Create a working Profile Page

A simple profile page with read, update and delete functions.

Resulting Form

Explanation

Hello

Read User Information

<?php

// Resume the session that the login page started. $mysqli is the database
// connection created in your connection include.
session_start();

$userId = $_SESSION["userId"];

$sql = "SELECT firstName, lastName, email FROM users WHERE userId = ?";

if($stmt = $mysqli->prepare($sql)){

    // Bind variables to the prepared statement as parameters
    $stmt->bind_param("i", $param_userId);

    // Set parameters
    $param_userId = $userId;

    // Attempt to execute the prepared statement
    $stmt->execute();

    $result = $stmt->get_result();

    if($result->num_rows == 1) {

        $row = $result->fetch_array(MYSQLI_ASSOC);

        // These variables are now free to use throughout this page
        $firstName = $row["firstName"];
        $lastName = $row["lastName"];
        $email = $row["email"];

    }
}

?>

Explanation

This code assumes you have set $_SESSION['userId'] after a successful login.

Please see the Login Form page to see how to do this.

If you wish to read a user other than yourself, you need to pass the userId in the URL.

Then replace $_SESSION['userId'] with escape($_GET['userId']).

escape() is a function I have created in functions.

Form

<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">

<label for="firstName" class="form-label">First Name</label>
<input type="text" class="form-control" id="firstName" name="firstName" aria-describedby="firstName" value="<?php echo htmlspecialchars($firstName); ?>">

<label for="lastName" class="form-label">Last Name</label>
<input type="text" class="form-control" id="lastName" name="lastName" aria-describedby="lastName" value="<?php echo htmlspecialchars($lastName); ?>">

<label for="email" class="form-label">Email</label>
<input type="email" class="form-control" id="email" name="email" aria-describedby="email" value="<?php echo htmlspecialchars($email); ?>">

<div class="row mb-3">
<button type="submit" class="btn btn-primary" name="update">Update</button>
<button type="submit" class="btn btn-primary" name="delete">Delete</button>
</div>

</form>

Explanation

htmlspecialchars($_SERVER['PHP_SELF']) encodes the request path before it is placed in the action attribute, so a crafted URL cannot inject script into your form (a cross site scripting vector). The same htmlspecialchars() call is applied to each value="" so that stored user data is shown as text rather than interpreted as HTML.

It also means the form will be processed by the same page, although you could change this to another .php page.

The form is set to method="post". This is used because you need to "post" (send) your form data to the server for processing.

The label for="" must match the input id="". This associates the label with the relevant input field.

The input name="" attribute is very important. It is the key used to read each field when processing your form.
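The read and form sections above, as an added example that is not the tutorial's own code. It reads the profile for the logged-in user, honours the optional ?userId= parameter the explanation mentions only after validating it as an integer and checking the session is allowed to view other users, and renders the values into the form through one output-encoding helper. Assumed names: config.php (the include that defines $mysqli), login.php (the login page), $_SESSION['isAdmin'] (a hypothetical flag set at login for accounts that may view other profiles) and the helper e().

```php
<?php
// Added example, not the tutorial's own code.
// Assumptions: config.php defines $mysqli (the tutorial's connection), login.php
// is the login page, $_SESSION['userId'] was set at login, and
// $_SESSION['isAdmin'] is a hypothetical flag for accounts allowed to view others.
session_start();
require_once 'config.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw instead of returning false

// Encode any value before it is echoed into HTML. ENT_QUOTES also covers the
// double quote, which matters inside value="...".
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (!isset($_SESSION['userId'])) {
    header('Location: login.php');
    exit;
}
$sessionUserId = (int) $_SESSION['userId'];

// Optional ?userId=NN to read someone else's profile. Validate it as an integer
// rather than trusting the raw query string, and only honour it for a session
// that is allowed to view other users.
$targetUserId = $sessionUserId;
$requested = filter_input(INPUT_GET, 'userId', FILTER_VALIDATE_INT); // null if absent, false if not an integer
if ($requested === false) {
    http_response_code(400);
    exit('userId must be a whole number.');
}
if ($requested !== null && $requested !== $sessionUserId) {
    if (empty($_SESSION['isAdmin'])) {
        http_response_code(403);
        exit('You may only view your own profile.');
    }
    $targetUserId = $requested;
}

// The id travels as a bound parameter, so it is never spliced into the SQL text.
$stmt = $mysqli->prepare('SELECT firstName, lastName, email FROM users WHERE userId = ?');
$stmt->bind_param('i', $targetUserId);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc(); // null when no row matched
$stmt->close();
if ($row === null) {
    http_response_code(404);
    exit('No such user.');
}
?>
<form action="<?= e($_SERVER['PHP_SELF']) ?>" method="post">
  <label for="firstName" class="form-label">First Name</label>
  <input type="text" class="form-control" id="firstName" name="firstName" value="<?= e($row['firstName']) ?>">

  <label for="lastName" class="form-label">Last Name</label>
  <input type="text" class="form-control" id="lastName" name="lastName" value="<?= e($row['lastName']) ?>">

  <label for="email" class="form-label">Email</label>
  <input type="email" class="form-control" id="email" name="email" value="<?= e($row['email']) ?>">

  <div class="row mb-3">
    <button type="submit" class="btn btn-primary" name="update">Update</button>
    <button type="submit" class="btn btn-primary" name="delete">Delete</button>
  </div>
</form>
```

Two design choices matter here. The stored values are encoded at the moment they are echoed, so the page stays safe regardless of what was stored; and a request for another user's profile is refused before the query runs unless the session carries the (assumed) isAdmin flag, which keeps the ?userId= feature from turning into a way to browse every account.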

Update "your" User In users Table

<?php

// session_start() must already have run on this page (see Read User Information).
if(isset($_POST["update"]) && $_SERVER["REQUEST_METHOD"] == "POST"){

    $userId = $_SESSION["userId"];
    $firstName = escape($_POST["firstName"]);
    $lastName = escape($_POST["lastName"]);
    $email = escape($_POST["email"]);

    $sql = "UPDATE users SET firstName=?, lastName=?, email=? WHERE userId=?";

    if($stmt = $mysqli->prepare($sql)){

        // Bind variables to the prepared statement as parameters
        $stmt->bind_param("sssi", $param_firstName, $param_lastName, $param_email, $param_userId);

        // Set parameters
        $param_firstName = $firstName;
        $param_lastName = $lastName;
        $param_email = $email;
        $param_userId = $userId;

        // Attempt to execute the prepared statement
        $stmt->execute();
    }
}

?>

Explanation

The first if() statement checks that the "update" button has been pressed and that the form method is "post".

This code updates "YOUR" profile. If you wish to update another user's profile, please see the Read User Information explanation.

escape() is a function I have created in functions.

I am using prepared statements to ensure your code is safe from SQL injection: the values are sent to the database as parameters, so they can never be interpreted as part of the SQL statement.

The "sssi" defines the type of each value being sent, s = string and i = integer. In my example I am saying that $param_firstName is a string and $param_userId is an integer. These types are defined on the Create Table page.

Delete "you" as a User

<?php

// session_start() must already have run on this page (see Read User Information).
if(isset($_POST["delete"]) && $_SERVER["REQUEST_METHOD"] == "POST"){

    $userId = $_SESSION["userId"];

    $sql = "DELETE FROM users WHERE userId=?";

    if($stmt = $mysqli->prepare($sql)){

        // Bind variables to the prepared statement as parameters
        $stmt->bind_param("i", $param_userId);

        // Set parameters
        $param_userId = $userId;

        // Attempt to execute the prepared statement
        $stmt->execute();
    }
}

?>

Explanation

Hello
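The update and delete handlers above, as an added example that is not the tutorial's own code. It keeps the tutorial's rule that the affected userId comes only from the session, validates the posted fields before binding them, reports whether the UPDATE changed a row, redirects after a successful POST so a browser refresh cannot resubmit the form, and destroys the session once the account has been deleted. Assumed names: config.php (the include that defines $mysqli), profile.php and login.php (page names), and a 64-character limit for the name columns; the tutorial's escape() is not used because bound parameters already carry the values safely into SQL.

```php
<?php
// Added example, not the tutorial's own code.
// Assumptions: config.php defines $mysqli, $_SESSION['userId'] was set at
// login, profile.php and login.php are the page names, and the name columns
// created on the Create Table page hold at most 64 characters.
session_start();
require_once 'config.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw instead of returning false

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_SESSION['userId'])) {
    header('Location: login.php');
    exit;
}
$userId = (int) $_SESSION['userId']; // which row is touched is decided by the session, never by the request body

if (isset($_POST['update'])) {
    // Validate before binding. Bound parameters stop the values from becoming
    // SQL, but they do not stop empty, oversized or malformed data from being stored.
    $firstName = trim($_POST['firstName'] ?? '');
    $lastName  = trim($_POST['lastName'] ?? '');
    $email     = filter_var(trim($_POST['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($firstName === '' || $lastName === '' || $email === false
        || strlen($firstName) > 64 || strlen($lastName) > 64) {
        http_response_code(400);
        exit('Please supply a first name, a last name and a valid email address.');
    }

    $stmt = $mysqli->prepare('UPDATE users SET firstName = ?, lastName = ?, email = ? WHERE userId = ?');
    $stmt->bind_param('sssi', $firstName, $lastName, $email, $userId);
    $stmt->execute();
    $changed = $stmt->affected_rows; // 0 when nothing differed or the row no longer exists
    $stmt->close();

    // Redirect after POST: the browser lands on a GET, so a refresh does not resend the update.
    header('Location: profile.php?updated=' . $changed);
    exit;
}

if (isset($_POST['delete'])) {
    $stmt = $mysqli->prepare('DELETE FROM users WHERE userId = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->close();

    // The account is gone, so the session that identified it must go too.
    // Otherwise the browser keeps a userId that no longer maps to any row.
    $_SESSION = [];
    session_destroy();
    header('Location: login.php?deleted=1');
    exit;
}

// Neither button was pressed: send the user back to the form.
header('Location: profile.php');
exit;
```

The delete branch is the part most often left incomplete in profile pages of this shape: after the DELETE succeeds the session still says "you are user N", and every later page on the site that trusts $_SESSION['userId'] will behave as if that user still exists. Clearing and destroying the session closes that gap.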