update user data by user with mysql and php function

I’m trying to create Edit Profile by user with MySQL and PHP but there’s something wrong and I can’t figure it out. My code looks like this —> editprofileHTML.php:

include_once "includes/connector.inc.php";

if (!isset($firstname)) {
    $firstname = "";
if (!isset($lastname)) {
    $lastname = "";
if (!isset($gender)) {
    $gender = "";
if (!isset($username)) {
    $username = "";
if (!isset($phoneNr)) {
    $phoneNr = "";
<!doctype html>
<html lang="en">
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.0.2/dist/css/bootstrap.min.css" rel="stylesheet"
          integrity="sha384-EVSTQN3/azprG1Anm3QDgpJLIm9Nao0Yz1ztcQTwFspd3yD65VohhpuuCOmLASjC" crossorigin="anonymous">
    <link rel="stylesheet" href="editprofile.css">
    <link rel="icon" href="img/newslettericon.png">
    <title>Edit Profile</title>


require_once "menu.php";

<div class="container titleHolder">
    <h1 class="firstTtile">Edit Profile</h1>
    <a href="profile.php" class="secondTitle"><-Back</a>
<div class="container">
    <form class="row g-3" action="includes/editprofile.inc.php" method="post">
        <div class="col-md-6">
            <label for="firstname" class="form-label">Firstname</label>
            <input type="text" class="form-control" id="firstname" placeholder="Add your firstname..."
                   name="firstname" value="<?php echo $firstname; ?>">
        <div class="col-md-6">
            <label for="lastname" class="form-label">Lastname</label>
            <input type="text" class="form-control" id="lastname" placeholder="Add your lastname..."
                   name="lastname" value="<?php echo $lastname; ?>">
        <div class="col-md-12">
            <label for="username" class="form-label">Username</label>
            <input type="text" class="form-control" id="username" placeholder="Add your Username..."
                   name="username" value="<?php echo $username; ?>">
        <div class="col-12">
            <label for="phoneNr" class="form-label">Phone Number</label>
            <input type="text" class="form-control" id="phoneNr" placeholder="Please type in your Phone Number..." value="<?php echo $phoneNr; ?> "
        <div class="col-12">
            <label for="gender" class="form-label">Gender</label>
            <select class="form-control" name="gender" id="gender">
                <option selected="" name="none">Please select your gender...</option>
                <option id="female" name="female" <?php if($gender == "female"){?> selected="selected" <?php }?>>Female</option>
                <option id="male" name="male" <?php if($gender == "male"){?> selected="selected" <?php }?>>Male</option>
                <option id="other" name="other" <?php if($gender == "none"){?> selected="selected" <?php }?>>Decline to Answer</option>
        echo $error;
         <div class="col-12">
            <button type="submit" id="update" name="update" class="btn">Save Changes</button>
             <a type="submit" id="link" href="##" class="btn">Change Password</a>

and this is editprofile.inc.php:

ini_set("display_errors", true);

require_once "dbh.inc.php";
require_once "functions.inc.php";

if (isset($_POST["update"])) {

    $updatedData = [
        "firstname" => $_POST["firstname"],
        "lastname" => $_POST["lastname"],
        "phoneNr" => $_POST["phoneNr"],
        "username" => $_POST["username"],
        "gender" => $_POST["gender"],

    if (matchingUsername($updatedData["username"]) !== true) {
        $error = '<p class="error" > Please write your Username correctly </p>';
    if (invalidPhoneNr($updatedData["phoneNr"]) === true) {
        $error = '<p class="error" > Invalid Phone Number! </p>';

    if (!empty($error)) {
        require_once "/profile.php";


} else {
    header('Location: /editprofileHTML.php');

The functions I used in functions.php:

function updateUser($updatedData) {
    global $conn;
    $sql = 'UPDATE login SET firstname = "firstname", lastname = "lastname", username = "username", phoneNr = "phoneNr", gender = "gender" WHERE id = "id"';

    if ($conn->error){
        throw new Exception("Error updating user: " . $conn->error);
    return true;
function matchingUsername($username) {
    $user = loadUserByUsername($username);
    if ($username === $user) {
        return true;
    } return false;

function loadUserByUsername($username) {
    global $conn;
    $sql = 'SELECT * FROM login WHERE username = "'.$username.'"';
    $result = $conn->query($sql);

    return $result->fetch_assoc();

>Solution :

I think your error is in functions.php within the line of $sql = 'UPDATE login SET firstname = "firstname", lastname = "lastname", username = "username", phoneNr = "phoneNr", gender = "gender" WHERE id = "id"';

You are setting firstname as "firstname", however it should look more like this:

$sql = 'UPDATE login SET firstname = "'.$updatedData["firstname"].'", lastname = "'.$updatedData["lastname"].'",....

And so on.

Edit: Check Dharmans comment to my answer, this solution is open to SQL Injection.

Leave a Reply