Unable to update password field in my db
Posted: Sat Jul 30, 2011 1:27 pm
by tsalaki
Hello to everybody,
I have this problem. I have attached my code in order to see what I am doing wrong.
Code:
if(isset($_REQUEST['submit'])) {
    $hospital = $_REQUEST['hospital'];
    $name=$_POST[name];
    $surname=$_POST[surname];
    $address=$_POST[address];
    $phone=$_POST[phone];
    $username=$_POST[username];
    $new_password=$_POST[new_password];
    if ($new_password=' ')
    {
        $result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', hospital_id='$hospital' WHERE username='$username'");
        echo "Database updated successfully!";
    }
    else if ($new_password!=' ')
    {
        $result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', password='sha1($new_password)', hospital_id='$hospital' WHERE username='$username'");
        echo "Database updated successfully!";
    }
    else
    {
        echo "Unable to update the database!";
    }
}
What I want to do is to check if the new password field is filled by the user. If it is filled then I have to also update the password field. All the other fields are being updated without any problem. The problem is that I can't update the password field. The new_password variable has the right value (the value I typed in the new password field) but it seemed that it can't be updated with the sha1 encryption!
Do you have any ideas why this is happening? Have I done something wrong?
Re: Unable to update password field in my db
Posted: Sat Jul 30, 2011 1:32 pm
by Benjamin
What error are you receiving?
How do you plan on ensuring those variables are safe to place in queries?
Re: Unable to update password field in my db
Posted: Sat Jul 30, 2011 1:36 pm
by tsalaki
I don't receive any error. It doesn't update this specific field.
Re: Unable to update password field in my db
Posted: Sat Jul 30, 2011 2:32 pm
by Benjamin
The PHP manual will tell you how to retrieve the error message for a failed database query.
How do you plan on ensuring the variables are safe to put in a database query?
Re: Unable to update password field in my db
Posted: Sat Jul 30, 2011 5:16 pm
by cyberfox
First of all you should quote your array keys. Then take a look at http://en.wikipedia.org/wiki/SQL_injection. If there's no message, submit field/button is empty. If not, try mysql_query('...') OR die(mysql_error());
Re: Unable to update password field in my db
Posted: Sat Jul 30, 2011 8:08 pm
by califdon
And after you have taken care of the issues raised by the other contributors, take a look at this fragment of your SQL statement:
The single quotes tell PHP that the literal string that you have between the single quotes is exactly what you want to have saved as the value for the password field in the table. I don't think you want to save the literal string: sha1($new_password).
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 12:30 pm
by tsalaki
Hi to everybody,
Thanks a lot for your help. I made a function in order to prevent SQL injection and I found out what the problem was. The problem was that I had put a single = in my if statement instead of == and it never executed the else if! After changing the = everything works fine!
Thanks again a lot for your help!
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 12:36 pm
by Benjamin
Post your new code and we'll tweak it some more

Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 12:47 pm
by tsalaki
Here is my code:
Code:
//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
    $str = @trim($str);
    if(get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);
}
if(isset($_REQUEST['submit'])) {
    $hospital = clean($_REQUEST['hospital']);
    $address=clean($_POST[address]);
    $phone=clean($_POST[phone]);
    $username=clean($_POST[username]);
    $new_password=clean($_POST[new_password]);
    if ($new_password=='')
    {
        $result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', hospital_id='$hospital' WHERE username='$username'");
        echo "Database update successfully!";
    }
    else if ($new_password!='')
    {
        $result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', password='sha1($new_password)', kwd_nos_erg='$hospital' WHERE username='$username'");
        echo "Database update successfully!";
    }
    else
    {
        echo "Unable tot update the database!";
    }
}
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 1:06 pm
by Benjamin
That's better.
Don't forget to add single quotes around all of your array index keys:
Should be:
Code:
$address=clean($_POST['address']);
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 1:07 pm
by tsalaki
You are right, I have forgotten that part. Thanks a lot for your help!
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 1:15 pm
by califdon
Code:
$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', password='sha1($new_password)', kwd_nos_erg='$hospital' WHERE username='$username'");
still won't execute the sha1() function. PHP will interpret simple variables within a double-quoted string, but not functions (or arrays). You must do the sha1() outside the string, like this:
Code:
$pwdhash = sha1($new_password);
$result = mysql_query("UPDATE users SET address='$address', phone='$phone', username='$username', password='$pwdhash', kwd_nos_erg='$hospital' WHERE username='$username'");
Re: Unable to update password field in my db
Posted: Sun Jul 31, 2011 1:23 pm
by tsalaki
It doesn't seem to have any problem in my database. It stores the password as I want but I will make the changes you told me because I am not so experienced in PHP.
I really appreciate your help!
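Added example, not part of any post in this thread: the same conditional UPDATE written with PDO prepared statements and password_hash(), in place of mysql_query() string interpolation and sha1() inside the query string. The in-memory SQLite table, the updateUser() name and the sample values are assumptions constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example: the thread's UPDATE with bound parameters instead of
// interpolated strings. Table layout and sample rows are constructed.
function updateUser(PDO $db, string $username, array $form): bool
{
    $set  = ['address = :address', 'phone = :phone', 'hospital_id = :hospital'];
    $args = [
        ':address'  => trim($form['address'] ?? ''),
        ':phone'    => trim($form['phone'] ?? ''),
        ':hospital' => (int) ($form['hospital'] ?? 0),
        ':username' => $username,
    ];

    // Strict comparison (!==), not assignment (=): only touch the password
    // column when the field was actually filled in.
    $newPassword = $form['new_password'] ?? '';
    if ($newPassword !== '') {
        // Hash in PHP, outside the SQL string, from the raw value (no trim
        // or escaping first). password_hash() salts; it replaces sha1().
        $set[] = 'password = :password';
        $args[':password'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('UPDATE users SET ' . implode(', ', $set) . ' WHERE username = :username');
    $stmt->execute($args);          // throws PDOException on SQL errors
    // Success only if a row was affected. MySQL by default counts only rows
    // whose values actually changed; SQLite counts every matched row.
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, address TEXT, phone TEXT, hospital_id INTEGER, password TEXT)');
$db->exec("INSERT INTO users VALUES ('o''neil', 'old address', '000', 1, 'old-hash')");

$form = ['address' => "5 King's Road", 'phone' => '555-0100', 'hospital' => '2', 'new_password' => ''];
var_dump(updateUser($db, "o'neil", $form));   // password column left alone

$form['new_password'] = 's3cret pass';
var_dump(updateUser($db, "o'neil", $form));   // password column rehashed

$hash = $db->query('SELECT password FROM users')->fetchColumn();
var_dump(password_verify('s3cret pass', $hash));
var_dump(updateUser($db, 'nobody', $form));   // no matching row
```

Logins then compare with password_verify() rather than re-hashing and comparing strings. The password column needs room for the full hash; the PHP manual recommends 255 characters for PASSWORD_DEFAULT.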