
If statement password validation - not working


samsplug


// Check for a Password and that p1 and p2 match
if (!empty($_POST['pass1'])) {
	if ($_POST['pass1'] != $_POST['pass2']) {
		$errors[] = 'Your new password did not match the confirmed password.';
	} else {
		$np = mysqli_real_escape_string($dbc, trim($_POST['pass1']));
	}
}

 

This code is used to validate a password change. When the password field of the form this is used with is blank, it seems to update the database using SHA1 to encode NULL...

This seems wrong, because the first of the two if statements tells it to do nothing if the first of the two password fields is empty...

Can anybody see how to correct my problem?

Thanks in advance :)


*I didn't mean to bump this topic - I wanted to add information to make solving my issue easier and there is no edit button available - so my apologies for that*

Here is the PHP script that the above section is from.

The page's purpose is to allow details of the users on my database-driven test site to be edited.

The issue is that when I submit the form and leave both password fields blank, it changes the password to a new value, even though I have included

if (!empty($_POST['pass1']))

 

<?php # Script 9.3 - edit_user.php

// This page is for editing a user record.
// This page is accessed through view_users.php.

$page_title = 'Edit a User';
include ('includes/header.html');

echo '<h1>Edit a User</h1>';

// Check for a valid user ID, through GET or POST:
if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
$id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // Form submission.
$id = $_POST['id'];
} else { // No valid ID, kill the script.
echo '<p class="error">This page has been accessed in error.</p>';
include ('includes/footer.html'); 
exit();
}

require_once ('../mysqli_connect.php'); 

// Check if the form has been submitted:
if (isset($_POST['submitted'])) {

$errors = array();

// Check for a first name:
if (empty($_POST['first_name'])) {
	$errors[] = 'You forgot to enter your first name.';
} else {
	$fn = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
}

// Check for a last name:
if (empty($_POST['last_name'])) {
	$errors[] = 'You forgot to enter your last name.';
} else {
	$ln = mysqli_real_escape_string($dbc, trim($_POST['last_name']));
}

// Check for an email address:
if (empty($_POST['email'])) {
	$errors[] = 'You forgot to enter your email address.';
} else {
	$e = mysqli_real_escape_string($dbc, trim($_POST['email']));
}

// Check for a Password and that p1 and p2 match
if (!empty($_POST['pass1'])) {
	if ($_POST['pass1'] != $_POST['pass2']) {
		$errors[] = 'Your new password did not match the confirmed password.';
	} else {
		$np = mysqli_real_escape_string($dbc, trim($_POST['pass1']));
	}
}

if (empty($errors)) { // If everything's OK.

	//  Test for unique email address:
	$q = "SELECT user_id FROM users WHERE email='$e' AND user_id != $id";
	$r = @mysqli_query($dbc, $q);
	if (mysqli_num_rows($r) == 0) {

		// Make the query:
		$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";
		$r = @mysqli_query ($dbc, $q);
		if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.

			// Print a message:
			echo '<p>The user has been edited.</p>';	}

		elseif (mysqli_affected_rows($dbc) == 0) { // If nothing was changed in the form
			// Print a message
			echo '<p class="error">No records have been updated.</p>';	}

		 else { // If it did not run OK.
			echo '<p class="error">The user could not be edited due to a system error. We apologize for any inconvenience.</p>'; // Public message.
			echo '<p>' . mysqli_error($dbc) . '<br />Query: ' . $q . '</p>'; // Debugging message.
		}

	} else { // Already registered.
		echo '<p class="error">The email address has already been registered.</p>';
	}

} else { // Report the errors.

	echo '<p class="error">The following error(s) occurred:<br />';
	foreach ($errors as $msg) { // Print each error.
		echo " - $msg<br />\n";
	}
	echo '</p><p>Please try again.</p>';

} // End of if (empty($errors)) IF.

} // End of submit conditional.

// Always show the form...

// Retrieve the user's information:
$q = "SELECT first_name, last_name, email FROM users WHERE user_id=$id";		
$r = @mysqli_query ($dbc, $q);

if (mysqli_num_rows($r) == 1) { // Valid user ID, show the form.

// Get the user's information:
$row = mysqli_fetch_array ($r, MYSQLI_NUM);

// Create the form:
echo '<form action="edit_user.php" method="post">
<p>First Name: <input type="text" name="first_name" size="15" maxlength="15" value="';
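if (empty($_POST['first_name'])) {
   echo htmlspecialchars($row[0], ENT_QUOTES, 'UTF-8'); // Escape before placing the value in an HTML attribute.
} else {
   echo htmlspecialchars($_POST['first_name'], ENT_QUOTES, 'UTF-8');
}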
echo '" /></p>

<p>Last Name: <input type="text" name="last_name" size="15" maxlength="15" value="';
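if (empty($_POST['last_name'])) {
   echo htmlspecialchars($row[1], ENT_QUOTES, 'UTF-8'); // Escape before placing the value in an HTML attribute.
} else {
   echo htmlspecialchars($_POST['last_name'], ENT_QUOTES, 'UTF-8');
}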
echo '" /></p>

<p>Email Address: <input type="text" name="email" size="15" maxlength="30" value="';
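if (empty($_POST['email'])) {
   echo htmlspecialchars($row[2], ENT_QUOTES, 'UTF-8'); // Escape before placing the value in an HTML attribute.
} else {
   echo htmlspecialchars($_POST['email'], ENT_QUOTES, 'UTF-8');
}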
echo '" /> </p>

<p>New Password: <input type="password" name="pass1" size="10" maxlength="20" /></p>
<p>Confirm New Password: <input type="password" name="pass2" size="10" maxlength="20" /></p>

<p><input type="submit" name="submit" value="Submit" /></p>
<input type="hidden" name="submitted" value="TRUE" />
<input type="hidden" name="id" value="' . $id . '" />
</form>';

} else { // Not a valid user ID.
echo '<p class="error">This page has been accessed in error.</p>';
}

mysqli_close($dbc);

include ('includes/footer.html');
?>

 

This is one of my very first scripts; I'm learning PHP and MySQL from a book by Larry Ullman. This is one of the extension tasks suggested in the book.

:)

Thanks.


It doesn't set the variables, but it doesn't necessarily stop the MySQL statement... Where is the rest of the code with the MySQL part?

Ahh lol, I think you posted as I was adding further details...

I've posted the full PHP script and HTML form for that page now so hopefully you'll be able to help :P

Hope so XD, let me know if you need more info - thanks

You are updating EVERYTHING here:

// Make the query:
$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";

 

You need to omit ", pass=SHA1('$np')" if there is no password submitted.

OHH, I think I approached this wrong :P

I think I need an if statement to decide on which query to use... That should work - do you think?


Thanks man, I changed the line you quoted to:

// Choose query:
if (!empty($_POST['pass1'])) {
	$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";
} else {
	$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e' WHERE user_id=$id LIMIT 1";
}

 

yay, fixed.

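A hardened take on the fix reached in this thread, added here as an example (it is not code from any poster or from the book): the password column joins the UPDATE only when a new password was submitted, values are bound through a prepared statement, and `password_hash()` replaces `SHA1()`. The function name `update_user`, the use of PDO with an in-memory SQLite database, and the sample row are assumptions made so the script runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. PDO + in-memory SQLite is an
// assumption; the table mirrors the thread's `users` table.

function update_user(PDO $db, int $id, array $post): array
{
    $errors = [];
    $set    = ['first_name = :fn', 'last_name = :ln', 'email = :e'];
    $params = [
        ':fn' => trim($post['first_name'] ?? ''),
        ':ln' => trim($post['last_name'] ?? ''),
        ':e'  => trim($post['email'] ?? ''),
        ':id' => $id,
    ];
    foreach ([':fn' => 'first name', ':ln' => 'last name', ':e' => 'email address'] as $k => $label) {
        if ($params[$k] === '') {
            $errors[] = "You forgot to enter your $label.";
        }
    }
    // Only touch the password column when a new password was submitted.
    $pass1 = $post['pass1'] ?? '';
    $pass2 = $post['pass2'] ?? '';
    if ($pass1 !== '' || $pass2 !== '') {
        if ($pass1 !== $pass2) { // strict: loose != treats '0e1' and '0e2' as equal
            $errors[] = 'Your new password did not match the confirmed password.';
        } else {
            $set[]        = 'pass = :p';
            $params[':p'] = password_hash($pass1, PASSWORD_DEFAULT);
        }
    }
    if ($errors) {
        return $errors;
    }
    $sql = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE user_id = :id';
    $db->prepare($sql)->execute($params);
    return [];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT, email TEXT, pass TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?, ?, ?)')
   ->execute(['Ann', 'Lee', 'ann@example.com', password_hash('old-secret', PASSWORD_DEFAULT)]);

update_user($db, 1, ['first_name' => 'Anne', 'last_name' => 'Lee', 'email' => 'ann@example.com', 'pass1' => '', 'pass2' => '']);
$hash = $db->query('SELECT pass FROM users WHERE user_id = 1')->fetchColumn();
var_dump(password_verify('old-secret', $hash)); // check that the old password still verifies
```

Comparing against the empty string rather than calling `empty()` also avoids treating a password of "0" as if nothing had been entered.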
