Solved

password_hash updating database even with empty form value

Posted on 2016-09-15
Last Modified: 2016-09-16
I have a page where a user can update their personal details like email, username, password etc. For the password I am using the built-in PHP password_hash, PASSWORD_BCRYPT, [12], which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and don't input anything into the password fields, the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code, or do I have to create an if statement that runs 2 SQL queries, i.e. if the password field is empty, run a SQL query that doesn't mention the password field, and if the password field has a value, run the other SQL query that updates the password field in the database? Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
$user_lastname  = $link->real_escape_string($_POST['user_lastname']);
$user_username  = $link->real_escape_string($_POST['user_username']);
$user_email     = $link->real_escape_string($_POST['user_email']);
$user_role      = $link->real_escape_string($_POST['user_role']);
// The bcrypt cost has to be passed under the 'cost' key; a bare [12] is an
// unnamed option that password_hash() ignores, so the default cost (10) applies.
$user_password  = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, ['cost' => 12]));

// user_password is always in the SET list, so an empty form field still
// overwrites the stored hash (with the hash of the empty string).
$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
if ($link->query($update_user) === TRUE) {
    // echo a success message here
}


Question by: Black Sulfur
5 Comments
 
LVL 84

Accepted Solution

by: Dave Baldwin earned 2000 total points
ID: 41800560
Just don't put " user_password = '$user_password' " in your SQL unless you have something to change.  This is the way I do it.

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				

 
LVL 1

Author Comment

by: Black Sulfur
ID: 41801586
Thanks for that. I tried it but nothing happens. No error, no update in the database?

// (the opening if (...) { of this validation block is not shown in the post)
$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
    if ($link->query($update_user) === TRUE) {
        $message = "<div class='alert alert-success'>User info updated successfully</div>";
    }
}
else {
    $message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";
}

 
LVL 84

Expert Comment

by: Dave Baldwin
ID: 41801860
This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
 
LVL 1

Author Comment

by: Black Sulfur
ID: 41802291
On line 2 of your code you had a ' that shouldn't be there.

I also had to change

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

to:

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";


and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
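Putting the accepted answer and the author's last comment together, as an added example that is not code from the original post or from Dave Baldwin's answer: the "empty password" test has to run on the raw form value, because password_hash('') returns a perfectly valid bcrypt string, so a test on the hash (as in the original code) is always true and the stored password is overwritten on every save. The example also builds the SET list conditionally the way the accepted answer does, but binds every value as a prepared-statement parameter instead of interpolating escaped strings, whitelists the updatable columns, and passes the bcrypt cost under the 'cost' key (the page's [12] is an unnamed option that password_hash() ignores). It assumes $link is the thread's connected mysqli object, $user_id is the logged-in user's id taken from the session rather than from the form, and PHP 7.1 or later. Whether user_role should be settable from a self-service profile form at all is a separate question; it is kept here only because the thread's form sends it.

```php
<?php
// Added example, not code from the original post or the accepted answer.
// Assumes: $link is a connected mysqli object (as in the thread), $user_id
// is the id of the logged-in user taken from the session (never from the
// form), and PHP 7.1 or later.

/**
 * Build a parameterised UPDATE for `users`. The password column is added to
 * the SET list only when the form actually supplied a new password.
 *
 * Returns [$sql, $bind_types, $bind_values] ready for mysqli bind_param().
 */
function build_user_update(array $fields, string $new_password, int $user_id): array
{
    // Only these columns may be set from the form. Column names never come
    // from user input; only the values do, and those are bound, not escaped.
    // user_role is listed only because the thread's form sends it; on a
    // self-service profile page it should not be form-controlled.
    $allowed = ['user_firstname', 'user_lastname', 'user_username', 'user_email', 'user_role'];

    $set    = [];
    $types  = '';
    $values = [];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $fields)) {
            $set[]    = "`$col` = ?";
            $types   .= 's';
            $values[] = $fields[$col];
        }
    }

    // Test the RAW form value, not its hash: password_hash('') returns a
    // valid bcrypt string, so a test on the hash is always true and the
    // stored password gets overwritten on every save.
    if ($new_password !== '') {
        // The cost must be passed under the 'cost' key; a bare [12] is an
        // unnamed option that password_hash() ignores (default cost 10 applies).
        $set[]    = '`user_password` = ?';
        $types   .= 's';
        $values[] = password_hash($new_password, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    if ($set === []) {
        throw new InvalidArgumentException('nothing to update');
    }

    $sql      = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `user_id` = ? LIMIT 1';
    $types   .= 'i';
    $values[] = $user_id;

    return [$sql, $types, $values];
}

// Usage, following the thread's form field names.
list($sql, $types, $values) = build_user_update(
    [
        'user_firstname' => $_POST['user_firstname'] ?? '',
        'user_lastname'  => $_POST['user_lastname']  ?? '',
        'user_username'  => $_POST['user_username']  ?? '',
        'user_email'     => $_POST['user_email']     ?? '',
        'user_role'      => $_POST['user_role']      ?? '',
    ],
    $_POST['user_password'] ?? '',
    (int) $user_id
);

$stmt = $link->prepare($sql);
if ($stmt === false) {
    // prepare() returning false means a SQL syntax error (like the stray
    // quote discussed above); surface it instead of silently "nothing happens".
    throw new RuntimeException('prepare failed: ' . $link->error);
}
$stmt->bind_param($types, ...$values);
if ($stmt->execute()) {
    // $stmt->affected_rows is 0 when the row exists but nothing actually changed.
    $message = "<div class='alert alert-success'>User info updated successfully</div>";
} else {
    $message = "<div class='alert alert-danger'>Update failed: " . htmlspecialchars($stmt->error) . "</div>";
}
$stmt->close();
```

With this shape there is only ever one query string, the password branch cannot leave a dangling comma or quote because each SET fragment is complete on its own, and a future column can be added by extending the $allowed list rather than editing a long interpolated string.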
 
LVL 84

Expert Comment

by: Dave Baldwin
ID: 41802366
Sorry for the error but glad to help.
