joshm101 Posted May 20, 2019

Hello, I am new here. Looking for some help please. I am trying to work around the hashed password once the update button has been refreshed. e.g. if the form field is empty, then the $sql statement does not run with $param_password. If the form field has any characters, then run the other statement. Not sure if my syntax is correct, it seems to just hash it every time. Any help would be great thanks.

    if($stmt->rowCount() > 0) {
        $param_password = password_hash($this->password, PASSWORD_DEFAULT); // Creates a password hash
        if(empty(['password'])) {
            $sql = "UPDATE users SET username = '$this->username', status = '$this->status' WHERE id = $this->id";
        } else {
            $sql = "UPDATE users SET username = '$this->username', password = '$param_password', status = '$this->status' WHERE id = $this->id";
        }
        $stmt = $this->db->prepare($sql);
        $result = $stmt->execute();

joshm101 (Author) Posted May 20, 2019

Sorry guys, found the error. I needed to add: if(empty($_SESSION['password'])). I am new here, please be nice

requinix Posted May 20, 2019

That doesn't quite seem right. Why are you storing this... whatever it is, in the session? Surely the decision to update the password does not depend on the session but on what the user is trying to tell your system to do - ie, what's in $_POST?

ginerjm Posted May 20, 2019

IMHO - the password entry should only be occurring when you present the user with a "login" page. That is, make sure the user goes thru an authorization process where you check their id and password against a database entry and then set some kind of session variable to provide your future pages/scripts with proof that this user/session is ok to proceed. Now you don't have to worry about passwords and hashes again until this session ends. Don't confuse the "use" of your app with the "authorization" of it.

joshm101 (Author) Posted May 22, 2019

I have a College Project which is to create a backend system that can manipulate the logged-in user's information. I wanted to have update functionality as an admin to manipulate the user's details. Therefore the hashed password was giving me troubles. If I update the user's details when the password field is empty, I don't want it to run the SQL with the password field. But if there is something in that field, I would like to execute the sql statement with the hashed password field.

ginerjm Posted May 22, 2019

Greek to me....

maxxd Posted May 22, 2019

For the limited scope you're describing, what you're using will - theoretically and for the most part - be fine. However, I think what requinix was referring to is that the password value should be coming from $_POST, not $_SESSION. When a form is submitted, the data is passed to the receiving PHP script via a $_POST array (or $_GET, but this has to do with passwords so ignore $_GET for now). $_SESSION is a completely different thing, typically used for different reasons entirely. So, instead of

    if(empty($_SESSION['password']))

you'll want

    if(empty($_POST['password']))

This is assuming the value of the 'name' attribute on the password field in the HTML form is 'password' - the name of the field becomes the value's index in the $_POST array.

joshm101 (Author) Posted May 23, 2019

the data is coming from a different php script. So therefore I thought to get the data from another page of a form. Using SESSION works for me.

maxxd Posted May 23, 2019

Lots of questionable design choices work. Just trying to put you on a decent path for your class work.

mac_gyver Posted May 23, 2019

because you are putting external/unknown values directly into the sql query, it is open to sql injection. if someone managed to create a username containing sql when they registered, the posted code/query could allow them to set any user's record to anything they want, which could allow them to take over an administrator's account. while you are using prepare/execute statements, you aren't using place-holders in the sql query for the values. have you read the documentation for prepared queries?

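Added example, not part of any post in this thread: one way to do what maxxd and mac_gyver describe, with the password column updated only when the submitted field is non-empty and every value bound through placeholders. The `updateUser` and `storedRow` helpers, the table layout and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not the poster's method): update a user row, touching the
// password column only when a new password was actually submitted.
function updateUser(PDO $db, int $id, string $username, string $status, string $password = ''): bool
{
    // Every value is a bound parameter; only fixed column names are concatenated.
    $set    = ['username = :username', 'status = :status'];
    $params = [':username' => $username, ':status' => $status, ':id' => $id];

    if ($password !== '') {   // empty form field: keep the stored hash
        $set[] = 'password = :password';
        $params[':password'] = password_hash($password, PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id');
    return $stmt->execute($params);
}

// Hypothetical helper for the demo: read back what is stored for one user.
function storedRow(PDO $db, int $id): array
{
    $stmt = $db->prepare('SELECT username, password FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, status TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT), 'active']);

// Constructed stand-in for $_POST, first with the password field left empty.
$post = ['username' => "o'brien", 'status' => 'active', 'password' => ''];
updateUser($db, 1, $post['username'], $post['status'], $post['password'] ?? '');
$row = storedRow($db, 1);
var_dump($row['username'] === "o'brien");                    // the quote is stored as data
var_dump(password_verify('old-secret', $row['password']));   // the old hash still verifies

// Then with a new password typed into the field.
$post['password'] = 'new-secret';
updateUser($db, 1, $post['username'], $post['status'], $post['password'] ?? '');
var_dump(password_verify('new-secret', storedRow($db, 1)['password']));
```

Comparing against `''` instead of calling `empty()` matters here: PHP's `empty()` also treats the string `"0"` as empty, so a password of `0` would be silently skipped.
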
joshm101 (Author) Posted May 27, 2019

Thanks maxxd, I wasn't knocking your logic I just didn't give you enough information. (My fault). However I do have another question. Please see my scripts attached. Every time I seem to access the database through xampp when running a script, it logs me out of my logged in session. I can't find the problem. Any help would be much appreciated thanks.

https://www.dropbox.com/sh/gabmonzk0rbawhm/AAAZPJIFJPV9aM-yUGMPfitoa?dl=0