Re: UPDATE WHERE???

Posted: Sun Apr 11, 2010 10:17 am
by Mister_Bob
Basically this is an update-details form, so if they do not put in new details I wish the original details they gave to stay in place.

Thanks

Bob

Re: UPDATE WHERE???

Posted: Sun Apr 11, 2010 12:07 pm
by cpetercarter
You need to test values such as $email, $password to see whether they contain data. A way to do this is, first, to remove any leading or trailing blank spaces with trim(); then to test whether what is left has a value, using empty().

$email = trim($email);
if (empty($email)) {
    // do something
}

Note that empty(trim($email)) won't work, as empty() tests only variables.
Then you have a choice. You can either construct your SQL UPDATE statement so that it contains only the values that you want to update (i.e. so that it omits any empty values); or you can read the relevant database row with a SELECT query, and replace any blank values in your user inputs with the existing values, before doing your UPDATE.
I had better say this now, because other forum members most certainly will. Once you have a basic working model, you need to think hard about data validation. Your script will need to reject user inputs that are either inappropriate or insecure. You might, to choose a simple example, want to reject any $email input which does not contain '@'. (There are more complex tests for email addresses which a Google search will find for you.) As regards security, you need to be aware that a user might try to poison or even completely delete your database with an SQL injection attack, or might try to place some malicious HTML/JavaScript in your database. As a minimum, you should strip all HTML tags from user inputs (strip_tags()) and escape all user input with mysql_real_escape_string() when (or immediately before) you place it in an SQL query.
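
The following is an added example, not code from either poster: it carries out the steps described in the reply above (trim, test for emptiness, check the e-mail, strip HTML) and then builds an UPDATE that names only the columns the user actually filled in. Instead of escaping values into the SQL text it binds them as prepared-statement parameters, and it uses password_hash() where the thread uses md5(); both are substitutions. Table and column names (Users, Email, PaypalEmail, Password, `username`) and the session key SESS_Username follow the OP's query; $pdo is an assumed PDO handle with PDO::ERRMODE_EXCEPTION set.

```php
<?php
// Added example (not from the thread). Table/column names follow the OP's
// query; $pdo is an assumed PDO handle with PDO::ERRMODE_EXCEPTION set.
// password_hash() stands in for the md5() used in the thread.

/** Trim each allowed field and keep only those that still contain data. */
function nonEmptyFields(array $post, array $allowed): array
{
    $kept = [];
    foreach ($allowed as $name) {
        $value = trim((string) ($post[$name] ?? ''));
        if ($name !== 'password' && $name !== 'cpassword') {
            $value = strip_tags($value);   // never rewrite a password, only the display fields
        }
        // Plain string comparison rather than empty(), which would also throw away "0".
        if ($value !== '') {
            $kept[$name] = $value;
        }
    }
    return $kept;
}

/** Return a list of error messages; an empty list means the input is acceptable. */
function validateFields(array $fields): array
{
    $errors = [];
    foreach (['email', 'pemail'] as $name) {
        if (isset($fields[$name]) && filter_var($fields[$name], FILTER_VALIDATE_EMAIL) === false) {
            $errors[] = "$name is not a valid e-mail address";
        }
    }
    if (isset($fields['email']) && ($fields['cemail'] ?? null) !== $fields['email']) {
        $errors[] = 'Emails do not match';
    }
    if (isset($fields['password']) && ($fields['cpassword'] ?? null) !== $fields['password']) {
        $errors[] = 'Passwords do not match';
    }
    return $errors;
}

/**
 * Build [sql, params] for an UPDATE that sets only the supplied columns, or
 * return null when nothing was supplied. Column names come from the fixed map
 * below, so no user input ever reaches the SQL text itself.
 */
function buildUpdate(array $fields, string $username): ?array
{
    $columns = ['email' => 'Email', 'pemail' => 'PaypalEmail', 'password' => 'Password'];
    $set = [];
    $params = [];
    foreach ($columns as $name => $column) {
        if (!isset($fields[$name])) {
            continue;                       // blank field: leave the stored value alone
        }
        $value = $name === 'password'
            ? password_hash($fields[$name], PASSWORD_DEFAULT)
            : $fields[$name];
        $set[] = "`$column` = :$name";
        $params[":$name"] = $value;
    }
    if ($set === []) {
        return null;
    }
    $params[':username'] = $username;
    return ['UPDATE Users SET ' . implode(', ', $set) . ' WHERE `username` = :username', $params];
}

// Usage in the update script, after session_start() and the PDO connection:
$fields = nonEmptyFields($_POST, ['email', 'cemail', 'pemail', 'password', 'cpassword']);
$errors = validateFields($fields);
if ($errors !== []) {
    $_SESSION['ERRMSG_ARR'] = $errors;
    header('Location: edit-details.php');
    exit();
}
$update = buildUpdate($fields, $_SESSION['SESS_Username']);
if ($update !== null) {
    [$sql, $params] = $update;
    $pdo->prepare($sql)->execute($params);
}
header('Location: edit-details.php');
exit();
```

Because the column list is a fixed map and every value is a bound parameter, a blank field simply drops out of the SET clause and no user-controlled string is ever concatenated into the query.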

Re: UPDATE WHERE???

Posted: Sun Apr 11, 2010 12:34 pm
by Mister_Bob
Thank you for your advice on validation and security. These will be put in place and there will be a lot of security on the site.

My current page is as follows:

<?php

	session_start();

	require_once('dbconfig.php');

	$errmsg_arr = array();

	$errflag = false;

	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if(!$link) {
		die('Failed to connect to server: ' . mysql_error());
	}

	$db = mysql_select_db(DB_DATABASE);
	if(!$db) {
		die("Unable to select database");
	}

	function clean($str) {
		$str = str_replace(" ", "", $str);
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}

	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);
	$email= clean($_POST['email']);
	$cemail = clean($_POST['cemail']);
	$pemail = clean($_POST['pemail']);

	if( strcmp($password, $cpassword) != 0 ) {
		$errmsg_arr[] = 'Passwords do not match';
		$errflag = true;
	}
	if( strcmp($email, $cemail) != 0 ) {
		$errmsg_arr[] = 'Emails do not match';
		$errflag = true;
	}

	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: edit-details.php");
		exit();
	}

	// Hash in PHP so the raw password never enters the query string
	// (the hex digest is safe to embed).
	$qry =  '
        UPDATE
                Users
        SET
                PaypalEmail="'.mysql_real_escape_string($pemail).'",
                Email="'.mysql_real_escape_string($email).'",
                Password="'.md5($_POST['password']).'"
        WHERE
                `username` = "'.$_SESSION['SESS_Username'].'"';
	$result = @mysql_query($qry);

	if($result) {
		header("location: edit-details.php");
		exit();
	}else {
		die($qry.'<br>'.mysql_error());
	}
?>
Would my best option be to either:
1. Have the current values put into the form to begin with and then have everything resubmitted to the form, including anything they change
2. Have the code stated above and send each piece of information separately, i.e. if email is empty send session data where email is already stored, else send posted data from the form, and so on for password etc.?

Thank you all for your help and advice.

Bob

Re: UPDATE WHERE???

Posted: Sun Apr 11, 2010 5:47 pm
by cpetercarter
Placing the current values in the form would be a good idea, since it would remind the user what the existing values are. (You cannot populate the "password" field from the database, however, since the database contains the md5 encoding of the password, not the password itself). However, a user could replace one of the current values with a blank space, and so submit an empty field. My inclination would be to replace any empty submitted data with the existing value.

Your code includes a function clean() which you then use to "clean" submitted data. The function runs the data through mysql_real_escape_string(), so there is no need to do so again in constructing the SQL query.
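
As an added example (not code from either poster), this is the second approach from the reply above: read the user's current row, keep the stored value wherever the form came back blank, and run one UPDATE. Values are bound as prepared-statement parameters, so the double-escaping problem just described cannot arise: nothing is escaped and nothing is interpolated into the SQL text. Column names and the SESS_Username session key follow the OP's query; $pdo is an assumed PDO handle with PDO::ERRMODE_EXCEPTION set, the submitted values are assumed to have been trimmed and validated already, and password_hash() stands in for the thread's md5().

```php
<?php
// Added example (not from the thread). Column names follow the OP's query;
// $pdo is an assumed PDO handle (PDO::ERRMODE_EXCEPTION); $submitted holds the
// already trimmed and validated form values under the keys email, pemail and
// password. password_hash() stands in for md5().

/**
 * Merge the submitted values with the stored row. Returns the column values to
 * write, or null when no row exists for $username.
 */
function mergeWithExisting(PDO $pdo, string $username, array $submitted): ?array
{
    $stmt = $pdo->prepare('SELECT Email, PaypalEmail FROM Users WHERE `username` = :username');
    $stmt->execute([':username' => $username]);
    $current = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($current === false) {
        return null;
    }

    // A blank submission (including a lone space, trimmed to '') keeps the stored value.
    $merged = [
        'Email'       => ($submitted['email'] ?? '') !== '' ? $submitted['email'] : $current['Email'],
        'PaypalEmail' => ($submitted['pemail'] ?? '') !== '' ? $submitted['pemail'] : $current['PaypalEmail'],
    ];
    // The stored password is only a hash, so it cannot be read back or shown in
    // the form; it is written only when the user typed a new one.
    if (($submitted['password'] ?? '') !== '') {
        $merged['Password'] = password_hash($submitted['password'], PASSWORD_DEFAULT);
    }
    return $merged;
}

/** Write the merged values; returns the number of rows MySQL reports as changed. */
function applyUpdate(PDO $pdo, string $username, array $merged): int
{
    $params = [
        ':email'    => $merged['Email'],
        ':pemail'   => $merged['PaypalEmail'],
        ':username' => $username,
    ];
    $sql = 'UPDATE Users SET Email = :email, PaypalEmail = :pemail';
    if (isset($merged['Password'])) {
        $sql .= ', Password = :password';
        $params[':password'] = $merged['Password'];
    }
    $sql .= ' WHERE `username` = :username';

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Usage, after session_start() and the PDO connection:
$merged = mergeWithExisting($pdo, $_SESSION['SESS_Username'], [
    'email'    => trim($_POST['email'] ?? ''),
    'pemail'   => trim($_POST['pemail'] ?? ''),
    'password' => trim($_POST['password'] ?? ''),
]);
if ($merged !== null) {
    applyUpdate($pdo, $_SESSION['SESS_Username'], $merged);
}
```

The SELECT costs one extra round trip per update, but it lets the form stay simple: every field can be submitted every time, and a blank one never overwrites what is stored.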

Re: UPDATE WHERE???

Posted: Sun Apr 11, 2010 7:04 pm
by Mister_Bob
Thank you all for your help :D

Bob