Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 5 of 5
  1. #1
    New Coder
    Join Date
    Apr 2014
    Posts
    13
    Thanks
    3
    Thanked 0 Times in 0 Posts

    How to ignore sending just 1 field if blank

    I have tried hunting around and reading up on it but just can't find something that suits what i am after. So i have a page i have made where people can go in and edit their profile settings. Name, email, password etc. The password is stored as a md5 password so i cant get it and pre-fill it in the field so if they dont change it, it stays the same. That obviously wont work.

    So i guess i'll have to leave the form field for password blank, I need a solution so it skips the password field and doesnt post it UNLESS there is something typed in there other wise its going to be posting blank data to the password column and they wont be able to log back in.

    THE PHP/SQL:

    PHP Code:
    <?php 
    if (!empty($_POST['update'])) {
    }else{}{
    $dbhost 'localhost';
    $dbuser '******';
    $dbpass '******';
    $conn mysql_connect($dbhost$dbuser$dbpass);
    if(! 
    $conn )
      die(
    'Could not connect: ' mysql_error());
    }

    if (!empty(
    $_POST['update'])) {
    $User1 $_POST['Username'];
    $First $_POST['First_Name'];
    $Last $_POST['Last_Name'];
    $Addy $_POST['EmailAddress'];
    $Passy md5($_POST['Password']);
    $sql "UPDATE users SET Username = '$User1', First_Name = '$First', Last_Name = '$Last', EmailAddress = '$Addy', Password = '$Passy' WHERE UserID = '$UserID1'";    
    $retval mysql_query$sql$conn ); //execute the query
    if(! $retval )
    {
      die(
    'Could not update data: ' mysql_error());
    }
    if (!empty(
    $_POST['update'])) {
    $_SESSION['Username'] = $_POST['Username'];
    $_SESSION['First_Name'] = $_POST['First_Name'];
    $_SESSION['Last_Name'] = $_POST['Last_Name'];
    $_SESSION['EmailAddress'] = $_POST['EmailAddress'];
    echo 
    "<div id='alerthider' style='color:#FFF; font-size:12px; font-weight:bold; background-color:#F00; border-radius:5px; padding:15px;'>Saved Data</div></p>
    <script>
    setTimeout(function() {
        $('#alerthider').fadeOut('fast');
    }, 1000); //
    </script>
    <meta http-equiv='refresh' content='2'>
    "
    ;
    }}

    ?>
    The HTML:

    Code:
        <div class="portlet-header">
                                    <div class="caption">Profile Details</div>
                                    <div class="tools"><i class="fa fa-chevron-up"></i><i data-toggle="modal"
                                                                                          data-target="#modal-config"
                                                                                          class="fa fa-cog"></i><i
                                            class="fa fa-refresh"></i><i class="fa fa-times"></i></div>
                                </div>
                                <div class="portlet-body">
                                    <form name="update" role="form" class="form-horizontal" method="post" action="<?php $_PHP_SELF ?>">
                                  
                                        <div class="row">
                                            <div class="col-md-6">
                                                <div class="form-group"><label class="col-md-3 control-label">Username: </label>
    
                                    <div class="col-md-9"><input name="Username" type="text" id="User1" class="form-control" value="<? echo ($_SESSION['Username']) ?>" readonly="readonly"/></div>
                                                </div>
                                                <div class="form-group"><label class="col-md-3 control-label">First Name: </label>
    
                                                    <div class="col-md-9"><input type="text" name="First_Name" id="First" placeholder="<? echo ($_SESSION['First_Name']) ?>" value="<? echo ($_SESSION['First_Name']) ?>" class="form-control"/></div>
                                                </div>
                                                <div class="form-group"><label class="col-md-3 control-label">Surname: </label>
    
                                                    <div class="col-md-9"><input type="text" placeholder="<? echo ($_SESSION['Last_Name']) ?>" name="Last_Name" id="Last" value="<? echo ($_SESSION['Last_Name']) ?>" class="form-control"/></div>
                                                </div>
                                                <div class="form-group"><label class="col-md-3 control-label">Email Address: </label>
    
                                                    <div class="col-md-9">
        <div class="input-group"><span class="input-group-addon"><i class="fa fa-envelope"></i></span><input type="email" name="EmailAddress" placeholder="<? echo ($_SESSION['EmailAddress']) ?>" id="Addy" value="<? echo ($_SESSION['EmailAddress']) ?>" class="form-control"/>
                                                        </div>
                                                    </div>
                                                </div>
                                                <div class="form-group"><label class="col-md-3 control-label">Password</label>
    
                                                    <div class="col-md-9">
                <div class="input-group"><input type="password" name="Password" id="Passy" value="" placeholder="Enter a new password if you want to change it" class="form-control"/><span class="input-group-addon"><i class="fa fa-user"></i></span>
                                                        </div>
                                                    </div>
                                                </div>
                                                <input type="submit" name="update" id="update" class="btn btn-primary" id="update" value="Update" />
        </form>

  • #2
    Regular Coder
    Join Date
    Sep 2011
    Posts
    410
    Thanks
    18
    Thanked 26 Times in 26 Posts
    Let's start off with what NOT to do.
    First off, don't check if the submit button was passed in order to see whether or not the form was submitted. Internet Explorer has glitches with this apparently so it's not a good idea to use it.
    Secondly, SANITIZE YOUR INPUT!! That form is vulnerable to SQLi like no other.

