Solved

password_hash updating database even with empty form value

Posted on 2016-09-15
Last Modified: 2016-09-16
I have a page where a user could update their personal details like email, username, password etc. For the password I am using the built-in PHP password_hash, PASSWORD_BCRYPT, [12] which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and not input anything into the password fields the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code or do I have to create an if statement that runs 2 SQL queries i.e.: if the password field is empty, run a SQL query that doesn't make mention of the password field and if the password field has a value, run the other SQL query that updates the password field in the database. Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
$user_lastname = $link->real_escape_string($_POST['user_lastname']);
$user_username = $link->real_escape_string($_POST['user_username']);
$user_email = $link->real_escape_string($_POST['user_email']);
$user_role = $link->real_escape_string($_POST['user_role']);
$user_password = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, [12]));

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
if($row = $link->query($update_user) === TRUE){

    // echo a success message here
}

Question by:Black Sulfur
5 Comments
 
LVL 84

Accepted Solution

by:
Dave Baldwin earned 2000 total points
ID: 41800560
Just don't put " user_password = '$user_password' " in your SQL unless you have something to change.  This is the way I do it.

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				

 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801586
Thanks for that. I tried it but nothing happens. No error, no update in the database?

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
    if($user_password != '') $update_user .= "', user_password = '$user_password' ";
    $update_user .= " WHERE user_id = '$user_id' LIMIT 1";
    if($row = $link->query($update_user) === TRUE){

        $message = "<div class='alert alert-success'>User info updated successfuly</div>";
    }

}

else {

    $message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";

}

 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41801860
This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41802291
On line 2 of your code you had a ' that shouldn't be there.

I also had to change

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

to:

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";

and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41802366
Sorry for the error but glad to help.
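
An added example, not part of the thread or either poster's code: it shows why the emptiness check has to run on the raw form value (password_hash() of an empty string still returns a full bcrypt hash) and builds the conditional UPDATE with bound parameters instead of string interpolation. The helper name build_user_update() and the sample values are assumptions; column names follow the question. The cost is passed as ['cost' => 12], because a bare [12] has no 'cost' key and PHP falls back to its default cost.

```php
<?php
// Added example. build_user_update() is a hypothetical helper; the column
// names are the ones used in the question.
function build_user_update(array $post, int $userId): array
{
    // Columns that are updated on every submit.
    $fields = [
        'user_firstname' => $post['user_firstname'] ?? '',
        'user_lastname'  => $post['user_lastname'] ?? '',
        'user_username'  => $post['user_username'] ?? '',
        'user_email'     => $post['user_email'] ?? '',
        'user_role'      => $post['user_role'] ?? '',
    ];

    // Test the raw input, never the hash: hashing '' yields a valid
    // 60-character bcrypt string, so a check on the hashed value is
    // always "non-empty" and the stored password gets overwritten.
    $plain = $post['user_password'] ?? '';
    if ($plain !== '') {
        $fields['user_password'] =
            password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    // One placeholder per column; values travel separately from the SQL text.
    $set    = implode(', ', array_map(fn($c) => "`$c` = ?", array_keys($fields)));
    $sql    = "UPDATE `users` SET $set WHERE user_id = ? LIMIT 1";
    $types  = str_repeat('s', count($fields)) . 'i';
    $params = array_merge(array_values($fields), [$userId]);

    return [$sql, $types, $params];
}

// Constructed sample submissions (not real data).
$base = ['user_firstname' => 'Ann', 'user_lastname' => "O'Neil",
         'user_username' => 'ann', 'user_email' => 'ann@example.test',
         'user_role' => 'editor'];

[$sqlKeep] = build_user_update($base + ['user_password' => ''], 7);
[$sqlNew, $types, $params] = build_user_update($base + ['user_password' => 'new secret'], 7);

echo $sqlKeep, "\n";                                   // no user_password column
echo $sqlNew, "\n";                                    // user_password = ? appended
var_dump(password_verify('new secret', $params[5]));   // hash matches the input
var_dump(strlen(password_hash('', PASSWORD_BCRYPT)));  // empty input still hashes

// With a live mysqli connection ($link, as in the question):
// $stmt = $link->prepare($sqlNew);
// $stmt->bind_param($types, ...$params);
// $stmt->execute();
```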