Solved

Leaving field unchanged on UPDATE in php

Posted on 2010-09-20
15
396 Views
Last Modified: 2013-12-12
Hi,

I'm designing a user register system and am doing the admin update part for users at the moment.

However i have become stuck on something i thought would be simple.

When the admin updates a user they have a choice to change the password of that user. They can't see the password so obviously the box is left blank however i want it to be that if they do enter a new password then the password field updates. I have the code below, however what is happening at the moment is when the admin changes the password it all works fine, however if the admin leaves the password box empty, then the password is still changed to just a blank space.

I want it so that if the password box is left blank it doesn't change the current password?

Thanks, Alex
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

Open in new window

0
Comment
Question by:echocpt
  • 4
  • 3
  • 3
  • +3
15 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715169
try like this,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (empty($password)) {
	
	$query1 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	
	} else {
	
	$query2 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 33715179
corrected script,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	//$_POST['password'] = md5($_POST['password']);
 	
	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	if (!empty($_POST['password'])
	{
		$password = md5($_POST['password']);	
	}
	
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (!empty($password)) {
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	
	} else {
	
	
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
LVL 58

Accepted Solution

by:
cyberkiwi earned 350 total points
ID: 33715183

function userUpdate() {



	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {

 		die('You did not complete all of the required fields');

 	}

 

        $password = $_POST['password'];

        $password = $password=="" ? "" : md5($password);

 	if (!get_magic_quotes_gpc()) {

                $password = $password=="" ? "" : addslashes($password);

 		$_POST['username'] = addslashes($_POST['username']);

 	}

	

	$username = $_POST['username'];

	$email = $_POST['email'];

	$firstname = $_POST['firstname'];

	$lastname = $_POST['lastname'];

	$enabled = $_POST['enabled'];

	$usergroup = $_POST['usergroup'];

	$id = $_POST["id"];



	$dd = $_POST['dd'];

	$mm = $_POST['mm'];

	$yyyy = $_POST['yyyy'];

	

	$dob = "".$yyyy."".$mm."".$dd."";



	

	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";

	$result = mysql_query($query);

	

	if (!$password) {

		header("Location:index.php");

	} else {

		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";

		$result2 = mysql_query($query2);

		header("Location:index.php");

	}

	

	

}

Open in new window

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33715190
It is a logic error.  The code is making an md5 hash before testing for a blank field.  You should test for the blank field before making the hash, or test for the blank field in the original input $_POST.

Then you should build the query string dynamically.

There are many things wrong (and some dangerous) with the sample code.  Please buy this book and work through the examples.  You will come out years ahead!
http://www.sitepoint.com/books/phpmysql4/

I will try to post a better example for you in a moment.

Best regards, ~Ray
0
 

Expert Comment

by:ANMOL28
ID: 33715191
fine
0
 
LVL 32

Expert Comment

by:DrDamnit
ID: 33715249
There are two things to look at here.

The first is how you setup your MySQL table. In some cases, depending on how you set it up, it will update the password field whenever that record is updated, which would explain this behavior or MySQL.

So, you can either figure that one out, or...

Grab the password for safe keeping before the update (see below).

I also re-write your queries. The if statement creates a query depeding on if you need to use the saved password or not rather than creating two separate queries.

I moved the mysql_query() function and the header() function below the if statement so that we only have to write it once.

I also change the way you form your query to make it easier to read using the sprintf function (http://php.net/manual/en/function.sprintf.php).

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	$query = "SELECT password "\" WHERE id=$id";
	$result = mysql_query($query);
	$row = mysql_fetch_array($result);
	$current_password = $row[0];
	
	if (!$password) {	
	$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $current_password, $id);
	} else {
			$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $password, $id);
	}
		$result = mysql_query($query);
		header("Location:index.php");	
}

Open in new window

0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 75 total points
ID: 33715261
I think this might work, but I cannot test it because I do not have your data base.  But it should be right in principle.

