Solved

pasword_hash updating database even with empty form value

Posted on 2016-09-15
5
45 Views
Last Modified: 2016-09-16
I have a page where a user could update their personal details like email, username, password etc. For the password I am using the built in php password_hash, PASSWORD_BCRYPT, [12] which works great when creating a user.

My problem is, let's say that I want to update my details but not change my password. If I submit the form and not input anything into the password fields the password still changes! Obviously that isn't meant to happen. Can I prevent that using this code or do I have to create an if statement that runs 2 SQL queries i.e.: if the password field is empty, run a SQL query that doesn't make mention of the password field and if the password field has a value, run the other SQL query that updates the password field in the database. Surely there must be a more elegant method than that?

$user_firstname = $link->real_escape_string($_POST['user_firstname']);
				$user_lastname = $link->real_escape_string($_POST['user_lastname']);
				$user_username = $link->real_escape_string($_POST['user_username']);
				$user_email = $link->real_escape_string($_POST['user_email']);
				$user_role = $link->real_escape_string($_POST['user_role']);
				$user_password = $link->real_escape_string(password_hash($_POST['user_password'], PASSWORD_BCRYPT, [12]));
				
				$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role', user_password = '$user_password' WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){
					 
					 // echo a success message here
				 }

Open in new window

0
Comment
Question by:Black Sulfur
  • 3
  • 2
5 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 500 total points
ID: 41800560
Just don't put " user_password = '$user_password' " in your SQL unless you have something to change.  This is the way I do it.

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
if($user_password != '') $update_user .= "', user_password = '$user_password' ";
$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				

Open in new window

0
 

Author Comment

by:Black Sulfur
ID: 41801586
Thanks for that. I tried it but nothing happens. No error, no update in the database?

$update_user = "UPDATE `users` SET user_firstname = '$user_firstname', user_lastname = '$user_lastname', user_username = '$user_username', user_email = '$user_email', user_role = '$user_role' ";
				if($user_password != '') $update_user .= "', user_password = '$user_password' ";
				$update_user .= " WHERE user_id = '$user_id' LIMIT 1";
				 if($row = $link->query($update_user) === TRUE){

					 
					 $message = "<div class='alert alert-success'>User info updated successfuly</div>";
				 }
				
			}
			
			else {
				
				$message = "<div class='alert alert-danger'><strong>There were errors in your form:<br></strong>" . $message . "</div>";
				
			}

Open in new window

0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41801860
This is a method I use on hundreds of pages.  Have you turned on 'error_reporting' on that page?  Have you verified that you are actually sending the info to the page?
0
 

Author Comment

by:Black Sulfur
ID: 41802291
On line 2 of your code you had a
'

Open in new window

that shouldn't be there.

I also had to change  

if($user_password != '') $update_user .= "', user_password = '$user_password' ";

Open in new window


to :

if($user_password != '') $update_user .= ", user_password = '$user_password_hash' ";

Open in new window


and create 2 different values for $user_password and $user_password_hash.

It seems that it wasn't playing nice with the password_hash. It kept changing the password in the database even if I didn't enter anything in the password text fields.

Anyway, it seems to be working now! Even though I had to figure out a lot myself I will still give you all the points because you got me on the right track and who knows if I would have figured it out without you ;)
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 41802366
Sorry for the error but glad to help.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this.Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it is …
This article discusses four methods for overlaying images in a container on a web page
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now