Solved

pasword_hash updating database even with empty form value

Posted on 2016-09-15
5
68 Views
Last Modified: 2016-09-16
I have a page where a user could update their personal details like email, username, password etc. For the password I am using the built in php password_hash, PASSWORD_BCRYPT, [12] which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and not input anything into the password fields the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code or do I have to create an if statement that runs 2 SQL queries i.e.: if the password field is empty, run a SQL query that doesn't make mention of the password field and if the password field has a value, run the other SQL query that updates the password field in the database. Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
				$user_lastname = $link->real_escape_string($_POST['user_lastname']);
				$user_username = $link->real_escape_string($_POST['user_username']);
				$user_email = $link->real_escape_string($_POST['user_email']);
				$user_role = $link->real_escape_string($_POST['user_role']);
				$user_password = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, [12]));
				
				$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){
					 
					 // echo a success message here
				 }

Open in new window

0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 41800560
Just don't put " user_password = '$user_password' " in your SQL unless you have something to change.  This is the way I do it.

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				

Open in new window

0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41801586
Thanks for that. I tried it but nothing happens. No error, no update in the database?

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
				if($user_password != '') $update_user .= "', user_password = '$user_password' ";
				$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){

					 
					 $message = "<div class='alert alert-success'>User info updated successfuly</div>";
				 }
				
			}
			
			else {
				
				$message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";
				
			}

Open in new window

0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41801860
This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41802291
On line 2 of your code you had a
'

Open in new window

that shouldn't be there.

I also had to change  

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

Open in new window


to :

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";

Open in new window


and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41802366
Sorry for the error but glad to help.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question