[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

pasword_hash updating database even with empty form value

Posted on 2016-09-15
5
Medium Priority
?
74 Views
Last Modified: 2016-09-16
I have a page where a user could update their personal details like email, username, password etc. For the password I am using the built in php password_hash, PASSWORD_BCRYPT, [12] which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and not input anything into the password fields the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code or do I have to create an if statement that runs 2 SQL queries i.e.: if the password field is empty, run a SQL query that doesn't make mention of the password field and if the password field has a value, run the other SQL query that updates the password field in the database. Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
				$user_lastname = $link->real_escape_string($_POST['user_lastname']);
				$user_username = $link->real_escape_string($_POST['user_username']);
				$user_email = $link->real_escape_string($_POST['user_email']);
				$user_role = $link->real_escape_string($_POST['user_role']);
				$user_password = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, [12]));
				
				$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){
					 
					 // echo a success message here
				 }

Open in new window

0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 41800560
Just don't put " user_password = '$user_password' " in your SQL unless you have something to change.  This is the way I do it.

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				

Open in new window

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801586
Thanks for that. I tried it but nothing happens. No error, no update in the database?

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
				if($user_password != '') $update_user .= "', user_password = '$user_password' ";
				$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){

					 
					 $message = "<div class='alert alert-success'>User info updated successfuly</div>";
				 }
				
			}
			
			else {
				
				$message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";
				
			}

Open in new window

0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41801860
This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41802291
On line 2 of your code you had a
'

Open in new window

that shouldn't be there.

I also had to change  

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

Open in new window


to :

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";

Open in new window


and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41802366
Sorry for the error but glad to help.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
The viewer will learn how to count occurrences of each item in an array.
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question