Solved

php form, check password before post

Posted on 2009-04-11
442 Views
Last Modified: 2013-12-12
Hello,

I have a field named "password" and I would like to have the app check the password before the information is updated into the fields. The password is MD5.

I would also like it to check the table to see if the email is already being used; the field is "email_address".

Please see attached code.
<?

include('db.php');

session_start();

$userid = $_SESSION['userid'];

// ***** This part will process when you Click on "Submit" button *****
// Check, if you clicked "Submit" button

// Get parameters from form.
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone_number = $_POST['phone_number'];
$email_address = $_POST['email_address'];
$address = $_POST['address'];
$czipcode = $_POST['czipcode'];
$city = $_POST['city'];
$state = $_POST['state'];

if($userid > 0){
    // Do update statement.
    mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state' where userid='$userid'");

    // Re-direct this page to select.php.
    header("location:control_panel_contact.php");
}

exit;

// Close database connection.
mysql_close();

?>

Question by:movieprodw
7 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24126319
Uhh, where is the field named "password" -- I don't see it in what you posted?

Also, you might want to get a good book on MySQL.  Using unescaped values in a MySQL query is a no-no.  Have a look at the PHP function mysql_real_escape_string() to see some of what you need to do in order to protect your database.

Best, ~Ray
 
LVL 1

Author Comment

by:movieprodw
ID: 24126434
Ray,

Please see revised code below with mysql_real_escape_string() and password field.

Thanks,
Matt
<?

include('db.php');

session_start();

$userid = $_SESSION['userid'];

// ***** This part will process when you Click on "Submit" button *****
// Check, if you clicked "Submit" button

// Get parameters from form.
$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);
$phone_number = mysql_real_escape_string($_POST['phone_number']);
$email_address = mysql_real_escape_string($_POST['email_address']);
$address = mysql_real_escape_string($_POST['address']);
$czipcode = mysql_real_escape_string($_POST['czipcode']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$password = mysql_real_escape_string($_POST['password']);

if($userid > 0){
    // Do update statement.
    mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state' where userid='$userid'");

    // Re-direct this page to select.php.
    header("location:control_panel_contact.php");
}

exit;

// Close database connection.
mysql_close();

?>

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24126501
That's a good idea.

I am making some assumptions here.  For example, I am assuming that when you say the password is MD5, you mean that the password is part of the "users" table and that it is encoded with the MD5 algorithm.

Insert this code after line 10 to test for the password.
// TEST TO SEE IF THE PASSWORD IS PROVIDED CORRECTLY

// ENCODE THE PASSWORD TO MATCH THE FIELD IN THE DB
$md5 = md5($_POST["password"]);

// CONSTRUCT AND RUN THE QUERY
$sql = "SELECT password FROM users WHERE password = \"$md5\" AND userid = \"$userid\" LIMIT 1";
$res = mysql_query($sql);
if (!$res) // RETURNS FALSE ON QUERY FAILURE
{
   echo "<br/>QUERY FAIL: $sql \n";
   $err = mysql_errno() . ' ' . mysql_error();
   die($err);
}

// TEST FOR ROWS IN THE RESULTS SET - SHOULD BE ONE
if (!mysql_num_rows($res))
{
   // NO ROWS IN RESULTS MEANS THE PASSWORD WAS NO GOOD
   die("WRONG PASSWORD"); // PUT YOUR ERROR HANDLING CODE HERE
}

// IF WE GET THIS FAR, THE PASSWORD MATCHES THE USERID


 
LVL 1

Author Comment

by:movieprodw
ID: 24126633
I am sorry, but I cannot get it to work. I was able to stop the code on line 12 and echo $md5, and it was the correct encrypted pass in the db, but it seems to error with no explanation after line 12.

Any ideas?
<?

include('db.php');

session_start();

$userid = $_SESSION['userid'];

$password = $_POST['password'];

// TEST TO SEE IF THE PASSWORD IS PROVIDED CORRECTLY

// ENCODE THE PASSWORD TO MATCH THE FIELD IN THE DB
$md5 = md5($_POST['password']);

// CONSTRUCT AND RUN THE QUERY
$sql = "SELECT password FROM users WHERE password = "$md5" AND userid = "$userid" LIMIT 1";
$res = mysql_query($sql);
if (!$res) // RETURNS FALSE ON QUERY FAILURE
{
   echo "<br/>QUERY FAIL: $sql \n";
   $err = mysql_errno() . ' ' . mysql_error();
   die($err);
}

// TEST FOR ROWS IN THE RESULTS SET - SHOULD BE ONE
if (!mysql_num_rows($res))
{
   // NO ROWS IN RESULTS MEANS THE PASSWORD WAS NO GOOD
   die("WRONG PASSWORD"); // PUT YOUR ERROR HANDLING CODE HERE
}

// IF WE GET THIS FAR, THE PASSWORD MATCHES THE USERID

$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);
$phone_number = mysql_real_escape_string($_POST['phone_number']);
$email_address = mysql_real_escape_string($_POST['email_address']);
$address = mysql_real_escape_string($_POST['address']);
$czipcode = mysql_real_escape_string($_POST['czipcode']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);

if($userid > 0){
    // Do update statement.
    mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state', updated='1' where userid='$userid'");

    // Re-direct this page to select.php.
    header("location:control_panel_contact.php");
}

exit;

// Close database connection.
mysql_close();

?>

 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 24126724
Line 14 is wrong.  You have to escape the quotes.  See the example I posted above - the backslashes will perform the escape for you.  Make that change and try it again, OK?
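The complete flow the thread arrives at (verify the current password, then update), as an added example that is not code from the thread or from either participant: it uses PDO prepared statements in place of mysql_query() with hand-escaped quotes, so the quoting error the accepted answer points at cannot arise, keeps the MD5 comparison the thread's users table requires, and adds the email_address uniqueness check the original question asked for. Assumptions: db.php creates a PDO connection in $pdo; table and column names are the thread's own.

```php
<?php
// Added example, not code from the thread: Ray's check-then-update flow with
// PDO prepared statements (no hand-escaped quotes) plus the email_address
// uniqueness check from the original question. Assumes db.php sets up $pdo.
// True when $password, MD5-hashed as the thread's schema stores it, matches the
// stored digest for $userid; hash_equals() compares in constant time.
function passwordMatches(PDO $pdo, int $userid, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE userid = ? LIMIT 1');
    $stmt->execute([$userid]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && hash_equals((string)$stored, md5($password));
}

// True when a different user already has this email address.
function emailTakenByOther(PDO $pdo, int $userid, string $email): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM users WHERE email_address = ? AND userid <> ? LIMIT 1');
    $stmt->execute([$email, $userid]);
    return $stmt->fetchColumn() !== false;
}

// Updates only whitelisted contact columns; values are bound, never interpolated.
function updateContact(PDO $pdo, int $userid, array $post): void
{
    $allowed = ['first_name', 'last_name', 'phone_number', 'email_address',
                'address', 'czipcode', 'city', 'state'];
    $sets = [];
    $params = [':userid' => $userid];
    foreach ($allowed as $col) {          // $col comes from $allowed, not from input
        $sets[] = "$col = :$col";
        $params[":$col"] = $post[$col] ?? '';
    }
    $sql = 'UPDATE users SET ' . implode(', ', $sets) . ' WHERE userid = :userid';
    $pdo->prepare($sql)->execute($params);
}

session_start();
include 'db.php';                          // assumed to define $pdo (a PDO instance)
$userid = (int)($_SESSION['userid'] ?? 0);
if ($userid <= 0) { http_response_code(403); exit('Not logged in'); }
if (!passwordMatches($pdo, $userid, $_POST['password'] ?? '')) {
    exit('WRONG PASSWORD');                // put real error handling here
}
if (emailTakenByOther($pdo, $userid, $_POST['email_address'] ?? '')) {
    exit('That email address is already in use');
}
updateContact($pdo, $userid, $_POST);
header('Location: control_panel_contact.php'); exit;
```

The MD5 comparison is kept only because the thread's users table stores MD5 digests; for new code, password_hash() and password_verify() replace it.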
 
LVL 1

Author Closing Comment

by:movieprodw
ID: 31569269
You're the man, Ray!

Thank you Sir
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 24126798
Thanks for the points - glad you're on the right track! ~Ray