Submit to database

[forumnz]

This script is for users to edit their information.

I have made it so that nothing shows up in the password box, but now when the user resubmits their information (without changing the password), the database is edited and they now dont have a password.

What can I do to prevent the password to be sent if they dont want to change it?

Code:
[code]<?php
  session_start();
 
  $con = mysql_connect("localhost","$$$","$$$");
  if (!$con)
  {
    die('Could not connect: ' . mysql_error());
  }

  mysql_select_db("my_db", $con);

if( isset($_POST['Submit']) ) 
{ 
  //Store/validate/escape
  $password = base64_encode($_POST['password']);
  $email = $_POST['email']; 
  $area = $_POST['area']; 
  $phone = $_POST['phone']; 
  $age = $_POST['age']; 
  $message = $_POST['message'];
 
  //Reset
  unset($_POST);
 
  $id = $_SESSION['userid'];
  $query = "UPDATE members SET password='$password', email='$email', area='$area', phone='$phone', age='$age', message='$message' WHERE id='$id'";
  mysql_query($query);
 
  //echo "$query\n\n";
  if( mysql_errno() )
  {
    echo "\n\nERROR: " . mysql_error();
  }

}


  $valid = false;
  if( isset($_SESSION['userid']) )
  {
    //do whatever appropriate validation is necessary on id
    //if we encounter errors abort?
    $id = $_SESSION['userid'];

    //No errors... proceed

    //connect to database

    $query = "SELECT password, email, area, phone, age, message FROM members WHERE id = '$id'";

//echo "$query\n\n";
    $result = mysql_query($query);
if( mysql_errno() )
    {
      echo "\n\nERROR: " . mysql_error();
    }
    $row = mysql_fetch_row($result);

    $password = "";  //echo "PASSWORD: $password\n";
$email = "";  //echo "EMAIL: $email\n";
$area = "";    //echo "AREA: $area\n";
$phone = "";  //echo "PHONE: $phone\n";
$age = "";    //echo "AGE: $age\n";
$message = ""; //echo "MESSAGE: $message\n";

    if( $row )
    {
      $valid = true;
  //$password = $row[0];
      $email = $row[1];
  $area = $row[2];
  $phone = $row[3];
  $age = $row[4];
  $message = $row[5];
    }
    else
    {
      //Invalid username... handle error appropriately
      $valid = false;
    }

    //disconnect from database
  }
  else
  {
    //ERROR - Not logged in....
    //Redirect to login page?
    $valid = false;
  }

  if( !$valid )
  {
      //Errors, redirect....
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Page to test</title>
</head>

<body>
<p>Edit Profile</p>
<form id="form1" name="form1" method="post" action="edit.php">
<p>Password :
  <?php
  echo "<input name=\"password\" type=\"password\" id=\"password\" value=\"$password\" />\n";
  ?>
  <!--Confirm Password :
  //<input name="password" type="text" id="password" />-->
</p>
<p>Email Address :
  <?php
      echo "<input name=\"email\" type=\"text\" id=\"email\" value=\"$email\" />\n";
  ?>
</p>
<p>Area :
  <?php
      echo "<input name=\"area\" type=\"text\" id=\"area\" value=\"$area\" />\n";
  ?>
</p>
<p>Phone Number :
<?php
echo "<input name=\"phone\" type=\"text\" id=\"phone\" value=\"$phone\" />\n";
?> </p>
<p>Age :
<?php
echo "<input name=\"age\" type=\"text\" id=\"age\" value=\"$age\" />\n";
?>
</p>
<p>Personal Message :
  <?php
  echo "<textarea name=\"message\" id=\"message\">$message</textarea>\n";

?>
</p>
<p>
  <label>
  <input type="submit" name="Submit" value="Go!" />
  </label>
</p>

</form>
<p>&nbsp; </p>
</body>
</html>
[/code]

[btherl]

Just check

[code=php:0]if (empty($_POST['password'])) {
  # Don't update password
} else {
  # Update password
}[/code]


Since no-one can set an empty password, this will work fine.  In your situation, you might need to make 2 versions of the query, one which updates the password and another which doesn't.  Or, you can make the optional password update occur in a seperate query.