views: 40

answers: 1

OK, I am making a registry for my website.

The first page asks for some personal info:

    if($error==false) {

        // step 1: create the account row, then the profile row for the same email
        $query = pg_query("INSERT INTO chatterlogins(firstName, lastName, gender, password, ageMonth, ageDay, ageYear, email, createDate) VALUES('$firstNameSignup', '$lastNameSignup', '$genderSignup', md5('$passwordSignup'), $monthSignup, $daySignup, $yearSignup, '$emailSignup', now());");
        $query = pg_query("INSERT INTO chatterprofileinfo(email, lastLogin) VALUES('$emailSignup', now());");
        $userNameSet = $emailSignup;
        $_SESSION['$userNameSet'] = $userNameSet;
        header('Location: signup_step2.php'.$rdruri);

    }

The first query works. The second query works but doesn't save the email...

The session doesn't work, but the header works and sends me to the next page.

I get no errors, even if I comment out the header.

Next page:

    @session_start();

    $conn = pg_connect("host=localhost dbname=brittains_db user=brittains password=XXXX" );

    $signinCheck = false;
    $checkForm = "";

    // returning user: session set at login
    if(isset($_SESSION['$userName'])) {

        $userName = $_SESSION['$userName'];
        $signinCheck = true;
        $query = pg_query("UPDATE chatterprofileinfo SET lastLogin='now()' WHERE email='$userName'");

    }

    // new user: session set on the signup page
    if(isset($_SESSION['$userNameSet'])) {

        $userName = $_SESSION['$userNameSet'];
        $signinCheck = true;
        $query = pg_query("UPDATE chatterprofileinfo SET lastLogin='now()' WHERE email='$userName'");

    }

This is the top, starting the session depending on whether you're logged in or not.

Then, if I enter the info here and put it through this:

    if($error==false) {

        // step 2: fill in the profile row created in step 1
        $query = pg_query("UPDATE chatterprofileinfo SET aboutSelf='$aboutSelf', hobbies='$hobbies', music='$music', tv='$tv', sports='$sports', lastLogin='now()' WHERE email='$userName'") or exit(pg_last_error());
        //header('Location: signup_step3.php'.$rdruri);

    }

Nothing shows up in my database from this.

I have no idea where I went wrong.

The website is:

http://opentech.durhamcollege.ca/~intn2201/brittains/chatter/

A: 

For starters, don't put things that aren't strings in single quotes like that. 'now()' means the literal string "now()".

Also, if you're doing updates to your database, you're better off using prepared statements to help prevent SQL injection. In your case, see http://www.php.net/manual/en/function.pg-prepare.php

rkulla
kk, thanks. I should have known that, duh moment ><
MrEnder
Or go for pg_query_params(), the easiest solution for safe input in a query: http://nl2.php.net/pg_query_params. pg_prepare() is good when you have repeating queries.
Frank Heikens
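The two points made in the answer and in Frank Heikens' comment (leave `now()` unquoted, and pass user input as parameters rather than interpolating it), applied to the step-2 UPDATE from the question. This is an added example, not the original poster's code or the answerer's; it assumes the `chatterprofileinfo` table and column names from the question, and the connection string and sample values are placeholders.

```php
<?php
// Added example (not the poster's code): the step-2 UPDATE rewritten with
// pg_query_params(), plus the repeated lastLogin touch done with
// pg_prepare()/pg_execute(). Table and column names are taken from the
// question; the connection details are a placeholder.
$conn = pg_connect('host=localhost dbname=brittains_db user=brittains password=XXXX')
    or exit('connection failed: ' . pg_last_error());

// Constructed sample input. The aboutSelf value is a classic quote-based
// injection payload; passed as a parameter it is stored as plain text and
// is never parsed as SQL.
$userName  = 'alice@example.com';   // assumed to come from the session
$aboutSelf = "I'm new here'; DROP TABLE chatterprofileinfo; --";
$hobbies   = 'reading';
$music     = 'jazz';
$tv        = 'none';
$sports    = 'cycling';

// VULNERABLE (as posted): values are spliced into the SQL string, and
// 'now()' in quotes is the text "now()", not a call to the function.
//   pg_query("UPDATE chatterprofileinfo SET aboutSelf='$aboutSelf', ...,
//             lastLogin='now()' WHERE email='$userName'");

// FIXED: $1..$6 are placeholders filled by PostgreSQL from the parameter
// array; the SQL text itself never changes with the input. now() is left
// unquoted so the server evaluates it.
$sql = 'UPDATE chatterprofileinfo
           SET aboutSelf = $1, hobbies = $2, music = $3, tv = $4, sports = $5,
               lastLogin = now()
         WHERE email = $6';
$result = pg_query_params($conn, $sql,
    [$aboutSelf, $hobbies, $music, $tv, $sports, $userName])
    or exit('update failed: ' . pg_last_error($conn));
echo 'profile rows updated: ' . pg_affected_rows($result) . "\n";

// For a statement that runs repeatedly (the lastLogin touch at the top of
// every page), prepare it once and execute it with different parameters.
pg_prepare($conn, 'touch_login',
    'UPDATE chatterprofileinfo SET lastLogin = now() WHERE email = $1')
    or exit('prepare failed: ' . pg_last_error($conn));
$result = pg_execute($conn, 'touch_login', [$userName])
    or exit('execute failed: ' . pg_last_error($conn));
echo 'lastLogin rows updated: ' . pg_affected_rows($result) . "\n";
```

The SQL strings are single-quoted on the PHP side so that `$1`..`$6` reach PostgreSQL untouched; checking `pg_affected_rows()` is also how you would notice that the UPDATE matched no row (for example, because the email in the session does not match what step 1 inserted) even though the query itself reported no error.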