Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 417
  • Last Modified:

Leaving field unchanged on UPDATE in php

Hi,

I'm designing a user register system and am doing the admin update part for users at the moment.

However i have become stuck on something i thought would be simple.

When the admin updates a user they have a choice to change the password of that user. They can't see the password so obviously the box is left blank however i want it to be that if they do enter a new password then the password field updates. I have the code below, however what is happening at the moment is when the admin changes the password it all works fine, however if the admin leaves the password box empty, then the password is still changed to just a blank space.

I want it so that if the password box is left blank it doesn't change the current password?

Thanks, Alex
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

Open in new window

0
echocpt
Asked:
echocpt
  • 4
  • 3
  • 3
  • +3
3 Solutions
 
Loganathan NatarajanLAMP DeveloperCommented:
try like this,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (empty($password)) {
	
	$query1 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	
	} else {
	
	$query2 = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
Loganathan NatarajanLAMP DeveloperCommented:
corrected script,
<?
function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	//$_POST['password'] = md5($_POST['password']);
 	
	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	if (!empty($_POST['password'])
	{
		$password = md5($_POST['password']);	
	}
	
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	if (!empty($password)) {
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\", password=\"" . $password . "\"  WHERE id=$id";
	
	} else {
	
	
	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	}
	
	$result = mysql_query($query) or die(mysql_error());
	
	header("Location:index.php");
	
	
}
?>

Open in new window

0
 
cyberkiwiCommented:

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
        $password = $_POST['password'];
        $password = $password=="" ? "" : md5($password);
 	if (!get_magic_quotes_gpc()) {
                $password = $password=="" ? "" : addslashes($password);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	
	$query = "UPDATE user SET username=\"" . $username . "\", email=\"" . $email . "\", firstname=\"" . $firstname . "\", lastname=\"" . $lastname . "\", dob=\"" . $dob . "\", enabled=\"" . $enabled . "\", usergroup_id=\"" . $usergroup . "\"  WHERE id=$id";
	$result = mysql_query($query);
	
	if (!$password) {
		header("Location:index.php");
	} else {
		$query2 = "UPDATE user SET password=\"" . $password . "\" WHERE id=$id";
		$result2 = mysql_query($query2);
		header("Location:index.php");
	}
	
	
}

Open in new window

0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 
Ray PaseurCommented:
It is a logic error.  The code is making an md5 hash before testing for a blank field.  You should test for the blank field before making the hash, or test for the blank field in the original input $_POST.

Then you should build the query string dynamically.

There are many things wrong (and some dangerous) with the sample code.  Please buy this book and work through the examples.  You will come out years ahead!
http://www.sitepoint.com/books/phpmysql4/

I will try to post a better example for you in a moment.

Best regards, ~Ray
0
 
ANMOL28Commented:
fine
0
 
DrDamnitCommented:
There are two things to look at here.

The first is how you setup your MySQL table. In some cases, depending on how you set it up, it will update the password field whenever that record is updated, which would explain this behavior or MySQL.

So, you can either figure that one out, or...

Grab the password for safe keeping before the update (see below).

I also re-write your queries. The if statement creates a query depeding on if you need to use the saved password or not rather than creating two separate queries.

I moved the mysql_query() function and the header() function below the if statement so that we only have to write it once.

I also change the way you form your query to make it easier to read using the sprintf function (http://php.net/manual/en/function.sprintf.php).

function userUpdate() {

	if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) {
 		die('You did not complete all of the required fields');
 	}
 
  	$_POST['password'] = md5($_POST['password']);
 	if (!get_magic_quotes_gpc()) {
 		$_POST['password'] = addslashes($_POST['password']);
 		$_POST['username'] = addslashes($_POST['username']);
 	}
	
	$username = $_POST['username'];
	$email = $_POST['email'];
	$password = $_POST['password'];
	$firstname = $_POST['firstname'];
	$lastname = $_POST['lastname'];
	$enabled = $_POST['enabled'];
	$usergroup = $_POST['usergroup'];
	$id = $_POST["id"];

	$dd = $_POST['dd'];
	$mm = $_POST['mm'];
	$yyyy = $_POST['yyyy'];
	
	$dob = "".$yyyy."".$mm."".$dd."";

	$query = "SELECT password "\" WHERE id=$id";
	$result = mysql_query($query);
	$row = mysql_fetch_array($result);
	$current_password = $row[0];
	
	if (!$password) {	
	$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $current_password, $id);
	} else {
			$query = sprintf(' UPDATE `user` SET username="%s", email="%s", firstname="%s", lastname="%s", dob="%s", enabled="%s", usergroup_id = "%s", password="%s WHERE id="%s""', $username, $email, $firstname, $lastname, $dob, $enabled, $usergroup_id, $password, $id);
	}
		$result = mysql_query($query);
		header("Location:index.php");	
}

Open in new window

0
 
Ray PaseurCommented:
I think this might work, but I cannot test it because I do not have your data base.  But it should be right in principle.

