes: 0
