movieprodw
asked on
php form, check password before post
Hello,
I am have a field named "password" and I would like to have the app check the password before the information is updated into the fields. The password is MD5.
I would also like it to check the table to see if the email is being used, it is "email_address".
Please see attached code.
I am have a field named "password" and I would like to have the app check the password before the information is updated into the fields. The password is MD5.
I would also like it to check the table to see if the email is being used, it is "email_address".
Please see attached code.
<?
include('db.php');
session_start();
$userid = $_SESSION['userid'];
// ***** This part will process when you Click on "Submit" button *****
// Check, if you clicked "Submit" button
// Get parameters from form.
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$phone_number = $_POST['phone_number'];
$email_address = $_POST['email_address'];
$address = $_POST['address'];
$czipcode = $_POST['czipcode'];
$city = $_POST['city'];
$state = $_POST['state'];
if($userid > 0){
// Do update statement.
mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state' where userid='$userid'");
// Re-direct this page to select.php.
header("location:control_panel_contact.php");
}
exit;
// Close database connection.
mysql_close();
?>
ASKER
Ray,
Please see revised code below with mysql_real_escape_string()
Thanks,
Matt
Please see revised code below with mysql_real_escape_string()
Thanks,
Matt
<?
include('db.php');
session_start();
$userid = $_SESSION['userid'];
// ***** This part will process when you Click on "Submit" button *****
// Check, if you clicked "Submit" button
// Get parameters from form.
$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);
$phone_number = mysql_real_escape_string($_POST['phone_number']);
$email_address = mysql_real_escape_string($_POST['email_address']);
$address = mysql_real_escape_string($_POST['address']);
$czipcode = mysql_real_escape_string($_POST['czipcode']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
$password = mysql_real_escape_string($_POST['password']);
if($userid > 0){
// Do update statement.
mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state' where userid='$userid'");
// Re-direct this page to select.php.
header("location:control_panel_contact.php");
}
exit;
// Close database connection.
mysql_close();
?>
That's a good idea.
I am making some assumptions here. For example, I am assuming that when you say the password is MD5, you mean that the password is part of the "users" table and that it is encoded with the MD5 algorithm.
Insert this code after line 10 to test for the password.
I am making some assumptions here. For example, I am assuming that when you say the password is MD5, you mean that the password is part of the "users" table and that it is encoded with the MD5 algorithm.
Insert this code after line 10 to test for the password.
// TEST TO SEE IF THE PASSWORD IS PROVIDED CORRECTLY
// ENCODE THE PASSWORD TO MATCH THE FIELD IN THE DB
$md5 = md5($_POST["password"];
// CONSTRUCT AND RUN THE QUERY
$sql = "SELECT password FROM users WHERE password = \"$md5\" AND userid = \"$userid\" LIMIT 1";
$res = mysql_query($sql);
if (!$res) // RETURNS FALSE ON QUERY FAILURE
{
echo "<br/>QUERY FAIL: $sql \n";
$err = mysql_errno() . ' ' . mysql_error();
die($err);
}
// TEST FOR ROWS IN THE RESULTS SET - SHOULD BE ONE
if (!mysql_num_rows($res))
{
// NO ROWS IN RESULTS MEANS THE PASSWORD WAS NO GOOD
die("WRONG PASSWORD"); // PUT YOUR ERROR HANDLING CODE HERE
}
// IF WE GET THIS FAR, THE PASSWORD MATCHES THE USERID
ASKER
I am sorry but I can not get it to work, I was able to stop the code on line 12 and echo $md5 and it was the correct encrypted pass in the db but it seems to error with no explanation after line 12.
Any ideas?
Any ideas?
<?
include('db.php');
session_start();
$userid = $_SESSION['userid'];
$password = $_POST['password'];
// TEST TO SEE IF THE PASSWORD IS PROVIDED CORRECTLY
// ENCODE THE PASSWORD TO MATCH THE FIELD IN THE DB
$md5 = md5($_POST[password]);
// CONSTRUCT AND RUN THE QUERY
$sql = "SELECT password FROM users WHERE password = "$md5" AND userid = "$userid" LIMIT 1";
$res = mysql_query($sql);
if (!$res) // RETURNS FALSE ON QUERY FAILURE
{
echo "<br/>QUERY FAIL: $sql \n";
$err = mysql_errno() . ' ' . mysql_error();
die($err);
}
// TEST FOR ROWS IN THE RESULTS SET - SHOULD BE ONE
if (!mysql_num_rows($res))
{
// NO ROWS IN RESULTS MEANS THE PASSWORD WAS NO GOOD
die("WRONG PASSWORD"); // PUT YOUR ERROR HANDLING CODE HERE
}
// IF WE GET THIS FAR, THE PASSWORD MATCHES THE USERID
$first_name = mysql_real_escape_string($_POST['first_name']);
$last_name = mysql_real_escape_string($_POST['last_name']);
$phone_number = mysql_real_escape_string($_POST['phone_number']);
$email_address = mysql_real_escape_string($_POST['email_address']);
$address = mysql_real_escape_string($_POST['address']);
$czipcode = mysql_real_escape_string($_POST['czipcode']);
$city = mysql_real_escape_string($_POST['city']);
$state = mysql_real_escape_string($_POST['state']);
if($userid > 0){
// Do update statement.
mysql_query("update users set first_name='$first_name', last_name='$last_name', phone_number='$phone_number', email_address='$email_address', address='$address', czipcode='$czipcode', city='$city', state='$state', updated='1' where userid='$userid'");
// Re-direct this page to select.php.
header("location:control_panel_contact.php");
}
exit;
// Close database connection.
mysql_close();
?>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Your the man Ray!
Thank you Sir
Thank you Sir
Thanks for the points - glad you're on the right track! ~Ray
Also, you might want to get a good book on MySQL. Using unescaped values in a MySQL query is a no-no. Have a look at the PHP function mysql_real_escape_string()
Best, ~Ray