Cannot update database

Question

<?php
    session_start();

    if (isset($_POST['userid']) && isset($_POST['password']))
    {
    // if the user has just tried to log in
    $userid = $_POST['userid'];
    $password = $_POST['password'];

    $db_conn = new mysqli('localhost', 'user', 'passwd', 'dbname');

    if (mysqli_connect_errno()) {
    echo 'Connection to database failed:'.mysqli_connect_error();
    exit();
    }

    $query = 'select * from users '
           ."where userid like'$userid' "
           ." and password like sha1('$password')";

    $result = $db_conn->query($query);


    if ($result->num_rows >0 )
    {
     // if they are in the database register the user id
     $_SESSION['valid_user'] = $userid;    
    }
    $db_conn->close();
    }
    ?>
    <?

     $db_conn = new mysqli('localhost', 'user', 'passwd', 'dbname');

    if (mysqli_connect_errno()) {
    echo 'Connection to database failed:'.mysqli_connect_error();
    exit();
    }


    if (isset($_POST['submit'])) {
    if (empty($_POST['name']) || empty ($_POST['dob']) || empty ($_POST['contact'])|| empty          ($_POST['address'])|| empty ($_POST['email'])) {
    echo "All records to be filled in";
    exit;}
    }
    $name = $_POST['name'];
    $dob = $_POST['dob'];
    $contact = $_POST['contact'];
    $address = $_POST['address'];
    $email = $_POST['email'];

    $userid = $_SESSION['valid_user'];
    $sql = "UPDATE users SET name=$name, dob=$dob, contact=$contact, address=$address, email=$email
    WHERE userid ='$userid'";
      $result = $db_conn->query($sql);
    if (!$result) 
        echo "Your query failed.";
    else
        echo "User Information Updated ";

?>
<meta http-equiv="refresh" content="5;URL=members.php" /> 

I got your query failed when I run it. Anyone have any clue why my database dont get updated?

I'm pretty sure my sql works. Is there any mistake in my coding?

Answer 1

Looks like your exist statement is wrong..

 if (isset($_POST['submit'])) 
 {
    if (empty($_POST['name']) || empty ($_POST['dob']) || empty ($_POST['contact'])|| empty          ($_POST['address'])|| empty ($_POST['email'])) 
    {
        echo "All records to be filled in";
        **exit**;
    }
 }

Answer 2

Your query is okay, except that you're not using prepared statements.

The issue lies in your variables. echo them and see what's in them.

Since we don't have access to your database it's hard for us to verify if something else might be wrong with your query. You could for example create an SQL Fiddle.

Something else you should read up on: SQL Injection

Prepared statements look like this:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

/* check connection */
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}

$city = "Amersfoort";

/* create a prepared statement */
if ($stmt = $mysqli->prepare("SELECT District FROM City WHERE Name=?")) {

    /* bind parameters for markers */
    $stmt->bind_param("s", $city);

    /* execute query */
    $stmt->execute();

    /* bind result variables */
    $stmt->bind_result($district);

    /* fetch value */
    $stmt->fetch();

    printf("%s is in district %s\n", $city, $district);

    /* close statement */
    $stmt->close();
}

/* close connection */
$mysqli->close();
?>