
Need help with this script


joshm101


Hello, I am new here. Looking for some help please.

I am trying to work around the hashed password once the update button has been refreshed. e.g. if the form field is empty, then the $sql statement does not run with $param_password.

If the form field has any characters, then run the other statement. Not sure if my syntax is correct, it seems to just hash it every time. Any help would be great thanks.

if($stmt->rowCount() > 0)
{
    $param_password = password_hash($this->password, PASSWORD_DEFAULT); // Creates a password hash

    if(empty($_SESSION['password']))
    {
        $sql = "UPDATE users SET username = '$this->username', status = '$this->status' WHERE id = $this->id";
    }
    else
    {
        $sql = "UPDATE users SET username = '$this->username', password = '$param_password', status = '$this->status' WHERE id = $this->id";
    }

    $stmt = $this->db->prepare($sql);
    $result = $stmt->execute();

 


That doesn't quite seem right. Why are you storing this... whatever it is, in the session? Surely the decision to update the password does not depend on the session but on what the user is trying to tell your system to do - ie, what's in $_POST?


IMHO - the password entry should only be occurring when you present the user with a "login" page.  That is, make sure the user goes thru an authorization process where you check their id and password against a database entry and then set some kind of session variable to provide your future pages/scripts with proof that this user/session is ok to proceed.

Now you don't have to worry about passwords and hashes again until this session ends.  Don't confuse the "use" of your app with the "authorization" of it.


I have a college project which is to create a backend system that can manipulate the logged-in user's information. I wanted to have update functionality as an admin to manipulate the user's details.

Therefore the hashed password was giving me troubles.

If I update the user's details when the password field is empty, I don't want it to run the SQL with the password field. But if there is something in that field, I would like to execute the SQL statement with the hashed password field.


For the limited scope you're describing, what you're using will - theoretically and for the most part - be fine. However, I think what requinix was referring to is that the password value should be coming from $_POST, not $_SESSION. When a form is submitted, the data is passed to the receiving PHP script via a $_POST array (or $_GET, but this has to do with passwords so ignore $_GET for now). $_SESSION is a completely different thing, typically used for different reasons entirely.

So, instead of

if(empty($_SESSION['password']))

you'll want

if(empty($_POST['password']))

This is assuming the value of the 'name' attribute on the password field in the HTML form is 'password' - the name of the field becomes the value's index in the $_POST array.


because you are putting external/unknown values directly into the sql query, it is open to sql injection. if someone managed to create a username containing sql when they registered, the posted code/query could allow them to set any user's record to anything they want, which could allow them to take over an administrator's account.

while you are using prepare/execute statements, you aren't using place-holders in the sql query for the values. have you read the documentation for prepared queries?

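The two points above (read the password from $_POST, and use placeholders instead of interpolating values into the SQL) combined into one update routine. This is an added example, not the original poster's code; it assumes a PDO connection and that the form's password input is named "password".

```php
<?php
// Added example (not the poster's code). Assumes $db is a PDO connection and
// the HTML form field is named "password", so its value arrives in $_POST['password'].

function updateUser(PDO $db, int $id, array $post): bool
{
    // Values never go into the SQL text; only placeholders do.
    $sql = "UPDATE users SET username = :username, status = :status";
    $params = [
        ':username' => $post['username'],
        ':status'   => $post['status'],
        ':id'       => $id,
    ];

    // Only touch the password column when the form field was actually filled in.
    // password_hash() runs inside this branch, so an empty field never
    // overwrites the stored hash with a hash of "".
    if (!empty($post['password'])) {
        $sql .= ", password = :password";
        $params[':password'] = password_hash($post['password'], PASSWORD_DEFAULT);
    }

    $sql .= " WHERE id = :id";

    $stmt = $db->prepare($sql);
    return $stmt->execute($params);
}

// Self-check with an in-memory SQLite database (constructed data, not a real schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, status TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice', 'old-hash', 'active')");

// Empty password field: username (with a quote in it) is stored literally, hash untouched.
updateUser($db, 1, ['username' => "O'Brien", 'status' => 'active', 'password' => '']);
$row = $db->query("SELECT username, password FROM users WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
assert($row['username'] === "O'Brien" && $row['password'] === 'old-hash');

// Filled password field: a new bcrypt hash is written and verifies.
updateUser($db, 1, ['username' => "O'Brien", 'status' => 'active', 'password' => 'new-secret']);
$row = $db->query("SELECT password FROM users WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
assert(password_verify('new-secret', $row['password']));
```

In the poster's class the call would be updateUser($this->db, (int) $this->id, $_POST) from the form handler, after the admin session check that ginerjm describes.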

Thanks maxxd,

I wasn't knocking your logic, I just didn't give you enough information (my fault).


However I do have another question. Please see my scripts attached. 


Every time I seem to access the database through xampp when running a script, it logs me out of my logged in session. I can't find the problem.

Any help would be much appreciated thanks. 

https://www.dropbox.com/sh/gabmonzk0rbawhm/AAAZPJIFJPV9aM-yUGMPfitoa?dl=0