    Here's what you should do:
    Check for submission by a field name rather the submit button. They are always submitted (unless its a checkbox).
    Wrap the data with mysql_real_escape_string() to help sanitize the data.

    For example:
    PHP Code:
     <?php 
    $dbhost 
    'localhost';
    $dbuser '******';
    $dbpass '******';
    $conn mysql_connect($dbhost$dbuser$dbpass);
    if(!
    $conn)
        die(
    'Could not connect: ' mysql_error());

    if(!empty(
    $_POST['Username']))
    {
        
    #To run a query, consider building an array of arguments and then parsing it into a query string
        
    $data = array();
        
    $update = array();
        
    #Check if there is a value to set
        #If there is, add it to the array where the key is the column and the value is what should be set
        
    if(!empty($_POST['Username']) || $_POST['Username'] == $_SESSION['Username']) $data['Username'] = $_POST['Username'];
        if(!empty(
    $_POST['First_Name']) || $_POST['First_Name'] == $_SESSION['First_Name']) $data['First_Name'] = $_POST['First_Name'];
        if(!empty(
    $_POST['Last_Name']) || $_POST['Last_Name'] == $_SESSION['Last_Name']) $data['Last_Name'] = $_POST['Last_Name'];
        if(!empty(
    $_POST['EmailAddress']) || $_POST['EmailAddress'] == $_SESSION['EmailAddress']) $data['EmailAddress'] = $_POST['EmailAddress'];
        if(!empty(
    $_POST['Password'])) $data['Password'] = md5($_POST['Password']); //md5 isn't the best way, consider adding a mix if it with sha1 and even a salt (user or global salt) but it's enough for basic verification
        
    if(empty($data))
        {
            
    /* Do something here for no updates (all fields empty) */
        
    }
        else
        {
            
    #Add the data to an array which we will tie together later
            
    foreach($data as $key => $value)
                
    #Sanitize the input values
                
    $update[] = '`'.$key.'`=\''.mysql_real_escape_string($value).'\'';
            
    #String the update together with commas
            
    $update implode(', '$update);
            
    #Prepare the query
            
    $query "UPDATE users SET ".$update."' WHERE UserID = '".mysql_escape_string($UserID1)."'";    
            
    $retval mysql_query($query$conn); //execute the query
            
    if(mysql_errno())
                die(
    'Could not update data: ' mysql_error());
            
    $_SESSION['Username'] = $_POST['Username'];
            
    $_SESSION['First_Name'] = $_POST['First_Name'];
            
    $_SESSION['Last_Name'] = $_POST['Last_Name'];
            
    $_SESSION['EmailAddress'] = $_POST['EmailAddress'];
            echo 
    "<div id='alerthider' style='color:#FFF; font-size:12px; font-weight:bold; background-color:#F00; border-radius:5px; padding:15px;'>Saved Data</div></p>
    <script>
    setTimeout(function() {
        $('#alerthider').fadeOut('fast');
    }, 1000); //
    </script>
    <meta http-equiv='refresh' content='2'>
    "
    ;
        }
    }
    ?>
    Edit:
    I'd also recommend to recheck the user's password whenever they are changing it. This way someone can't just go onto someone else's account and change it without knowing the original (if they left it logged in or something).

    Also, if you wanted to you could check the updated data to see if it's changing to both lower query running (usually better when the update is a larger array) and to also throw an exception if nothing is updated.

    If you want the fields to be updated when it's empty, simply remove the empty($_POST[{field_name}]) || part and it will always update. The second part of the if statement will cause it to only update if the data is different.

    Modify this as you please to get the wanted results.
    Last edited by Dubz; 04-26-2014 at 08:09 AM.

  • Users who have thanked Dubz for this post:

    elgoots (04-27-2014)

  • #3
    New Coder
    Join Date
    Apr 2014
    Posts
    13
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Wow, Thank you for that awesome reply Dubz!

    When i submit the form now, i get this: Could not update data: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1'' at line 1

    Would that be due to the email address or do i need to use " instead of ' somewhere?

  • #4
    Regular Coder
    Join Date
    Sep 2011
    Posts
    410
    Thanks
    18
    Thanked 26 Times in 26 Posts
    There's an extra apostrophe in the query after $update, just delete it. Whenever you have an error with your query, print it out before the execution to see what it's sending and then look for the error. Also, errors like this may show if you copy and paste it into phpMyAdmin's query tab because PMA uses syntax highlighting, so you'll be able to see where it messes up (sometimes).

  • Users who have thanked Dubz for this post:

    elgoots (04-27-2014)

  • #5
    New Coder
    Join Date
    Apr 2014
    Posts
    13
    Thanks
    3
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by Dubz View Post
    There's an extra apostrophe in the query after $update, just delete it. Whenever you have an error with your query, print it out before the execution to see what it's sending and then look for the error. Also, errors like this may show if you copy and paste it into phpMyAdmin's query tab because PMA uses syntax highlighting, so you'll be able to see where it messes up (sometimes).
    Thank you Dubz! That worked great. Thank you for the tips on avoiding SQL injection too, im still new at this so forgive me for the bad coding


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •