update1: I tried all of the suggestion (much appreciated btw) but the execution still isn't going through displaying "Updated 0 rows ". I have tried multiple ways of approaching this but nothing seems to work for me.
Here is the code I have at the moment:
if(isset($_POST['Done'])) {
$updateCD = "UPDATE users SET lgs=?, its=?, hbs=?, bios=?, pls=?, cts=? WHERE email=?";
$stmt = $con->prepare($updateCD);
$stmt->bind_param('sssssss', $_POST['lgs'], $_POST['its'], $_POST['hbs'], $_POST['bios'], $_POST['pls'], $_POST['cts'], $_GET['email']);
$stmt->execute();
if ($stmt->errno) {
echo "FAILURE!!! " . $stmt->error;
}
else {
echo "Updated {$stmt->affected_rows} rows";
$stmt->close();
}
}
I am wanting to increase the security of my code by replacing my basic sqli queries with prepared statements.
This UPDATE statement concerns updating the user's profile information in the database. Problem is, despite the models I followed, the update execution isn't getting through thus changing nothing in the database.
PHP code:
$email_login = mysqli_real_escape_string($con, $GET['email']);
$lg = mysqli_real_escape_string($con, $_POST['lgs']);
$it = mysqli_real_escape_string($con, $_POST['its']);
$hb = mysqli_real_escape_string($con, $_POST['hbs']);
$bio = mysqli_real_escape_string($con, $_POST['bios']);
$pl = mysqli_real_escape_string($con, $_POST['pls']);
$ct = mysqli_real_escape_string($con, $_POST['cts']);
if(isset($_POST['Done'])) {
$updateCD = "UPDATE users SET lgs=?, its=?, hbs=?, bios=?, pls=?, cts=? WHERE email=?";
$stmt = $con->prepare($updateCD);
$stmt->bind_param('sssssss', $lg, $it, $hb, $bio, $pl, $ct, $email_login);
$stmt->execute();
if ($stmt->errno) {
echo "FAILURE!!! " . $stmt->error;
}
else {
echo "Updated {$stmt->affected_rows} rows";
$stmt->close();
}
}
Note after closure: I understand why it may seem as if this question is similar to the other one, but by no means is it an exact duplicate. The referred question concerned updating a table in general whereas this question magnifies on using prepared statements to execute an update. I already know how to update a table without using prepared statements so I would like to improve my code syntax with a more reliable frameset. Although both questions are related, they have different scopes.