Franck Muller

Reputation: 43

Unable to update table PDO update

I'm attempting to update a table in a database using PDO. At present I'm submitting the form and getting nothing but a white screen. I've enabled all error reporting options and still nothing but a white screen. I've been staring at the code for what feels like a lifetime and still can't resolve the issue. A push in the right direction would be much appreciated... Thanks.

<?php
require('includes/config.php'); 

//if not logged in redirect to login page
if(!$user->is_logged_in()){ header('Location: login.php'); } 

$signedin = $_SESSION['username'];

$sql = "UPDATE member SET firstname = :firstname, 
            lastname = :lastname, 
            username = :username,  
            email = :email,
            age = :age,    
            country = :country  
            where username = $signedin";
$stmt = $db->prepare($sql);                                  
$stmt->bindParam(':firstname', $_POST['firstname'], PDO::PARAM_STR);       
$stmt->bindParam(':lastname', $_POST['lastname'], PDO::PARAM_STR);    
$stmt->bindParam(':username', $_POST['username'], PDO::PARAM_STR);
$stmt->bindParam(':email', $_POST['email'], PDO::PARAM_STR); 
// use PARAM_STR although a number  
$stmt->bindParam(':age', $_POST['age'], PDO::PARAM_STR);   
$stmt->bindParam(':country', $_POST['country'], PDO::PARAM_STR);   
$stmt= $db->execute($sql);
?>

Upvotes: 0

Views: 56

Answers (2)

Machavity

Reputation: 31624

The execute() function doesn't need the $sql (you provided that in prepare()).

$stmt->execute();

Next, you should pass all your data into your prepared statement, otherwise you're defeating the purpose (which is maximum security). So let's remove

$sql = "UPDATE member SET firstname = :firstname, 
            lastname = :lastname, 
            username = :username,  
            email = :email,
            age = :age,    
            country = :country  
            where username = :username";
//snip
$stmt->bindParam(':username', $_SESSION['username'], PDO::PARAM_STR);  

Upvotes: 2

Chin Leung

Reputation: 14921

You need the quotes in your where clause.

$sql = "UPDATE member SET firstname = :firstname, 
        lastname = :lastname, 
        username = :username,  
        email = :email,
        age = :age,    
        country = :country  
        where username = '$signedin'";

Also, it's better to update by id since it's unique.

Upvotes: 1
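Putting both answers together, here is a corrected version of the asker's script as an added example; it is not the asker's code nor either answerer's. It binds every value, including the session username, as a parameter (so no quoting of `$signedin` is needed and no form value can alter the query text), and it gives the WHERE clause its own placeholder, `:current_username`, because the new username in SET and the current username in WHERE are two different values and a single `:username` placeholder can only carry one of them. It assumes, as in the question, that `includes/config.php` provides a PDO connection in `$db` and a `$user` object with `is_logged_in()`, and that `age` is a numeric column; the `member` table and column names are the question's own.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes includes/config.php defines $db (a PDO instance) and $user (with is_logged_in()).
require('includes/config.php');

// Throw on SQL errors instead of failing silently, which is what produced the white screen.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Redirect unauthenticated users and stop. Without exit, PHP keeps running after the
// Location header is sent and the UPDATE below would execute for a logged-out visitor.
if (!$user->is_logged_in()) {
    header('Location: login.php');
    exit;
}

// Accept only the fields the form is supposed to send; anything else in $_POST is ignored.
$fields = ['firstname', 'lastname', 'username', 'email', 'age', 'country'];
$values = [];
foreach ($fields as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        http_response_code(400);
        exit("Missing form field: $field");
    }
    $values[$field] = trim($_POST[$field]);
}
// Assumption: age is a numeric column, so reject non-digit input before binding it as an int.
if (!ctype_digit($values['age'])) {
    http_response_code(400);
    exit('Age must be a whole number');
}

// Distinct placeholders for the new username (SET) and the current one (WHERE).
// Reusing :username for both would leave only the last bound value in effect.
$sql = "UPDATE member
           SET firstname = :firstname,
               lastname  = :lastname,
               username  = :username,
               email     = :email,
               age       = :age,
               country   = :country
         WHERE username = :current_username";

try {
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':firstname', $values['firstname'], PDO::PARAM_STR);
    $stmt->bindValue(':lastname',  $values['lastname'],  PDO::PARAM_STR);
    $stmt->bindValue(':username',  $values['username'],  PDO::PARAM_STR);
    $stmt->bindValue(':email',     $values['email'],     PDO::PARAM_STR);
    $stmt->bindValue(':age',       (int) $values['age'], PDO::PARAM_INT);
    $stmt->bindValue(':country',   $values['country'],   PDO::PARAM_STR);
    // The session, not the form, decides which row is updated.
    $stmt->bindValue(':current_username', $_SESSION['username'], PDO::PARAM_STR);

    // execute() takes no SQL: the statement was compiled by prepare().
    $stmt->execute();

    // If the account was renamed, keep the session in step so later requests still match a row.
    if ($stmt->rowCount() === 1) {
        $_SESSION['username'] = $values['username'];
    }
} catch (PDOException $e) {
    // Log the real error server-side; do not echo database details to the browser.
    error_log('member update failed: ' . $e->getMessage());
    http_response_code(500);
    exit('Update failed');
}
```

`bindValue()` is used rather than `bindParam()` because the values are already in local variables and nothing needs to change between binding and execution. As Chin Leung notes, keying the WHERE clause on the row's id rather than the username avoids the rename bookkeeping at the end; the example keeps the username because that is what the asker's session stores.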
