Jump to content

Recommended Posts

This is a snippet of my code. Its used to stop the password field being re-written to the database if the user doesnt want to change it. If i dont have this code then a users password becomes blank on the database and they can no longer log in.

Heres the code:

[code]  if (empty($_POST['password'])) {
  $password = false;
} else {
  $password = base64_encode($_POST['password']);
}[/code]
You're setting the password to false. Instead of that, if they didn't enter a new password make the query string reflect that, don't set the variable to false. That is why it is blank.

if (empty($_POST['password'])) {
  //Do nothing
} else {
  $password = base64_encode($_POST['password']);
  // SQL to update here.
}
This is annoying. I tried that but I still cant get it to work:  Heres an example of what happens:

a)User see site and registers
b)User goes to members area and then to edit profile page
c)User wants to change email address but not password
d)User changes email and password field is left blank
e)All fields are updated including password
f)Users password becomes " "

Thats the problem. I cant do an 'auto-fill' for the password because it displays and encrypted one and once its updated the encrypted password becomes encrypted :-\
In your SQL , do NOT include ANYTHING about the password UNLESS they have entered a password.

if (empty($_POST['password'])) {
  $sql = "UPDATE users SET username = $username"; //EVERYTHING BUT PASSWORD
} else {
  $password = base64_encode($_POST['password']);
  $sql = "UPDATE users SET username = $username, password = $password"; //EVERYTHING INCLUDING PASSWORD
}

The above SQL is NOT complete - don't just copy and paste it. Adapt it to your tables.
Im really struggling here - I tried that but with no luck.

Maybe you could see my code?

[code]<?php
  session_start();
 
  $con = mysql_connect("localhost","$$$","$$$");
  if (!$con)
  {
    die('Could not connect: ' . mysql_error());
  }

  mysql_select_db("my_db", $con);

if( isset($_POST['Submit']) ) 

  //Store/validate/escape
  $password = base64_encode($_POST['password']);
  $email = $_POST['email']; 
  $area = $_POST['area']; 
  $phone = $_POST['phone']; 
  $age = $_POST['age']; 
  $message = $_POST['message'];
 
  unset($_POST);
  $id = $_SESSION['userid'];
if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = $password, email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($query);
  //Reset
 
 
 
  //$query = "UPDATE members SET password='$password', email='$email', area='$area', phone='$phone', age='$age', message='$message' WHERE id='$id'";
 
 
  //echo "$query\n\n";
  if( mysql_errno() )
  {
    echo "\n\nERROR: " . mysql_error();
  }

}


  $valid = false;
  if( isset($_SESSION['userid']) )
  {
    //do whatever appropriate validation is necessary on id
    //if we encounter errors abort?
    $id = $_SESSION['userid'];

    //No errors... proceed

    //connect to database

    $query = "SELECT password, email, area, phone, age, message FROM members WHERE id = '$id'";

//echo "$query\n\n";
    $result = mysql_query($query);
if( mysql_errno() )
    {
      echo "\n\nERROR: " . mysql_error();
    }
    $row = mysql_fetch_row($result);

    $password = "";  //echo "PASSWORD: $password\n";
$email = "";  //echo "EMAIL: $email\n";
$area = "";    //echo "AREA: $area\n";
$phone = "";  //echo "PHONE: $phone\n";
$age = "";    //echo "AGE: $age\n";
$message = ""; //echo "MESSAGE: $message\n";

    if( $row )
    {
      $valid = true;
  //$password = $row[0];
      $email = $row[1];
  $area = $row[2];
  $phone = $row[3];
  $age = $row[4];
  $message = $row[5];
    }
    else
    {
      //Invalid username... handle error appropriately
      $valid = false;
    }

    //disconnect from database
  }
  else
  {
    //ERROR - Not logged in....
    //Redirect to login page?
    $valid = false;
  }

  if( !$valid )
  {
      //Errors, redirect....
  }
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Page to test</title>
</head>

<body>
<p>Edit Profile</p>
<form id="form1" name="form1" method="post" action="edit.php">
<p>Password :
  <?php
  echo "<input name=\"password\" type=\"password\" id=\"password\" value=\"$password\" />\n";
  ?>
  <!--Confirm Password :
  //<input name="password" type="text" id="password" />-->
</p>
<p>Email Address :
  <?php
      echo "<input name=\"email\" type=\"text\" id=\"email\" value=\"$email\" />\n";
  ?>
</p>
<p>Area :
  <?php
      echo "<input name=\"area\" type=\"text\" id=\"area\" value=\"$area\" />\n";
  ?>
</p>
<p>Phone Number :
<?php
echo "<input name=\"phone\" type=\"text\" id=\"phone\" value=\"$phone\" />\n";
?> </p>
<p>Age :
<?php
echo "<input name=\"age\" type=\"text\" id=\"age\" value=\"$age\" />\n";
?>
</p>
<p>Personal Message :
  <?php
  echo "<textarea name=\"message\" id=\"message\">$message</textarea>\n";

?>
</p>
<p>
  <label>
  <input type="submit" name="Submit" value="Go!" />
  </label>
</p>

</form>
<p>&nbsp; </p>
</body>
</html>
[/code]
What your saying Shogun doesn't mean anything. You aren't deleting anything the person is only updating their username back to their actual username. It would only get deleted if the person had update password to pass where username is username.
[code]if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = $password, email = $email, area = $area, phone = $phone, age = $age, message = $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($query);

[/code]You don't see a problem here? Your variable which contains the SQL is called $sql. Yet you're calling mysql_query with $query.

You also need to add a WHERE or you'll update EVERYTHING, not nothing as was suggested above.
You ALSO need to add some mysql error checking, and quote your strings which I forgot. Go read some more tutorials on mysql ;)
[code]
if (empty($_POST['password'])) {
  $sql = "UPDATE users SET email = '$email', area = '$area', phone = '$phone', age = '$age', message = '$message'"; //EVERYTHING BUT PASSWORD
} else {
  $sql = "UPDATE users SET password = '$password', area = '$area', phone = '$phone', age = '$age', message = '$message'"; $message"; //EVERYTHING INCLUDING PASSWORD
}
  mysql_query($sql);[/code]


Also what Shogun said was right. you have:
[code]unset($_POST);
$id = $_SESSION['userid'];
if (empty($_POST['password'])) {
}[/code]
See a problem there?
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.