HTH, ~Ray
function userUpdate()

{

   // DIE IF NECESSARY FIELDS ARE OMITTED

    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) 

    {

        die('You did not complete all of the required fields');

    } 

    

    // ESCAPE THE DATA FOR USE IN A QUERY

    $username  = mysql_real_escape_string($_POST['username']);

    $email     = mysql_real_escape_string($_POST['email']);

    $password  = mysql_real_escape_string($_POST['password']);

    $firstname = mysql_real_escape_string($_POST['firstname']);

    $lastname  = mysql_real_escape_string($_POST['lastname']);

    $enabled   = mysql_real_escape_string($_POST['enabled']);

    $usergroup = mysql_real_escape_string($_POST['usergroup']);

    $id        = mysql_real_escape_string($_POST["id"]);



    // CONSTRUCT A DATE STRING (BETTER SEE:http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_201-Handling-date-and-time-in-PHP-and-MySQL.html)

    $dd = $_POST['dd'];

    $mm = $_POST['mm'];

    $yyyy = $_POST['yyyy'];

    $dob = "".$yyyy."".$mm."".$dd."";



    // CONSTRUCT A QUERY TO UPDATE USER DATA

    $query 

    = "UPDATE user SET username='$username'

    , email='$email'

    , firstname='$firstname'

    , lastname='$lastname'

    , dob='$dob'

    , enabled='$enabled'

    , usergroup_id'$usergroup'

    WHERE id=$id

    LIMIT 1"

    ;

    // RUN THE QUERY AND DIE ON ERROR

    $result = mysql_query($query) or die( mysql_error() );

    

    // IF THE PASSWORD IS NOT SET, REDIRECT

    if (empty($_POST["password"])) 

    {

        header("Location: /index.php");

        exit;

    } 

    

    // IF THE PASSWORD IS SET, UPDATE THE PASSWORD

    else 

    {

        $query2 = "UPDATE user SET password='$password ' WHERE id=$id LIMIT 1";

        $result2 = mysql_query($query2) or die( mysql_error() );

        header("Location: /index.php");

        exit;

    }

}

Open in new window

0
Get up to 2TB FREE CLOUD per backup license!

An exclusive Black Friday offer just for Expert Exchange audience! Buy any of our top-rated backup solutions & get up to 2TB free cloud per system! Perform local & cloud backup in the same step, and restore instantly—anytime, anywhere. Grab this deal now before it disappears!

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33715283
Also, regarding this statement

if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy'])

Make sure you understand the information on this page.  You might want || operators.
http://www.php.net/manual/en/language.operators.precedence.php

Just a thought... ~Ray
0
 
LVL 32

Assisted Solution

by:DrDamnit
DrDamnit earned 75 total points
ID: 33715315
Ray... good catch.

Because I knew those should be || (or) operators, I therefore literally saw || instead of |.

:-)
0
 

Author Comment

by:echocpt
ID: 33715435
Hi,

Sorry for the late reply, got pulled into a meeting. Thanks for the replies, they had some good points in that i will be sure to look into (i do consider myself fairly novice still in this) so thats good.

Unfortunately i have tried both your example Ray and yours DrDamnit and neither have worked. I have a feeling that it may be to do with the database then like you said earlier. If so how can i go about making it work?

Regarding the or statement, my bad, should have known better just let it slip but have now changed to ||.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715520
Try this one http:#a33715183
See how it keeps track of $password

While bettering your code, Ray inadvertently removed the md5 function.
0
 

Author Comment

by:echocpt
ID: 33715566
Hi cyberkiwi,

Not quite sure how i missed your post but have just tried it and it works :)

I noticed Ray had left the md5 out as well, but that was easy fix.

Anyway could you quickly explain what this line does so i know for future reference?:

        $password = $password=="" ? "" : md5($password);

I will split the points but weight yours as heavier because you obviously supplied best answer.

Thanks Alex
0
 
LVL 58

Expert Comment

by:cyberkiwi
ID: 33715622
The ? is a ternary operator taking 3 parts.

<condition> ? <iftrue> : <else>

It is a short form for writing

if <condition> then
  <iftrue>
else
  <else>

Regards
0
 

Author Comment

by:echocpt
ID: 33715645
Much help,

Thanks,
Alex
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33716721
Required reading here:
http://php.net/manual/en/language.expressions.php

Thanks for the points, ~Ray
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Join & Write a Comment

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this.Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it is …
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to dynamically set the form action using jQuery.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now