samsplug Posted September 3, 2009

// Check for a Password and that p1 and p2 match
if (!empty($_POST['pass1'])) {
    if ($_POST['pass1'] != $_POST['pass2']) {
        $errors[] = 'Your new password did not match the confirmed password.';
    } else {
        $np = mysqli_real_escape_string($dbc, trim($_POST['pass1']));
    }
}

This code is used to validate a password change. When the password field of the form this is used with is blank, it seems to update the database using SHA1 to encode NULL... This seems wrong, because the first of the two if statements tells it to do nothing if the first of the two password fields is empty... Can anybody see how to correct my problem? Thanks in advance.
rhodesa Posted September 3, 2009

It doesn't set the variables, but it doesn't necessarily stop the mysql statement... where is the rest of the code with the mysql part?
samsplug Posted September 3, 2009

*I didn't mean to bump this topic - I wanted to add information to make solving my issue easier and there is no edit button available - so my apologies for that*

Here is the PHP script that the above section is from. The page's purpose is to allow details of the users on my database-driven test site to be edited. The issue is that when I submit the form and leave both password fields blank, it changes the password to a new value, even though I have included if (!empty($_POST['pass1'])).

<?php # Script 9.3 - edit_user.php
// This page is for editing a user record.
// This page is accessed through view_users.php.

$page_title = 'Edit a User';
include ('includes/header.html');
echo '<h1>Edit a User</h1>';

// Check for a valid user ID, through GET or POST:
if ( (isset($_GET['id'])) && (is_numeric($_GET['id'])) ) { // From view_users.php
    $id = $_GET['id'];
} elseif ( (isset($_POST['id'])) && (is_numeric($_POST['id'])) ) { // Form submission.
    $id = $_POST['id'];
} else { // No valid ID, kill the script.
    echo '<p class="error">This page has been accessed in error.</p>';
    include ('includes/footer.html');
    exit();
}

require_once ('../mysqli_connect.php');

// Check if the form has been submitted:
if (isset($_POST['submitted'])) {

    $errors = array();

    // Check for a first name:
    if (empty($_POST['first_name'])) {
        $errors[] = 'You forgot to enter your first name.';
    } else {
        $fn = mysqli_real_escape_string($dbc, trim($_POST['first_name']));
    }

    // Check for a last name:
    if (empty($_POST['last_name'])) {
        $errors[] = 'You forgot to enter your last name.';
    } else {
        $ln = mysqli_real_escape_string($dbc, trim($_POST['last_name']));
    }

    // Check for an email address:
    if (empty($_POST['email'])) {
        $errors[] = 'You forgot to enter your email address.';
    } else {
        $e = mysqli_real_escape_string($dbc, trim($_POST['email']));
    }

    // Check for a Password and that p1 and p2 match
    if (!empty($_POST['pass1'])) {
        if ($_POST['pass1'] != $_POST['pass2']) {
            $errors[] = 'Your new password did not match the confirmed password.';
        } else {
            $np = mysqli_real_escape_string($dbc, trim($_POST['pass1']));
        }
    }

    if (empty($errors)) { // If everything's OK.

        // Test for unique email address:
        $q = "SELECT user_id FROM users WHERE email='$e' AND user_id != $id";
        $r = @mysqli_query($dbc, $q);
        if (mysqli_num_rows($r) == 0) {

            // Make the query:
            $q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";
            $r = @mysqli_query ($dbc, $q);
            if (mysqli_affected_rows($dbc) == 1) { // If it ran OK.
                // Print a message:
                echo '<p>The user has been edited.</p>';
            } elseif (mysqli_affected_rows($dbc) == 0) { // If nothing was changed in the form
                // Print a message
                echo '<p class="error">No records have been updated.</p>';
            } else { // If it did not run OK.
                echo '<p class="error">The user could not be edited due to a system error. We apologize for any inconvenience.</p>'; // Public message.
                echo '<p>' . mysqli_error($dbc) . '<br />Query: ' . $q . '</p>'; // Debugging message.
            }

        } else { // Already registered.
            echo '<p class="error">The email address has already been registered.</p>';
        }

    } else { // Report the errors.

        echo '<p class="error">The following error(s) occurred:<br />';
        foreach ($errors as $msg) { // Print each error.
            echo " - $msg<br />\n";
        }
        echo '</p><p>Please try again.</p>';

    } // End of if (empty($errors)) IF.

} // End of submit conditional.

// Always show the form...

// Retrieve the user's information:
$q = "SELECT first_name, last_name, email FROM users WHERE user_id=$id";
$r = @mysqli_query ($dbc, $q);

if (mysqli_num_rows($r) == 1) { // Valid user ID, show the form.

    // Get the user's information:
    $row = mysqli_fetch_array ($r, MYSQLI_NUM);

    // Create the form:
    echo '<form action="edit_user.php" method="post">
    <p>First Name: <input type="text" name="first_name" size="15" maxlength="15" value="';
    if (empty($_POST['first_name'])) { echo $row[0]; } else { echo $_POST['first_name']; }
    echo '" /></p>
    <p>Last Name: <input type="text" name="last_name" size="15" maxlength="15" value="';
    if (empty($_POST['last_name'])) { echo $row[1]; } else { echo $_POST['last_name']; }
    echo '" /></p>
    <p>Email Address: <input type="text" name="email" size="15" maxlength="30" value="';
    if (empty($_POST['email'])) { echo $row[2]; } else { echo $_POST['email']; }
    echo '" /> </p>
    <p>New Password: <input type="password" name="pass1" size="10" maxlength="20" /></p>
    <p>Confirm New Password: <input type="password" name="pass2" size="10" maxlength="20" /></p>
    <p><input type="submit" name="submit" value="Submit" /></p>
    <input type="hidden" name="submitted" value="TRUE" />
    <input type="hidden" name="id" value="' . $id . '" />
    </form>';

} else { // Not a valid user ID.
    echo '<p class="error">This page has been accessed in error.</p>';
}

mysqli_close($dbc);

include ('includes/footer.html');
?>

This is one of my very first scripts; I'm learning PHP and MySQL from a book by Larry Ullman. This is one of the extension tasks suggested in the book. Thanks.
rhodesa Posted September 3, 2009

You are updating EVERYTHING here:

// Make the query:
$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";

You need to omit ", pass=SHA1('$np')" if there is no password submitted.
samsplug Posted September 3, 2009

It doesn't set the variables, but it doesn't necessarily stop the mysql statement... where is the rest of the code with the mysql part?

Ahh lol, I think you posted as I was adding further details... I've posted the full PHP script and HTML form for that page now, so hopefully you'll be able to help. Hope so XD, let me know if you need more info - thanks.

You are updating EVERYTHING here:

// Make the query:
$q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";

You need to omit ", pass=SHA1('$np')" if there is no password submitted.

OHH, I think I approached this wrong. I think I need an if statement to decide on which query to use... That should work - do you think?
samsplug Posted September 3, 2009

Thanks man, I changed the line you quoted to:

// Choose query:
if (!empty($_POST['pass1'])) {
    $q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e', pass=SHA1('$np') WHERE user_id=$id LIMIT 1";
} else {
    $q = "UPDATE users SET first_name='$fn', last_name='$ln', email='$e' WHERE user_id=$id LIMIT 1";
}

Yay, fixed.
rhodesa Posted September 3, 2009

Usually I build the SQL statement... so just add the parts you need to the SQL statement as needed.

edit: but that works too
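The approach rhodesa describes, building the SET clause only from the fields that were actually submitted, as an added example that is not code from the thread or from Ullman's book. It assumes the same users table and column names as the script above, an open mysqli connection in $dbc, and a pass column wide enough for a password_hash() result (bcrypt is 60 characters, wider than the 40 SHA1 produces); prepared statements and password_hash() are swapped in for the escaped-string interpolation and MySQL SHA1() the thread uses.

```php
<?php
// Added example: build the UPDATE from submitted fields only, so a blank
// password field never overwrites the stored hash. Prepared statements and
// password_hash() replace mysqli_real_escape_string()/SHA1() from the thread;
// table and column names follow the thread's script.

/**
 * Returns [$sql, $types, $params] for a users-table UPDATE.
 * $pass1 / $pass2 are null or '' when the form fields were left blank.
 */
function build_user_update(int $id, string $fn, string $ln, string $e,
                           ?string $pass1, ?string $pass2): array
{
    $set    = ['first_name = ?', 'last_name = ?', 'email = ?'];
    $types  = 'sss';
    $params = [$fn, $ln, $e];

    // Only touch the password column when a new password was entered.
    if ($pass1 !== null && $pass1 !== '') {
        if ($pass1 !== $pass2) {
            throw new InvalidArgumentException(
                'Your new password did not match the confirmed password.');
        }
        $set[]    = 'pass = ?';
        $types   .= 's';
        $params[] = password_hash($pass1, PASSWORD_DEFAULT);
    }

    $types   .= 'i';
    $params[] = $id;
    $sql = 'UPDATE users SET ' . implode(', ', $set)
         . ' WHERE user_id = ? LIMIT 1';
    return [$sql, $types, $params];
}

// Usage with the connection $dbc from mysqli_connect.php (assumed):
// [$sql, $types, $params] = build_user_update((int) $id, $fn, $ln, $e,
//     $_POST['pass1'] ?? null, $_POST['pass2'] ?? null);
// $stmt = mysqli_prepare($dbc, $sql);
// mysqli_stmt_bind_param($stmt, $types, ...$params);
// mysqli_stmt_execute($stmt);

// Self-check without a database: blank password -> no pass column in SET.
[$sql] = build_user_update(7, 'Sam', 'Plug', 'sam@example.com', '', '');
assert(strpos($sql, 'pass = ?') === false);
[$sql] = build_user_update(7, 'Sam', 'Plug', 'sam@example.com', 'secret1', 'secret1');
assert(strpos($sql, 'pass = ?') !== false);
```

With the password hashed in PHP, the login script must verify with password_verify() instead of comparing SHA1('...') in the query; the mismatch check here throws rather than filling $errors, so wrap the call accordingly if you keep the thread's error-list style.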