HTH, ~Ray
function userUpdate()
{
   // DIE IF NECESSARY FIELDS ARE OMITTED
    if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy']) 
    {
        die('You did not complete all of the required fields');
    } 
    
    // ESCAPE THE DATA FOR USE IN A QUERY
    $username  = mysql_real_escape_string($_POST['username']);
    $email     = mysql_real_escape_string($_POST['email']);
    $password  = mysql_real_escape_string($_POST['password']);
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname  = mysql_real_escape_string($_POST['lastname']);
    $enabled   = mysql_real_escape_string($_POST['enabled']);
    $usergroup = mysql_real_escape_string($_POST['usergroup']);
    $id        = mysql_real_escape_string($_POST["id"]);

    // CONSTRUCT A DATE STRING (BETTER SEE:http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_201-Handling-date-and-time-in-PHP-and-MySQL.html)
    $dd = $_POST['dd'];
    $mm = $_POST['mm'];
    $yyyy = $_POST['yyyy'];
    $dob = "".$yyyy."".$mm."".$dd."";

    // CONSTRUCT A QUERY TO UPDATE USER DATA
    $query 
    = "UPDATE user SET username='$username'
    , email='$email'
    , firstname='$firstname'
    , lastname='$lastname'
    , dob='$dob'
    , enabled='$enabled'
    , usergroup_id'$usergroup'
    WHERE id=$id
    LIMIT 1"
    ;
    // RUN THE QUERY AND DIE ON ERROR
    $result = mysql_query($query) or die( mysql_error() );
    
    // IF THE PASSWORD IS NOT SET, REDIRECT
    if (empty($_POST["password"])) 
    {
        header("Location: /index.php");
        exit;
    } 
    
    // IF THE PASSWORD IS SET, UPDATE THE PASSWORD
    else 
    {
        $query2 = "UPDATE user SET password='$password ' WHERE id=$id LIMIT 1";
        $result2 = mysql_query($query2) or die( mysql_error() );
        header("Location: /index.php");
        exit;
    }
}

Open in new window

0
 
Ray PaseurCommented:
Also, regarding this statement

if (!$_POST['username'] | !$_POST['email'] | !$_POST['firstname'] | !$_POST['lastname'] | !$_POST['dd'] | !$_POST['mm'] | !$_POST['yyyy'])

Make sure you understand the information on this page.  You might want || operators.
http://www.php.net/manual/en/language.operators.precedence.php

Just a thought... ~Ray
0
 
DrDamnitCommented:
Ray... good catch.

Because I knew those should be || (or) operators, I therefore literally saw || instead of |.

:-)
0
 
echocptAuthor Commented:
Hi,

Sorry for the late reply, got pulled into a meeting. Thanks for the replies, they had some good points in that i will be sure to look into (i do consider myself fairly novice still in this) so thats good.

Unfortunately i have tried both your example Ray and yours DrDamnit and neither have worked. I have a feeling that it may be to do with the database then like you said earlier. If so how can i go about making it work?

Regarding the or statement, my bad, should have known better just let it slip but have now changed to ||.

Thanks Alex
0
 
cyberkiwiCommented:
Try this one http:#a33715183
See how it keeps track of $password

While bettering your code, Ray inadvertently removed the md5 function.
0
 
echocptAuthor Commented:
Hi cyberkiwi,

Not quite sure how i missed your post but have just tried it and it works :)

I noticed Ray had left the md5 out as well, but that was easy fix.

Anyway could you quickly explain what this line does so i know for future reference?:

        $password = $password=="" ? "" : md5($password);

I will split the points but weight yours as heavier because you obviously supplied best answer.

Thanks Alex
0
 
cyberkiwiCommented:
The ? is a ternary operator taking 3 parts.

<condition> ? <iftrue> : <else>

It is a short form for writing

if <condition> then
  <iftrue>
else
  <else>

Regards
0
 
echocptAuthor Commented:
Much help,

Thanks,
Alex
0
 
Ray PaseurCommented:
Required reading here:
http://php.net/manual/en/language.expressions.php

Thanks for the points, ~Ray
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

  • 4
  • 3
  • 3
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now