Solved

Leaving field unchanged on UPDATE in php

Posted on 2010-09-20
Last Modified: 2013-12-12
Hi,

I'm designing a user register system and am doing the admin update part for users at the moment.

However, I have become stuck on something I thought would be simple.

When the admin updates a user they have a choice to change the password of that user. They can't see the password, so obviously the box is left blank; however, I want it to be that if they do enter a new password then the password field updates. I have the code below. What is happening at the moment is that when the admin changes the password it all works fine, but if the admin leaves the password box empty, the password is still changed to just a blank space.

I want it so that if the password box is left blank it doesn't change the current password.

Thanks, Alex
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

0
Question by:echocpt
15 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715169
try like this,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (empty($password)) {
	
	$query1 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	
	} else {
	
	$query2 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715179
corrected script,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	//$_POST['password'] = md5($_POST['password']);
 	
	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	// Hash only when a new password was actually entered
	if (!empty($_POST['password']))
	{
		$password = md5($_POST['password']);	
	}
	
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (!empty($password)) {
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	
	} else {
	
	
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

0
 
LVL 58

Accepted Solution

by:
cyberkiwi earned 350 total points
ID: 33715183

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
        $password = $_POST['password'];
        $password = $password=="" ? "" : md5($password);
 	if (!get_magic_quotes_gpc()) {
                $password = $password=="" ? "" : addslashes($password);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33715190
It is a logic error.  The code is making an md5 hash before testing for a blank field.  You should test for the blank field before making the hash, or test for the blank field in the original input $_POST.

Then you should build the query string dynamically.

There are many things wrong (and some dangerous) with the sample code.  Please buy this book and work through the examples.  You will come out years ahead!
http://www.sitepoint.com/books/phpmysql4/

I will try to post a better example for you in a moment.

Best regards, ~Ray
0
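
The two points in the comment above (test the raw input for a blank before hashing, then build the query dynamically), as an added example that is not code from any poster in this thread. It assumes PHP 7.4+ with the pdo_sqlite extension, uses PDO prepared statements in place of the mysql_* calls and password_hash() in place of md5(), and runs against a constructed in-memory table.

```php
<?php
// Added example (not from the thread). Column names come from the posted code.
function userUpdate(PDO $db, array $post): int
{
    foreach (['id', 'username', 'email', 'firstname', 'lastname', 'dd', 'mm', 'yyyy'] as $f) {
        if (!isset($post[$f]) || trim((string) $post[$f]) === '') {
            throw new InvalidArgumentException("Missing required field: $f");
        }
    }
    if (!checkdate((int) $post['mm'], (int) $post['dd'], (int) $post['yyyy'])) {
        throw new InvalidArgumentException('Invalid date of birth');
    }
    // Column => value map. The keys are fixed literals, never request data.
    $set = [
        'username'     => $post['username'],
        'email'        => $post['email'],
        'firstname'    => $post['firstname'],
        'lastname'     => $post['lastname'],
        'dob'          => sprintf('%04d%02d%02d', $post['yyyy'], $post['mm'], $post['dd']),
        'enabled'      => (int) ($post['enabled'] ?? 0),
        'usergroup_id' => (int) ($post['usergroup'] ?? 0),
    ];
    // Test the raw input for blank BEFORE hashing; add the column only if set.
    if (($post['password'] ?? '') !== '') {
        $set['password'] = password_hash($post['password'], PASSWORD_DEFAULT);
    }
    $cols = implode(', ', array_map(fn($c) => "$c = :$c", array_keys($set)));
    $stmt = $db->prepare("UPDATE user SET $cols WHERE id = :id");
    $stmt->execute($set + ['id' => (int) $post['id']]);
    return $stmt->rowCount();
}

// Constructed sample data: one user row in an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
    password TEXT, firstname TEXT, lastname TEXT, dob TEXT, enabled INTEGER, usergroup_id INTEGER)');
$old = password_hash('old-secret', PASSWORD_DEFAULT);
$db->prepare('INSERT INTO user (id, username, password) VALUES (1, ?, ?)')->execute(['alex', $old]);

$form = ['id' => '1', 'username' => 'alex', 'email' => 'alex@example.com', 'firstname' => 'Alex',
         'lastname' => 'Smith', 'dd' => '20', 'mm' => '9', 'yyyy' => '1990', 'password' => ''];
$read = fn() => $db->query('SELECT password FROM user WHERE id = 1')->fetchColumn();

userUpdate($db, $form);                                  // password box left blank
var_dump($read() === $old);                              // compare stored hash with the old one
userUpdate($db, ['password' => 'new-secret'] + $form);   // password box filled in
var_dump(password_verify('new-secret', $read()));        // verify against the stored hash
```

Existing md5 hashes cannot be converted in place; a migration would rehash each account with password_hash() at its next successful login.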
 

Expert Comment

by:ANMOL28
ID: 33715191
fine
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 33715249
There are two things to look at here.

The first is how you set up your MySQL table. In some cases, depending on how you set it up, it will update the password field whenever that record is updated, which would explain this behavior of MySQL.

So, you can either figure that one out, or...

Grab the password for safe keeping before the update (see below).

I also rewrote your queries. The if statement creates a query depending on whether you need to use the saved password or not, rather than creating two separate queries.

I moved the mysql_query() function and the header() function below the if statement so that we only have to write it once.

I also changed the way you form your query to make it easier to read, using the sprintf function (http://php.net/manual/en/function.sprintf.php).

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	// Fetch the stored password so it can be written back unchanged
	$query = "SELECT password FROM user WHERE id=$id";
	$result = mysql_query($query);
	$row = mysql_fetch_array($result);
	$current_password = $row[0];
	
	if (!$password) {	
	$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s" WHERE id="%s"', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup, $current_password, $id);
	} else {
			$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s" WHERE id="%s"', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup, $password, $id);
	}
		$result = mysql_query($query);
		header("Location:index.php");	
}

0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 75 total points
ID: 33715261
I think this might work, but I cannot test it because I do not have your data base.  But it should be right in principle.

HTH, ~Ray
function userUpdate()
{
   // DIE IF NECESSARY FIELDS ARE OMITTED
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) 
    {
        die('You did not complete all of the required fields');
    } 
    
    // ESCAPE THE DATA FOR USE IN A QUERY
    $username  = mysql_real_escape_string($_POST['username']);
    $email     = mysql_real_escape_string($_POST['email']);
    $password  = mysql_real_escape_string($_POST['password']);
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname  = mysql_real_escape_string($_POST['lastname']);
    $enabled   = mysql_real_escape_string($_POST['enabled']);
    $usergroup = mysql_real_escape_string($_POST['usergroup']);
    $id        = mysql_real_escape_string($_POST["id"]);

    // CONSTRUCT A DATE STRING (BETTER SEE:http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_201-Handling-date-and-time-in-PHP-and-MySQL.html)
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";

    // CONSTRUCT A QUERY TO UPDATE USER DATA
    $query 
    = "UPDATE user SET username='$username'
    , email='$email'
    , firstname='$firstname'
    , lastname='$lastname'
    , dob='$dob'
    , enabled='$enabled'
    , usergroup_id='$usergroup'
    WHERE id=$id
    LIMIT 1"
    ;
    // RUN THE QUERY AND DIE ON ERROR
    $result = mysql_query($query) or die( mysql_error() );
    
    // IF THE PASSWORD IS NOT SET, REDIRECT
    if (empty($_POST["password"])) 
    {
        header("Location: /index.php");
        exit;
    } 
    
    // IF THE PASSWORD IS SET, UPDATE THE PASSWORD
    else 
    {
        $query2 = "UPDATE user SET password='$password' WHERE id=$id LIMIT 1";
        $result2 = mysql_query($query2) or die( mysql_error() );
        header("Location: /index.php");
        exit;
    }
}

0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33715283
Also, regarding this statement

if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy'])

Make sure you understand the information on this page.  You might want || operators.
http://www.php.net/manual/en/language.operators.precedence.php

Just a thought... ~Ray
0
 
LVL 32

Assisted Solution

by:DrDamnit
DrDamnit earned 75 total points
ID: 33715315
Ray... good catch.

Because I knew those should be || (or) operators, I therefore literally saw || instead of |.

:-)
0
 

Author Comment

by:echocpt
ID: 33715435
Hi,

Sorry for the late reply, got pulled into a meeting. Thanks for the replies, they had some good points in them that I will be sure to look into (I do consider myself fairly novice still in this), so that's good.

Unfortunately I have tried both your example, Ray, and yours, DrDamnit, and neither has worked. I have a feeling that it may be to do with the database then, like you said earlier. If so, how can I go about making it work?

Regarding the or statement, my bad, should have known better, just let it slip, but have now changed to ||.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715520
Try this one http:#a33715183
See how it keeps track of $password

While bettering your code, Ray inadvertently removed the md5 function.
0
 

Author Comment

by:echocpt
ID: 33715566
Hi cyberkiwi,

Not quite sure how I missed your post, but I have just tried it and it works :)

I noticed Ray had left the md5 out as well, but that was an easy fix.

Anyway, could you quickly explain what this line does so I know for future reference?

        $password = $password=="" ? "" : md5($password);

I will split the points but weight yours as heavier because you obviously supplied the best answer.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715622
The ? is a ternary operator taking 3 parts.

<condition> ? <iftrue> : <else>

It is a short form for writing

if <condition> then
  <iftrue>
else
  <else>

Regards
0
 

Author Comment

by:echocpt
ID: 33715645
Much help,

Thanks,
Alex
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33716721
Required reading here:
http://php.net/manual/en/language.expressions.php

Thanks for the points, ~Ray
0
