Can you please tell me what Im doing wrong?

[forumnz]

This is a snippet of my code. Its used to stop the password field being re-written to the database if the user doesnt want to change it. If i dont have this code then a users password becomes blank on the database and they can no longer log in.

Heres the code:

[code]  if (empty($_POST['password'])) {
  $password = false;
} else {
  $password = base64_encode($_POST['password']);
}[/code]

[Jessica]

You're setting the password to false. Instead of that, if they didn't enter a new password make the query string reflect that, don't set the variable to false. That is why it is blank.

if (empty($_POST['password'])) {
  //Do nothing
} else {
  $password = base64_encode($_POST['password']);
  // SQL to update here.
}

[forumnz]

This is annoying. I tried that but I still cant get it to work:  Heres an example of what happens:

a)User see site and registers
b)User goes to members area and then to edit profile page
c)User wants to change email address but not password
d)User changes email and password field is left blank
e)All fields are updated including password
f)Users password becomes " "

Thats the problem. I cant do an 'auto-fill' for the password because it displays and encrypted one and once its updated the encrypted password becomes encrypted :-\

[Jessica]

In your SQL , do NOT include ANYTHING about the password UNLESS they have entered a password.

if (empty($_POST['password'])) {
  $sql = "UPDATE users SET username = $username"; //EVERYTHING BUT PASSWORD
} else {
  $password = base64_encode($_POST['password']);
  $sql = "UPDATE users SET username = $username, password = $password"; //EVERYTHING INCLUDING PASSWORD
}

The above SQL is NOT complete - don't just copy and paste it. Adapt it to your tables.

[forumnz]

Im really struggling here - I tried that but with no luck.

Maybe you could see my code?

[code]<?php
  session_start();
 
  $con = mysql_connect("localhost","$$$","$$$");
  if (!$con)
  {
    die('Could not connect: ' . mysql_error());
  }

  mysql_select_db("my_db", $con);

if( isset($_POST['Submit']) ) 
{ 
  //Store/validate/escape
  $password = base64_encode($_POST['password']);
  $email = $_POST['email']; 
  $area = $_POST['area']; 
  $phone = $_POST['phone']; 
  $age = $_POST['age']; 
  $message = $_POST['message'];
 
  unset($_POST);
  $id = $_SESSION['userid'];
if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = $password, email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($query);
  //Reset
 
 
 
  //$query = "UPDATE members SET password='$password', email='$email', area='$area', phone='$phone', age='$age', message='$message' WHERE id='$id'";
 
 
  //echo "$query\n\n";
  if( mysql_errno() )
  {
    echo "\n\nERROR: " . mysql_error();
  }

}


  $valid = false;
  if( isset($_SESSION['userid']) )
  {
    //do whatever appropriate validation is necessary on id
    //if we encounter errors abort?
    $id = $_SESSION['userid'];

    //No errors... proceed

    //connect to database

    $query = "SELECT password, email, area, phone, age, message FROM members WHERE id = '$id'";

//echo "$query\n\n";
    $result = mysql_query($query);
if( mysql_errno() )
    {
      echo "\n\nERROR: " . mysql_error();
    }
    $row = mysql_fetch_row($result);

    $password = "";  //echo "PASSWORD: $password\n";
$email = "";  //echo "EMAIL: $email\n";
$area = "";    //echo "AREA: $area\n";
$phone = "";  //echo "PHONE: $phone\n";
$age = "";    //echo "AGE: $age\n";
$message = ""; //echo "MESSAGE: $message\n";

    if( $row )
    {
      $valid = true;
  //$password = $row[0];
      $email = $row[1];
  $area = $row[2];
  $phone = $row[3];
  $age = $row[4];
  $message = $row[5];
    }
    else
    {
      //Invalid username... handle error appropriately
      $valid = false;
    }

    //disconnect from database
  }
  else
  {
    //ERROR - Not logged in....
    //Redirect to login page?
    $valid = false;
  }

  if( !$valid )
  {
      //Errors, redirect....
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Page to test</title>
</head>

<body>
<p>Edit Profile</p>
<form id="form1" name="form1" method="post" action="edit.php">
<p>Password :
  <?php
  echo "<input name=\"password\" type=\"password\" id=\"password\" value=\"$password\" />\n";
  ?>
  <!--Confirm Password :
  //<input name="password" type="text" id="password" />-->
</p>
<p>Email Address :
  <?php
      echo "<input name=\"email\" type=\"text\" id=\"email\" value=\"$email\" />\n";
  ?>
</p>
<p>Area :
  <?php
      echo "<input name=\"area\" type=\"text\" id=\"area\" value=\"$area\" />\n";
  ?>
</p>
<p>Phone Number :
<?php
echo "<input name=\"phone\" type=\"text\" id=\"phone\" value=\"$phone\" />\n";
?> </p>
<p>Age :
<?php
echo "<input name=\"age\" type=\"text\" id=\"age\" value=\"$age\" />\n";
?>
</p>
<p>Personal Message :
  <?php
  echo "<textarea name=\"message\" id=\"message\">$message</textarea>\n";

?>
</p>
<p>
  <label>
  <input type="submit" name="Submit" value="Go!" />
  </label>
</p>

</form>
<p>&nbsp; </p>
</body>
</html>
[/code]

[forumnz]

please?

[marcus]

You need to add in your sql queries

[code]
WHERE username ='$username'
[/code]

You're just updating nothing

[ShogunWarrior]

For one thing you're unsetting $_POST and then checking if $_POST['password'] is empty. But you've just deleted it.

[marcus]

What your saying Shogun doesn't mean anything. You aren't deleting anything the person is only updating their username back to their actual username. It would only get deleted if the person had update password to pass where username is username.

[forumnz]

Can anyone say it in simpler terms?

[marcus]

Before you end your sql queries add WHERE username ='$whateveryourusernamevariableis'

[Jessica]

[code]if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = $password, email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($query);

[/code]You don't see a problem here? Your variable which contains the SQL is called $sql. Yet you're calling mysql_query with $query.

You also need to add a WHERE or you'll update EVERYTHING, not nothing as was suggested above.
You ALSO need to add some mysql error checking, and quote your strings which I forgot. Go read some more tutorials on mysql ;)
[code]
if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = '$email', area = '$area', phone = '$phone', age = '$age', message = '$message'"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = '$password', area = '$area', phone = '$phone', age = '$age', message = '$message'"; $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($sql);[/code]


Also what Shogun said was right. you have:
[code]unset($_POST);
$id = $_SESSION['userid'];
if (empty($_POST['password'])) {
}[/code]
See a problem there?