Untitled

<?php

// Things to notice:
// The main job of this script is to execute an INSERT or UPDATE statement to create or update a user's profile information...
// ... but only once the data the user supplied has been validated on the client-side, and then sanitised ("cleaned") and validated again on the server-side
// It's your job to add these steps into the code
// Both sign_up.php and sign_in.php do client-side validation, followed by sanitisation and validation again on the server-side -- you may find it helpful to look at how they work
// HTML5 can validate all the profile data for you on the client-side
// The PHP functions in helper.php will allow you to sanitise the data on the server-side and validate *some* of the fields...
// ... but you'll also need to add some new PHP functions of your own to validate email addresses and dates

// execute the header script:
require_once "header.php";

// default values we show in the form:
$firstname = "";
$lastname = "";
$pets = "";
$email = "";
$dob = "";
// strings to hold any validation error messages:
$firstname_val = "";
$lastname_val = "";
$pets_val = "";
$email_val = "";
$dob_val = "";
// should we show the set profile form?:
$show_profile_form = false;
// message to output to user:
$message = "";

if (!isset($_SESSION['loggedInSkeleton']))
{
	// user isn't logged in, display a message saying they must be:
	echo "You must be logged in to view this page.<br>";
}
elseif (isset($_POST['firstname']))
{
	// user just tried to update their profile

	// connect directly to our database (notice 4th argument) we need the connection for sanitisation:
	$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);

	// if the connection fails, we need to know, so allow this exit:
	if (!$connection)
	{
		die("Connection failed: " . $mysqli_connect_error);
	}

	// SANITISATION CODE MISSING:

	// take copies of the credentials the user submitted and sanitise (clean) them:
	$firstname = sanitise ($_POST['firstname'], $connection);
	$lastname = sanitise ($_POST['lastname'], $connection);
	$pets = sanitise ($_POST['pets'], $connection);
	$email = sanitise ($_POST['email'], $connection);
	$dob = sanitise ($_POST['dob'], $connection);

	// This is the code for server side validation, each field is validated seperately and has each have different conditions to be validated against
	$firstname_val = validateString($firstname, 5, 16);
    $lastname_val = validateString($lastname, 5, 16);
    $pets_val = validateInt($pets,0,128);
    if(!filter_var($email,FILTER_VALIDATE_EMAIL))
    {
        $email_val="$email is not valid";
    }
    //$dob_val = validateDOB($dob);


	//any errors will be stored in these variables
	$errors = $firstname_val . $lastname_val . $pets_val . $email_val;


	// check that all the validation tests passed before going to the database:
	if ($errors == "")
	{
		// read their username from the session:
		$username = $_SESSION["username"];

		// now write the new data to our database table...

		// check to see if this user already had a favourite:
		$query = "SELECT * FROM profiles WHERE username='$username'";

		// this query can return data ($result is an identifier):
		$result = mysqli_query($connection, $query);

		// how many rows came back? (can only be 1 or 0 because username is the primary key in our table):
		$n = mysqli_num_rows($result);

		// if there was a match then UPDATE their profile data, otherwise INSERT it:
		if ($n > 0)
		{
			// we need an UPDATE:
			$query = "UPDATE profiles SET firstname='$firstname',lastname='$lastname',pets=$pets,email='$email',dob='$dob' WHERE username='$username'";
			$result = mysqli_query($connection, $query);
		}
		else
		{
			// we need an INSERT:
			$query = "INSERT INTO profiles (username,firstname,lastname,pets,email,dob) VALUES ('$username','$firstname','$lastname',$pets,'$email','$dob')";
			$result = mysqli_query($connection, $query);
		}

		// no data returned, we just test for true(success)/false(failure):
		if ($result)
		{
			// show a successful update message:
			$message = "Profile successfully updated<br>";
		}
		else
		{
			// show the set profile form:
			$show_profile_form = true;
			// show an unsuccessful update message:
			$message = "Update failed<br>";
		}
	}
	else
	{
		// validation failed, show the form again with guidance:
		$show_profile_form = true;
		// show an unsuccessful update message:
		$message = "Update failed, please check the errors above and try again<br>";
	}

	// we're finished with the database, close the connection:
	mysqli_close($connection);

}
else
{
	// arrived at the page for the first time, show any data already in the table:

	// read the username from the session:
	$username = $_SESSION["username"];

	// now read their profile data from the table...

	// connect directly to our database (notice 4th argument):
	$connection = mysqli_connect($dbhost, $dbuser, $dbpass, $dbname);

	// if the connection fails, we need to know, so allow this exit:
	if (!$connection)
	{
		die("Connection failed: " . $mysqli_connect_error);
	}

	// check for a row in our profiles table with a matching username:
	$query = "SELECT * FROM profiles WHERE username='$username'";

	// this query can return data ($result is an identifier):
	$result = mysqli_query($connection, $query);

	// how many rows came back? (can only be 1 or 0 because username is the primary key in our table):
	$n = mysqli_num_rows($result);

	// if there was a match then extract their profile data:
	if ($n > 0)
	{
		// use the identifier to fetch one row as an associative array (elements named after columns):
		$row = mysqli_fetch_assoc($result);
		// extract their profile data for use in the HTML:
		$firstname = $row['firstname'];
		$lastname = $row['lastname'];
		$pets = $row['pets'];
		$email = $row['email'];
		$dob = $row['dob'];
	}

	// show the set profile form:
	$show_profile_form = true;

	// we're finished with the database, close the connection:
	mysqli_close($connection);

}

if ($show_profile_form)
{
    if(isset($_get['noval']))
    {
// a version without client side validation
echo <<<_END
<form action="set_profile.php?noval=y" method="post">
Update your profile info:<br>
  First name: <input type="text" name="firstname" value="$firstname"> $firstname_val
  <br>
  Last name: <input type="text" name="lastname" value="$lastname"> $lastname_val
  <br>
  Number of pets:<input type="text" name="pets" value="$pets"> $pets_val
  <br>
  Email address: <input type="text" name="email" value="$email"> $email_val
  <br>
  Date of birth: <input type="text" name="dob" value="$dob">
  <span class="error"</span>
  <br>
  <input type="submit" value="Submit">
  </form
_END;
}
else
{
//client side validation. This block shows the max values for the fields again and I have also wrote required for each field which means that no field can be left blank
echo <<<_END
<form action="set_profile.php" method="post">
  Update your profile info:<br>
  First name: <input type="text" maxlength = "16" name="firstname" value="$firstname"required> $firstname_val
  <br>
  Last name: <input type="text" maxlength = "16" name="lastname" value="$lastname"required> $lastname_val
  <br>
  Number of pets:<input type="number" min="1" max="128"name="pets" value="$pets"required> $pets_val
  <br>
  Email address: <input type="email" maxlength = "50" name="email" value="$email"required> $email_val
  <br>
  Date of birth: <input type="date" name="dob" value="$dob"required>
  <span class="error"</span>
  <br>
  <input type="submit" value="Submit">
</form>
_END;
}
}


// display our message to the user:
echo $message;

// finish of the HTML for this page:
require_once "footer.php";
?>