Solved

Leaving field unchanged on UPDATE in php

Posted on 2010-09-20
15
409 Views
Last Modified: 2013-12-12
Hi,

I'm designing a user register system and am doing the admin update part for users at the moment.

However i have become stuck on something i thought would be simple.

When the admin updates a user they have a choice to change the password of that user. They can't see the password so obviously the box is left blank however i want it to be that if they do enter a new password then the password field updates. I have the code below, however what is happening at the moment is when the admin changes the password it all works fine, however if the admin leaves the password box empty, then the password is still changed to just a blank space.

I want it so that if the password box is left blank it doesn't change the current password?

Thanks, Alex
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

Open in new window

0
Comment
Question by:echocpt
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 3
  • +3
15 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715169
try like this,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (empty($password)) {
	
	$query1 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	
	} else {
	
	$query2 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715179
corrected script,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	//$_POST['password'] = md5($_POST['password']);
 	
	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	if (!empty($_POST['password'])
	{
		$password = md5($_POST['password']);	
	}
	
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (!empty($password)) {
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	
	} else {
	
	
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
LVL 58

Accepted Solution

by:
cyberkiwi earned 350 total points
ID: 33715183

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
        $password = $_POST['password'];
        $password = $password=="" ? "" : md5($password);
 	if (!get_magic_quotes_gpc()) {
                $password = $password=="" ? "" : addslashes($password);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

Open in new window

0
Business Impact of IT Communications

What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.

 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33715190
It is a logic error.  The code is making an md5 hash before testing for a blank field.  You should test for the blank field before making the hash, or test for the blank field in the original input $_POST.

Then you should build the query string dynamically.

There are many things wrong (and some dangerous) with the sample code.  Please buy this book and work through the examples.  You will come out years ahead!
http://www.sitepoint.com/books/phpmysql4/

I will try to post a better example for you in a moment.

Best regards, ~Ray
0
 

Expert Comment

by:ANMOL28
ID: 33715191
fine
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 33715249
There are two things to look at here.

The first is how you setup your MySQL table. In some cases, depending on how you set it up, it will update the password field whenever that record is updated, which would explain this behavior or MySQL.

So, you can either figure that one out, or...

Grab the password for safe keeping before the update (see below).

I also re-write your queries. The if statement creates a query depeding on if you need to use the saved password or not rather than creating two separate queries.

I moved the mysql_query() function and the header() function below the if statement so that we only have to write it once.

I also change the way you form your query to make it easier to read using the sprintf function (http://php.net/manual/en/function.sprintf.php).

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	$query = "SELECT password "\" WHERE id=$id";
	$result = mysql_query($query);
	$row = mysql_fetch_array($result);
	$current_password = $row[0];
	
	if (!$password) {	
	$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $current_password, $id);
	} else {
			$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $password, $id);
	}
		$result = mysql_query($query);
		header("Location:index.php");	
}

Open in new window

0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 75 total points
ID: 33715261
I think this might work, but I cannot test it because I do not have your data base.  But it should be right in principle.

HTH, ~Ray
function userUpdate()
{
   // DIE IF NECESSARY FIELDS ARE OMITTED
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) 
    {
        die('You did not complete all of the required fields');
    } 
    
    // ESCAPE THE DATA FOR USE IN A QUERY
    $username  = mysql_real_escape_string($_POST['username']);
    $email     = mysql_real_escape_string($_POST['email']);
    $password  = mysql_real_escape_string($_POST['password']);
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname  = mysql_real_escape_string($_POST['lastname']);
    $enabled   = mysql_real_escape_string($_POST['enabled']);
    $usergroup = mysql_real_escape_string($_POST['usergroup']);
    $id        = mysql_real_escape_string($_POST["id"]);

    // CONSTRUCT A DATE STRING (BETTER SEE:http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_201-Handling-date-and-time-in-PHP-and-MySQL.html)
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";

    // CONSTRUCT A QUERY TO UPDATE USER DATA
    $query 
    = "UPDATE user SET username='$username'
    , email='$email'
    , firstname='$firstname'
    , lastname='$lastname'
    , dob='$dob'
    , enabled='$enabled'
    , usergroup_id'$usergroup'
    WHERE id=$id
    LIMIT 1"
    ;
    // RUN THE QUERY AND DIE ON ERROR
    $result = mysql_query($query) or die( mysql_error() );
    
    // IF THE PASSWORD IS NOT SET, REDIRECT
    if (empty($_POST["password"])) 
    {
        header("Location: /index.php");
        exit;
    } 
    
    // IF THE PASSWORD IS SET, UPDATE THE PASSWORD
    else 
    {
        $query2 = "UPDATE user SET password='$password ' WHERE id=$id LIMIT 1";
        $result2 = mysql_query($query2) or die( mysql_error() );
        header("Location: /index.php");
        exit;
    }
}

Open in new window

0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33715283
Also, regarding this statement

if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy'])

Make sure you understand the information on this page.  You might want || operators.
http://www.php.net/manual/en/language.operators.precedence.php

Just a thought... ~Ray
0
 
LVL 32

Assisted Solution

by:DrDamnit
DrDamnit earned 75 total points
ID: 33715315
Ray... good catch.

Because I knew those should be || (or) operators, I therefore literally saw || instead of |.

:-)
0
 

Author Comment

by:echocpt
ID: 33715435
Hi,

Sorry for the late reply, got pulled into a meeting. Thanks for the replies, they had some good points in that i will be sure to look into (i do consider myself fairly novice still in this) so thats good.

Unfortunately i have tried both your example Ray and yours DrDamnit and neither have worked. I have a feeling that it may be to do with the database then like you said earlier. If so how can i go about making it work?

Regarding the or statement, my bad, should have known better just let it slip but have now changed to ||.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715520
Try this one http:#a33715183
See how it keeps track of $password

While bettering your code, Ray inadvertently removed the md5 function.
0
 

Author Comment

by:echocpt
ID: 33715566
Hi cyberkiwi,

Not quite sure how i missed your post but have just tried it and it works :)

I noticed Ray had left the md5 out as well, but that was easy fix.

Anyway could you quickly explain what this line does so i know for future reference?:

        $password = $password=="" ? "" : md5($password);

I will split the points but weight yours as heavier because you obviously supplied best answer.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715622
The ? is a ternary operator taking 3 parts.

<condition> ? <iftrue> : <else>

It is a short form for writing

if <condition> then
  <iftrue>
else
  <else>

Regards
0
 

Author Comment

by:echocpt
ID: 33715645
Much help,

Thanks,
Alex
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33716721
Required reading here:
http://php.net/manual/en/language.expressions.php

Thanks for the points, ~Ray
0

Featured Post

Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Form submit takes only for one form 23 53
Code planning methods/tools? 5 56
PHP MYSQLI Connection in Function in a class 4 29
Undefined variable with $_POST in PHP 5 39
This article discusses how to implement server side field validation and display customized error messages to the client.
Containers like Docker and Rocket are getting more popular every day. In my conversations with customers, they consistently ask what containers are and how they can use them in their environment. If you’re as curious as most people, read on. . .
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question