Crazy Horse asked:

password_hash updating database even with empty form value

I have a page where a user could update their personal details like email, username, password etc. For the password I am using the built-in PHP password_hash, PASSWORD_BCRYPT, [12] which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and not input anything into the password fields the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code or do I have to create an if statement that runs 2 SQL queries i.e.: if the password field is empty, run a SQL query that doesn't make mention of the password field and if the password field has a value, run the other SQL query that updates the password field in the database. Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
$user_lastname = $link->real_escape_string($_POST['user_lastname']);
$user_username = $link->real_escape_string($_POST['user_username']);
$user_email = $link->real_escape_string($_POST['user_email']);
$user_role = $link->real_escape_string($_POST['user_role']);
// The options array needs the 'cost' key; a bare [12] is ignored and the default cost is used.
// password_hash() also runs when the field is empty, so user_password is always overwritten.
$user_password = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, ['cost' => 12]));

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
if($row = $link->query($update_user) === TRUE){
    // echo a success message here
}


ASKER CERTIFIED SOLUTION
Dave Baldwin

This solution is only available to members.

Crazy Horse (ASKER)

Thanks for that. I tried it but nothing happens. No error, no update in the database?

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
if($row = $link->query($update_user) === TRUE){
    $message = "<div class='alert alert-success'>User info updated successfully</div>";
}

}

else {

    $message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";

}


This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
On line 2 of your code you had a ' that shouldn't be there.

I also had to change

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

to:

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";

and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
Sorry for the error but glad to help.
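
One way to get the behaviour asked for with a single query, as an added example that is not code from the thread: the password column is appended only when the raw field is non-empty, and a prepared statement replaces string interpolation. The function names `build_user_update` and `update_user` are hypothetical; the table and column names are the ones in the question, and `$link` is assumed to be a mysqli connection.

```php
<?php
// Added example; function names are hypothetical, columns are those from the question.
declare(strict_types=1);

/**
 * Build the UPDATE for the profile form. The password column is included only
 * when a new password was actually submitted, because password_hash('') still
 * returns a valid, non-empty bcrypt hash and would overwrite the stored one.
 * Returns [sql, types, params] for a mysqli prepared statement.
 */
function build_user_update(array $post, int $userId): array
{
    $columns = ['user_firstname', 'user_lastname', 'user_username', 'user_email', 'user_role'];
    $set = [];
    $params = [];
    foreach ($columns as $col) {
        $set[] = "`$col` = ?";
        $params[] = (string)($post[$col] ?? '');
    }

    // Test the raw input, never the hash: the hash of an empty string is not empty.
    $plain = (string)($post['user_password'] ?? '');
    if ($plain !== '') {
        $set[] = '`user_password` = ?';
        $params[] = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    $params[] = $userId;
    $types = str_repeat('s', count($params) - 1) . 'i';
    $sql = 'UPDATE `users` SET ' . implode(', ', $set) . ' WHERE `user_id` = ? LIMIT 1';
    return [$sql, $types, $params];
}

/** Run the update on an open mysqli connection (assumed to be $link from the thread). */
function update_user(mysqli $link, array $post, int $userId): bool
{
    [$sql, $types, $params] = build_user_update($post, $userId);
    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        return false; // prepare failed; inspect $link->error
    }
    $stmt->bind_param($types, ...$params);
    return $stmt->execute();
}
```

With an empty `user_password` field the generated statement has five `SET` columns and leaves the stored hash untouched; with a value it has six.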