Unable to update password field in my db

tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Unable to update password field in my db

Post by tsalaki »

Hello to everybody,

I have this problem. I have attached my code in order to see what I am doing wrong.

Code: Select all

if(isset($_REQUEST['submit'])) {
		$hospital = $_REQUEST['hospital'];
		$name=$_POST[name];
		$surname=$_POST[surname];
		$address=$_POST[address];
		$phone=$_POST[phone];
		$username=$_POST[username];
		$new_password=$_POST[new_password];
			if ($new_password=' ')
			{
				$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', hospital_id='$hospital' WHERE username='$username'");
				echo "Database updated successfully!";
			}
			else if ($new_password!=' ')
			{
				$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username',  password='sha1($new_password)', hospital_id='$hospital' WHERE username='$username'");
				echo "Database updated successfully!";
			}
			else 
			{
				echo "Unable to update the database!";		
			}
}
What I want to do is to check if the new password field is filled by the user. If it is filled then I have to also update the password field. All the other fields are being updated without any problem. The problem is that I can't update the password field. The new_password variable has the right value (the value I typed in the new password field) but it seemed that it can't be updated with the sha1 encryption! :( :?
Do you have any ideas why this is happening? Have I done something wrong?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Unable to update password field in my db

Post by Benjamin »

What error are you receiving?

How do you plan on ensuring those variables are safe to place in queries?
tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Re: Unable to update password field in my db

Post by tsalaki »

I don't receive any error. It doesn't update this specific field.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Unable to update password field in my db

Post by Benjamin »

The PHP manual will tell you how to retrieve the error message for a failed database query.

How do you plan on ensuring the variables are safe to put in a database query?
cyberfox
Forum Newbie
Posts: 1
Joined: Thu Mar 24, 2011 7:09 pm

Re: Unable to update password field in my db

Post by cyberfox »

First of all you should quote your array keys. Then take a look at http://en.wikipedia.org/wiki/SQL_injection. If there's no message, submit field/button is empty. If not, try mysql_query('...') OR die(mysql_error());
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Unable to update password field in my db

Post by califdon »

And after you have taken care of the issues raised by the other contributors, take a look at this fragment of your SQL statement:

Code: Select all

password='sha1($new_password)'
The single quotes tell PHP that the literal string that you have between the single quotes is exactly what you want to have saved as the value for the password field in the table. I don't think you want to save the literal string: sha1($new_password).
tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Re: Unable to update password field in my db

Post by tsalaki »

Hi to everybody,

Thanks a lot for your help. I made a function in order to prevent SQL injection and I found out what the problem was. The problem was that I had put a single = in my if statement instead of == and it never executed the else if! After changing the = everything works fine!


Thanks again a lot for your help!
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Unable to update password field in my db

Post by Benjamin »

Post your new code and we'll tweak it some more :)
tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Re: Unable to update password field in my db

Post by tsalaki »

Here is my code:

Code: Select all

	//Function to sanitize values received from the form. Prevents SQL injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}


	if(isset($_REQUEST['submit'])) {
		$hospital = clean($_REQUEST['hospital']);
		$address=clean($_POST[address]);
		$phone=clean($_POST[phone]);
		$username=clean($_POST[username]);
		$new_password=clean($_POST[new_password]);
			if ($new_password=='')
			{
				$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', hospital_id='$hospital' WHERE username='$username'");
				echo "Database update successfully!";
			}
			else if ($new_password!='')
			{
				$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username',  password='sha1($new_password)', kwd_nos_erg='$hospital' WHERE username='$username'");
				echo "Database update successfully!";
			}
			else 
			{
				echo "Unable to update the database!";		
			}
	}
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Unable to update password field in my db

Post by Benjamin »

That's better.

Don't forget to add single quotes around all of your array index keys:

Code: Select all

$address=clean($_POST[address]);
Should be:

Code: Select all

$address=clean($_POST['address']);
tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Re: Unable to update password field in my db

Post by tsalaki »

You are right, I have forgotten that part. Thanks a lot for your help!
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Unable to update password field in my db

Post by califdon »

Code: Select all

$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username',  password='sha1($new_password)', kwd_nos_erg='$hospital' WHERE username='$username'");
still won't execute the sha1() function. PHP will interpret simple variables within a double-quoted string, but not functions (or arrays). You must do the sha1() outside the string, like this:

Code: Select all

$pwdhash = sha1($new_password);
$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username',  password='$pwdhash', kwd_nos_erg='$hospital' WHERE username='$username'");
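
The points raised in this thread (quoted array keys, hashing outside the SQL string, keeping form input out of the query text), combined in an added example that is not code from any poster. Assumptions: PDO with an in-memory SQLite table stands in for the MySQL `users` table, `update_profile()` is a hypothetical helper, and prepared statements and `password_hash()` are swapped in for `mysql_real_escape_string()` and `sha1()`.

```php
<?php
// Added example, not code from the thread. update_profile() is hypothetical;
// the SQLite table below is a constructed stand-in for the MySQL `users` table.

function update_profile(PDO $db, array $form): int
{
    // Columns that are always updated; values travel as bound parameters,
    // so they are never parsed as part of the SQL text.
    $set    = ['address = :address', 'phone = :phone', 'hospital_id = :hospital'];
    $params = [
        ':address'  => trim($form['address'] ?? ''),
        ':phone'    => trim($form['phone'] ?? ''),
        ':hospital' => (int) ($form['hospital'] ?? 0),
        ':username' => $form['username'] ?? '',
    ];

    // Touch the password column only when a new password was actually typed.
    // The hash is computed in PHP, outside the SQL string.
    $newPassword = $form['new_password'] ?? '';
    if ($newPassword !== '') {
        $set[] = 'password = :password';
        $params[':password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    $sql  = 'UPDATE users SET ' . implode(', ', $set) . ' WHERE username = :username';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();   // affected rows, so a silent no-op is visible
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, address TEXT,
           phone TEXT, password TEXT, hospital_id INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 'old', '000', 'x', 1),
                                    ('bob',   'old', '000', 'x', 1)");

// An address containing an apostrophe is stored as data, unchanged.
$rows = update_profile($db, [
    'username' => 'alice', 'address' => "12 O'Connell St", 'phone' => '555-0100',
    'hospital' => '2', 'new_password' => 'correct horse',
]);

$alice = $db->query("SELECT * FROM users WHERE username = 'alice'")->fetch(PDO::FETCH_ASSOC);
$bob   = $db->query("SELECT * FROM users WHERE username = 'bob'")->fetch(PDO::FETCH_ASSOC);
var_dump($rows === 1);                                           // one row updated
var_dump($alice['address'] === "12 O'Connell St");               // quote kept as data
var_dump(password_verify('correct horse', $alice['password'])); // hash checks out
var_dump($bob['address'] === 'old');                             // other rows untouched
```

At login, the stored value is checked with `password_verify()` rather than by re-hashing and comparing strings.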
tsalaki
Forum Newbie
Posts: 19
Joined: Sun Jan 23, 2011 11:54 am

Re: Unable to update password field in my db

Post by tsalaki »

It doesn't seem to have any problem in my database. It stores the password as I want but I will make the changes you told me because I am not so experienced in PHP.

I really appreciate your help!