echocpt
asked on
Leaving field unchanged on UPDATE in php
Hi,
I'm designing a user register system and am doing the admin update part for users at the moment.
However I have become stuck on something I thought would be simple.
When the admin updates a user they have a choice to change the password of that user. They can't see the password so obviously the box is left blank, however I want it to be that if they do enter a new password then the password field updates. I have the code below, however what is happening at the moment is when the admin changes the password it all works fine, however if the admin leaves the password box empty, then the password is still changed to just a blank space.
I want it so that if the password box is left blank it doesn't change the current password?
Thanks, Alex
function userUpdate() {
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
        die('You did not complete all of the required fields');
    }
    $_POST['password'] = md5($_POST['password']);
    if (!get_magic_quotes_gpc()) {
        $_POST['password'] = addslashes($_POST['password']);
        $_POST['username'] = addslashes($_POST['username']);
    }
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $enabled = $_POST['enabled'];
    $usergroup = $_POST['usergroup'];
    $id = $_POST["id"];
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";
    $query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\" WHERE id=$id";
    $result = mysql_query($query);
    if (!$password) {
        header("Location:index.php");
    } else {
        $query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
        $result2 = mysql_query($query2);
        header("Location:index.php");
    }
}
corrected script,
<?php
function userUpdate() {
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
        die('You did not complete all of the required fields');
    }
    //$_POST['password'] = md5($_POST['password']);
    if (!get_magic_quotes_gpc()) {
        $_POST['password'] = addslashes($_POST['password']);
        $_POST['username'] = addslashes($_POST['username']);
    }
    // Hash only when a new password was actually entered
    if (!empty($_POST['password'])) {
        $password = md5($_POST['password']);
    }
    $username = $_POST['username'];
    $email = $_POST['email'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $enabled = $_POST['enabled'];
    $usergroup = $_POST['usergroup'];
    $id = $_POST["id"];
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";
    // Include the password column in the UPDATE only when $password was set above
    if (!empty($password)) {
        $query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\" WHERE id=$id";
    } else {
        $query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\" WHERE id=$id";
    }
    $result = mysql_query($query) or die(mysql_error());
    header("Location:index.php");
}
?>
It is a logic error. The code is making an md5 hash before testing for a blank field. You should test for the blank field before making the hash, or test for the blank field in the original input $_POST.
Then you should build the query string dynamically.
There are many things wrong (and some dangerous) with the sample code. Please buy this book and work through the examples. You will come out years ahead!
http://www.sitepoint.com/books/phpmysql4/
I will try to post a better example for you in a moment.
Best regards, ~Ray
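One way to do what Ray describes above (test the raw field for blank before hashing, then build the query dynamically), as an added example that is not code from any poster in this thread. It swaps the thread's md5 and mysql_* calls (the mysql extension was removed in PHP 7) for password_hash and PDO prepared statements, and it assumes an in-memory SQLite table with constructed values so it runs stand-alone; buildUserUpdate() is a hypothetical name.

```php
<?php
// Added example, not code from the thread. buildUserUpdate(), the SQLite
// table and the sample form values are constructed for this demonstration.
function buildUserUpdate(array $in): array
{
    // Whitelist of form field => column; only these names reach the SQL text.
    $columns = ['username' => 'username', 'email' => 'email',
                'firstname' => 'firstname', 'lastname' => 'lastname',
                'dob' => 'dob', 'enabled' => 'enabled',
                'usergroup' => 'usergroup_id'];
    $set = [];
    $params = [':id' => (int) $in['id']];
    foreach ($columns as $field => $column) {
        $set[] = "$column = :$field";
        $params[":$field"] = $in[$field];
    }
    // Test the raw input for blank BEFORE hashing: a blank box adds no
    // password assignment, so the stored hash is left untouched.
    if (isset($in['password']) && $in['password'] !== '') {
        $set[] = 'password = :password';
        $params[':password'] = password_hash($in['password'], PASSWORD_DEFAULT);
    }
    return ['UPDATE user SET ' . implode(', ', $set) . ' WHERE id = :id', $params];
}

// Constructed data: one user whose current password is "old-secret".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT,
    email TEXT, firstname TEXT, lastname TEXT, dob TEXT, enabled INTEGER,
    usergroup_id INTEGER, password TEXT)');
$pdo->prepare('INSERT INTO user (id, username, password) VALUES (1, ?, ?)')
    ->execute(['alex', password_hash('old-secret', PASSWORD_DEFAULT)]);

$form = ['id' => '1', 'username' => 'alex', 'email' => 'alex@example.test',
         'firstname' => 'Alex', 'lastname' => 'Doe', 'dob' => '19900102',
         'enabled' => '1', 'usergroup' => '2'];

// First submit a blank password box, then a real new password.
foreach (['', 'new-secret'] as $submitted) {
    [$sql, $params] = buildUserUpdate($form + ['password' => $submitted]);
    $pdo->prepare($sql)->execute($params);
    $hash = $pdo->query('SELECT password FROM user WHERE id = 1')->fetchColumn();
    printf("submitted %-12s old password still valid: %s\n",
        var_export($submitted, true),
        var_export(password_verify('old-secret', $hash), true));
}
```

Because every value travels as a bound parameter, the id and the text fields cannot alter the statement, which the string-concatenated queries in the thread do not guarantee.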
fine
There are two things to look at here.
The first is how you set up your MySQL table. In some cases, depending on how you set it up, it will update the password field whenever that record is updated, which would explain this behavior of MySQL.
So, you can either figure that one out, or...
Grab the password for safe keeping before the update (see below).
I also rewrote your queries. The if statement creates a query depending on if you need to use the saved password or not rather than creating two separate queries.
I moved the mysql_query() function and the header() function below the if statement so that we only have to write it once.
I also changed the way you form your query to make it easier to read using the sprintf function (http://php.net/manual/en/function.sprintf.php).
function userUpdate() {
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
        die('You did not complete all of the required fields');
    }
    $_POST['password'] = md5($_POST['password']);
    if (!get_magic_quotes_gpc()) {
        $_POST['password'] = addslashes($_POST['password']);
        $_POST['username'] = addslashes($_POST['username']);
    }
    $username = $_POST['username'];
    $email = $_POST['email'];
    $password = $_POST['password'];
    $firstname = $_POST['firstname'];
    $lastname = $_POST['lastname'];
    $enabled = $_POST['enabled'];
    $usergroup = $_POST['usergroup'];
    $id = $_POST["id"];
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";
    // Grab the stored password for safe keeping before the update
    $query = "SELECT password FROM user WHERE id=$id";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    $current_password = $row[0];
    if (!$password) {
        // Write the saved password back
        $query = sprintf('UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id="%s", password="%s" WHERE id="%s"', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup, $current_password, $id);
    } else {
        // Write the newly submitted password
        $query = sprintf('UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id="%s", password="%s" WHERE id="%s"', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup, $password, $id);
    }
    $result = mysql_query($query);
    header("Location:index.php");
}
Also, regarding this statement
if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy'])
Make sure you understand the information on this page. You might want || operators.
http://www.php.net/manual/en/language.operators.precedence.php
Just a thought... ~Ray
ASKER
Hi,
Sorry for the late reply, got pulled into a meeting. Thanks for the replies, they had some good points in that I will be sure to look into (I do consider myself fairly novice still in this) so that's good.
Unfortunately I have tried both your example Ray and yours DrDamnit and neither have worked. I have a feeling that it may be to do with the database then like you said earlier. If so how can I go about making it work?
Regarding the or statement, my bad, should have known better, just let it slip but have now changed to ||.
Thanks Alex
Try this one http:#a33715183
See how it keeps track of $password
While bettering your code, Ray inadvertently removed the md5 function.
ASKER
Hi cyberkiwi,
Not quite sure how I missed your post but have just tried it and it works :)
I noticed Ray had left the md5 out as well, but that was an easy fix.
Anyway could you quickly explain what this line does so I know for future reference?:
$password = $password=="" ? "" : md5($password);
I will split the points but weight yours as heavier because you obviously supplied best answer.
Thanks Alex
The ? is a ternary operator taking 3 parts.
<condition> ? <iftrue> : <else>
It is a short form for writing
if <condition> then
<iftrue>
else
<else>
Regards
ASKER
Much help,
Thanks,
Alex
Required reading here:
http://php.net/manual/en/language.expressions.php
Thanks for the points, ~Ray