Whenever I submit a user update form in my dashboard, my error array returns a flag for unchanged values

by

Currently working on a project that requires me to build an admin area for an admin to manage users and permissions.

I’m using an array to return errors to admins if they submit duplicate data to database – for example, trying to change a users username to another existing username. This works, however when submitting the form if the data in one part of the form is changed (username is available but email address is unchanged) my error flag is returned.

I believe that since the SELECT statement I’ve created checks to see if the username or email address is taken prior to running my $stmt, it’s taking the existing username or email address already populated in the form as a new one despite it being the users existing username/email address.

Is there a way to work around this? I’m not sure if I need to restructure my select statement or error flag return – since running the SQL UPDATE statement works fine without the error flag return, it will just return a standard duplicate entry error if the values are the same.

As it works just now, when an admin updates the form – it will only be successfully updated if both the username and email address have both been changed.

admin_functions.php

$sql = "UPDATE ltc_users SET first_name = ?, second_name = ?, username = ?, email_address = ?, permission = ? WHERE user_id = ?";
$stmt = $conn->prepare($sql);
$stmt->bind_param("sssssi", $first_name, $second_name, $username, $email_address, $permission, $user_id);

if (isset($_POST['update_user'])) {

    $user_id = $_POST["user_id"];
    $first_name = mysqli_real_escape_string($conn, $_POST['first_name']);
    $second_name = mysqli_real_escape_string($conn, $_POST['second_name']);
    $username = mysqli_real_escape_string($conn, $_POST['username']);
    $email_address = mysqli_real_escape_string($conn, $_POST['email_address']);
    $permission = mysqli_real_escape_string($conn, $_POST['permission']);

    if (empty($username)) {
        array_push($error_flags, "username is required.");
    }
    if (empty($email_address)) {
        array_push($error_flags, "email is required.");
    }
    $user_check_query = "SELECT * FROM ltc_users WHERE username="$username" OR email_address="$email_address"LIMIT 1";
    $user_check_result = mysqli_query($conn, $user_check_query);
    $user_fa = mysqli_fetch_assoc($user_check_result);

    if ($user_fa['username'] === $username) {
        array_push($error_flags, "username already in use.");
    }

    if ($user_fa['email_address'] === $email_address) {
        array_push($error_flags, "email address already in use.");
    }

    if (count($error_flags) == 0) {

        $stmt->execute();
        // Success flag is not returned, return to fix**
        $_SESSION['success_flag'] = "user updated. <br><br>";
        header('location: manage-users.php');
    }
}

manage-users.php

<form method="post" action="manage-users.php">
                <?php if ($isEditingUser === true) : ?>
                    <input type="hidden" name="user_id" value="<?php echo $user_id; ?>">
                <?php endif ?>

                <input type="text" name="first_name" placeholder="first." value="<?php echo $first_name ?>" required>
                <input type="text" name="second_name" placeholder="second." value="<?php echo $second_name ?>" required>
                <input type="text" name="username" placeholder="username." minlength="5" value="<?php echo $username; ?>" required>
                <input type="email" name="email_address" placeholder="email address." value="<?php echo $email_address ?>" required>
                <!-- <input type="password" name="password_1" placeholder="password." minlength="8" required>
                <input type="password" name="password_2" placeholder="confirm password." minlength="8" required> -->
                <select name="permission" required>
                    <option value="" selected disabled hidden>select permission.</option>
                    <option value="user">user.</option>
                    <option value="admin">admin.</option>
                    <option value="restricted">restricted.</option>
                </select>

                <?php if ($isEditingUser === true) : ?>
                    <button type="submit" class="btn" name="update_user">update user.</button>
                <?php else : ?>
                    <button type="submit" class="btn" name="create_user">create user.</button>
                <?php endif ?>
            </form>

admin_message_error_function.php

<?php if (count($error_flags) > 0) : ?>
    <div class="error_flags">
        <?php foreach ($error_flags as $error_flag) : ?>
            <p><?php echo $error_flag ?></p>
        <?php endforeach ?>
    </div>
<?php endif ?>

Cheers.

I’ve tried a handful of things but haven’t had much luck.

  • Don’t use mysqli_real_escape_string() when you’re using parameter binding. That will cause strings to be double-escaped.

    – 

  • Why aren’t you using bind_param for $user_check_query?

    – 

  • Still quite new to PHP, mind this is for a second year project so this is welcome advice – thank you. I will come back to changing that but want to get the issue I’ve outlined fixed first.

    – 

  • But you clearly know how to do it, you did it with the UPDATE query.

    – 

  • Have just updated that part of it and will be more mindful of preparing statements in the future, thanks!

    – 

Leave a Comment