  1. <?php
  2.  
  3. // Things to notice:
  4. // The main job of this script is to execute an INSERT or UPDATE statement to create or update a user's profile information...
  5. // ... but only once the data the user supplied has been validated on the client-side, and then sanitised ("cleaned") and validated again on the server-side
  6. // It's your job to add these steps into the code
  7. // Both sign_up.php and sign_in.php do client-side validation, followed by sanitisation and validation again on the server-side -- you may find it helpful to look at how they work
  8. // HTML5 can validate all the profile data for you on the client-side
  9. // The PHP functions in helper.php will allow you to sanitise the data on the server-side and validate *some* of the fields...
  10. // ... but you'll also need to add some new PHP functions of your own to validate email addresses and dates
  11.  
  12. // execute the header script:
  13. require_once "header.php";
  14.  
  15. // default values we show in the form:
  16. $firstname = "";
  17. $lastname = "";
  18. $pets = "";
  19. $email = "";
  20. $dob = "";
  21. // strings to hold any validation error messages:
  22. $firstname_val = "";
  23. $lastname_val = "";
  24. $pets_val = "" ;
  25. $email_val = "";
  26. $dob_val = "";
  27. // should we show the set profile form?:
  28. $show_profile_form = false;
  29. // message to output to user:
  30. $message = "";
  31.  
  32. if (!isset($_SESSION['loggedInSkeleton']))
  33. {
  34. // user isn't logged in, display a message saying they must be:
  35. echo "You must be logged in to view this page.<br>";
  36. }
  37. elseif (isset($_POST['firstname']))
  38. {
  39. // user just tried to update their profile
  40.  
  41. // connect directly to our database (notice 4th argument) we need the connection for sanitisation:
  42. $connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
  43.  
  44. // if the connection fails, we need to know, so allow this exit:
  45. if (!$connection)
  46. {
  47. die("Connection failed: " . $mysqli_connect_error);
  48. }
  49.  
  50. // SANITISATION:
  51.  
  52. $firstname = sanitise ($_POST['firstname'], $connection);
  53. $lastname = sanitise ($_POST['lastname'], $connection);
  54. $pets = sanitise ($_POST['pets'], $connection);
  55. $email = sanitise ($_POST['email'], $connection);
  56. $dob = sanitise ($_POST['dob'], $connection);
  57.  
  58. // SERVER-SIDE VALIDATION CODE :
  59.  
  60. $firstname_val = validateString($firstname, 1, 40) ;
  61. $lastname_val = validateString($lastname, 1, 50);
  62. $pets_val = validateInt ($pets, 0, 250);
  63. $email_val = validateEmail ($email, FILTER_VALIDATE_EMAIL);
  64. //$dob_val = validateDate ($dob, date )
  65. // ...
  66.  
  67. $errors = $firstname_val . $lastname_val . $pets_val . $email_val ;
  68.  
  69. // check that all the validation tests passed before going to the database:
  70. if ($errors == "")
  71. {
  72. // read their username from the session:
  73. $username = $_SESSION["username"];
  74.  
  75. // now write the new data to our database table...
  76.  
  77. // check to see if this user already had a favourite:
  78. $query = "SELECT * FROM profiles WHERE username='$username'";
  79.  
  80. // this query can return data ($result is an identifier):
  81. $result = mysqli_query($connection, $query);
  82.  
  83. // how many rows came back? (can only be 1 or 0 because username is the primary key in our table):
  84. $n = mysqli_num_rows($result);
  85.  
  86. // if there was a match then UPDATE their profile data, otherwise INSERT it:
  87. if ($n > 0)
  88. {
  89. // we need an UPDATE:
  90. $query = "UPDATE profiles SET firstname='$firstname',lastname='$lastname', pets=$pets,email='$email',dob='$dob' WHERE username='$username'";
  91. $result = mysqli_query($connection, $query);
  92. }
  93. else
  94. {
  95. // we need an INSERT:
  96. $query = "INSERT INTO profiles (username,firstname,lastname,age,pets,email,dob) VALUES ('$username','$firstname','$lastname',$pets,'$email','$dob')";
  97. $result = mysqli_query($connection, $query);
  98. }
  99.  
  100. // no data returned, we just test for true(success)/false(failure):
  101. if ($result)
  102. {
  103. // show a successful update message:
  104. $message = "Profile successfully updated<br>";
  105. }
  106. else
  107. {
  108. // show the set profile form:
  109. $show_profile_form = true;
  110. // show an unsuccessful update message:
  111. $message = "Update failed<br>";
  112. }
  113. }
  114. else
  115. {
  116. // validation failed, show the form again with guidance:
  117. $show_profile_form = true;
  118. // show an unsuccessful update message:
  119. $message = "Update failed, please check the errors above and try again<br>";
  120. }
  121.  
  122. // we're finished with the database, close the connection:
  123. mysqli_close($connection);
  124.  
  125. }
  126. else
  127. {
  128. // arrived at the page for the first time, show any data already in the table:
  129.  
  130. // read the username from the session:
  131. $username = $_SESSION["username"];
  132.  
  133. // now read their profile data from the table...
  134.  
  135. // connect directly to our database (notice 4th argument):
  136. $connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);
  137.  
  138. // if the connection fails, we need to know, so allow this exit:
  139. if (!$connection)
  140. {
  141. die("Connection failed: " . $mysqli_connect_error);
  142. }
  143.  
  144. // check for a row in our profiles table with a matching username:
  145. $query = "SELECT * FROM profiles WHERE username='$username'";
  146.  
  147. // this query can return data ($result is an identifier):
  148. $result = mysqli_query($connection, $query);
  149.  
  150. // how many rows came back? (can only be 1 or 0 because username is the primary key in our table):
  151. $n = mysqli_num_rows($result);
  152.  
  153. // if there was a match then extract their profile data:
  154. if ($n > 0)
  155. {
  156. // use the identifier to fetch one row as an associative array (elements named after columns):
  157. $row = mysqli_fetch_assoc($result);
  158. // extract their profile data for use in the HTML:
  159. $firstname = $row['firstname'];
  160. $lastname = $row['lastname'];
  161. $pets = $row['pets'];
  162. $email = $row['email'];
  163. $dob = $row['dob'];
  164. }
  165.  
  166. // show the set profile form:
  167. $show_profile_form = true;
  168.  
  169. // we're finished with the database, close the connection:
  170. mysqli_close($connection);
  171.  
  172. }
  173.  
  174. if ($show_profile_form)
  175. {
  176. echo <<<_END
  177.  
  178. <!-- CLIENT-SIDE VALIDATION -->
  179.  
  180. <!-- Changing the input types to the appropriate type and adding sensible character restrictions -->
  181.  
  182. <form action="set_profile.php" method="post">
  183. Update your profile info:<br>
  184. First name: <input type="text" maxlength = "40" name="firstname" value="$firstname"required>
  185. <br>
  186. Last name: <input type="text" maxlength = "40" name="lastname" value="$lastname"required>
  187. <br>
  188. Number of pets: <input type="number" min="0" max="128" name="pets" value="$pets"required>
  189. <br>
  190. Email address: <input type="email" maxlength ="50" name="email" value="$email"required>
  191. <br>
  192. Date of birth: <input type="date" name="dob" value="$dob"required>
  193. <br>
  194. <input type="submit" value="Submit">
  195. </form>
  196. _END;
  197. }
  198.  
  199. // display our message to the user:
  200. echo $message;
  201.  
  202. // finish of the HTML for this page:
  203. require_once "footer.php";
  204. ?>