Display employee profile after login

Discussion in 'PHP' started by Yap Xin Ting, Mar 7, 2017.

  1. #1
    I am facing the problem that my query can't be executed; there is an error. I am a newbie, so I don't know where the problem is. Can anyone help me solve the problem?

    The profile.php code:
    <?php
    session_start();
    $employee_id=$_SESSION['employee_id'];

    $query=query("SELECT * FROM employee WHERE employee_id = '$employee_id");
    confirm($query);

    while($row=mysqli_fetch_assoc($query)){
    $employee_name = $row['employee_name'];
    $employee_ic=$row['employee_ic'];
    $employee_image=$row['employee_image'];
    }
    ?>

    <form role="form" action="" method="post" enctype="multipart/form-data">

    <div class="form-group">
    <label>Employee Name</label>
    <input type="text" class="form-control" name="employee_name" value="<?php echo $employee_name ?>"></div>

    <div class="form-group">
    <label>Employee IC Number</label>
    <input type="text" class="form-control" name="employee_ic" value="<?php echo $employee_ic ?>"></div>
    </form>
     
    Yap Xin Ting, Mar 7, 2017
  2. PoPSiCLe

    #2
    You're missing a single quote after the variable in the query. Also, the query, and coding style, is deplorable - always use prepared queries, even when you should "know" that the variable is safe. Granted, you are using mysqli_ instead of mysql_, which is good, but a lot of the point of changing from mysql_ goes away if you don't actually utilize the modern ways of using the DB-handler.
     
    PoPSiCLe, Mar 7, 2017
  3. Yap Xin Ting

    #3
    After adding the missing quote, the query is still not working. I use prepared queries to reduce the storage space to store the program.
     
    Yap Xin Ting, Mar 7, 2017
  4. accel

    #4
    What is the error message you are getting?
     
    accel, Mar 7, 2017
  5. Yap Xin Ting

    #5
    The error message gives an undefined query message.
    Here is my login function:
    if(isset($_POST['submit'])){

    $email = $_POST['email'];
    $email_query=query("SELECT * FROM employee WHERE user_email='{$email}'");
    if(mysqli_num_rows($email_query)==0){

    $_SESSION['email_not_valid']=$email;
    redirect("index.php");
    }else{

    $password = escape_string($_POST['password']);

    $query = query ("SELECT * FROM employee WHERE user_email = '{$email}' AND user_password = '{$password}'");

    confirm($query);

    while($row = fetch_array($query)){

    $db_user_email = $row['user_email'];
    $db_user_password = $row['user_password'];
    $db_user_role = $row['user_role'];
    $db_username=$row['username'];
    $db_employee_id=$row['employee_id'];

    }

    if($email == $db_user_email && $password == $db_user_password && $db_user_role == "employee"){

    $_SESSION['user_email'] = $db_user_email;
    $_SESSION['user_role'] = $db_user_role;
    $_SESSION['username']=$db_username;
    $_SESSION['employee_id']=$db_employee_id;
    //Go to the right page if password and email is correct and user role is admin

    redirect("../employee/index.php");
    }
    } // end else
    } // end if(isset($_POST['submit']))
     
    Yap Xin Ting, Mar 7, 2017
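
The login flow from post #5 rewritten with a bound parameter and hashed-password verification, as an added example that is not code from any poster in this thread. It assumes `user_password` stores a `password_hash()` value and that the mysqlnd driver is available for `get_result()`; the function names `find_employee` and `login` are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumption: employee.user_password
// holds a password_hash() value (the thread's code compares plain text).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();

function find_employee(mysqli $con, string $email): ?array
{
    // The e-mail is sent as a bound parameter, never spliced into the SQL text.
    $stmt = $con->prepare(
        'SELECT employee_id, username, user_email, user_password, user_role
           FROM employee WHERE user_email = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when nothing matches
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $con, string $email, string $password): bool
{
    $row = find_employee($con, $email);
    if ($row === null
        || $row['user_role'] !== 'employee'
        || !password_verify($password, (string) $row['user_password'])) {
        return false; // one answer for unknown e-mail, wrong role, wrong password
    }
    session_regenerate_id(true); // fresh session id once authenticated
    $_SESSION['user_email']  = $row['user_email'];
    $_SESSION['user_role']   = $row['user_role'];
    $_SESSION['username']    = $row['username'];
    $_SESSION['employee_id'] = $row['employee_id'];
    return true;
}

$email    = $_POST['email'] ?? null;
$password = $_POST['password'] ?? null;
if (isset($_POST['submit']) && is_string($email) && is_string($password)) {
    $con = mysqli_connect('localhost', 'root', '', 'hrm'); // values from post #7
    $ok  = login($con, $email, $password);
    mysqli_close($con);
    header('Location: ' . ($ok ? '../employee/index.php' : 'index.php'));
    exit;
}
```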
  6. accel

    #6
    The error is probably within the line where you state the SQL string. For testing purposes, try substituting this line with variations of SQL string and see what happens, i.e. whether you have proper database connectivity.

    So, from your original post, try changing this original line:

    $query=query("SELECT * FROM employee WHERE employee_id = '$employee_id");

    The above line looks wrong to me, because you are not forming the query correctly for mysqli_fetch_assoc.

    It is more likely to be:

    $query="SELECT * FROM employee WHERE employee_id = '$employee_id";

    Then later in your script you would use mysqli_fetch_assoc($conn, $query) to run the query, where $conn is your database connection variable.

    So, in summary, you are not forming the correct SQL query syntax, and you are not passing it to mysqli_fetch_assoc($conn, $query) correctly.
     
    accel, Mar 8, 2017
  7. Yap Xin Ting

    #7
    The error shows that there is a possible memory leak somewhere. Below is the code I modified.
    <?php
    $con=mysqli_connect("localhost","root","","hrm");
    session_start();
    $employee_id=$_SESSION['employee_id'];

    $query="SELECT * FROM employee WHERE employee_id= 'employee_id'";

    if($result=mysqli_query($con,$query)){
    while($row=mysqli_fetch_assoc($result)){
    $employee_name = $row['employee_name'];
    $employee_ic=$row['employee_ic'];
    $employee_image=$row['employee_image'];
    $contact_no=$row['contact_no'];
    $emergency_no=$row['emergency_no'];
    $address=$row['address'];
    $job_title=$row['job_title'];
    $department=$row['department'];
    }
    mysqli_free_result($result);
    }
    mysqli_close($con);
    ?>
     
    Yap Xin Ting, Mar 9, 2017
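
A profile.php along the lines PoPSiCLe suggests in post #2, as an added example that is not code from any poster in this thread. It binds the session's `employee_id` as a parameter (the query in post #7 compares against the literal string `'employee_id'`, and the one in post #1 lacks a closing quote) and HTML-escapes each value before it goes into the form. The helper names `load_profile` and `e` and the login redirect path are hypothetical, and mysqlnd is assumed for `get_result()`.

```php
<?php
// Added example, not the poster's code. Connection values are those in post #7.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw
session_start();

if (!isset($_SESSION['employee_id'])) { // no login session: nothing to show
    header('Location: ../index.php');   // hypothetical login page path
    exit;
}

function load_profile(mysqli $con, string $employee_id): ?array
{
    // Name the columns needed and bind the id; there is no quoting to get wrong.
    $stmt = $con->prepare(
        'SELECT employee_name, employee_ic, contact_no, job_title, department
           FROM employee WHERE employee_id = ?'
    );
    $stmt->bind_param('s', $employee_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    return $row ?: null;
}

function e(?string $value): string // escape for HTML text and quoted attributes
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

$con     = mysqli_connect('localhost', 'root', '', 'hrm');
$profile = load_profile($con, (string) $_SESSION['employee_id']);
mysqli_close($con);
if ($profile === null) {
    http_response_code(404);
    exit('Employee record not found.');
}
?>
<form role="form" action="" method="post" enctype="multipart/form-data">
  <div class="form-group">
    <label>Employee Name</label>
    <input type="text" class="form-control" name="employee_name" value="<?= e($profile['employee_name']) ?>">
  </div>
  <div class="form-group">
    <label>Employee IC Number</label>
    <input type="text" class="form-control" name="employee_ic" value="<?= e($profile['employee_ic']) ?>">
  </div>
</form>
```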