Page 1 of 2

updating database with password

Posted: Tue Oct 17, 2006 1:28 pm
by franknu
I want the user to update his data which is in a row on table business_info. Once he type in his password and user name which is already store in the database the user should be able to change all the data in his row. The problem is that i have an user and password in the database, it should work, i dont see why it is not working please help.

this is the message i am getting

Incorrect Password or User Name Try again


this is my code

Code: Select all

<?
         
 $host = "localhost";
$username = "localhost";
$password = "abc123";
$database = "contacts";




 
$db = mysql_connect($host, $username, $password); 
mysql_select_db($database); 
$BusinessName = (isset($_POST['BusinessName']) ? $_POST['BusinessName'] : ""); 

 $Slogan = (isset($_POST['Slogan']));
 $Business_Address = (isset($_POST['Business_Address']));
 $Tel = (isset($_POST['Tel']));
 $Website = (isset($_POST['Website']));
 $Email = (isset($_POST['Email']));
 $Member_Status = (isset($_POST['Member_Status']));
 $Fax =(isset($_POST['Fax']));
 $type = (isset($_POST['type']));
 $make = (isset($_POST['make']));
 $Categories = (isset($_POST['Categories']));
 $Keyword = (isset($_POST['Keyword']));
 $Picture1 =  (isset($_POST['Picture1']));
 $Headline =  (isset($_POST['Headline']));
 $Slogan2 = (isset($_POST['Slogan2']));
 $Description1 = (isset($_POST['Description1']));
 $Description2 = (isset($_POST['Description2']));
 $Description3= (isset($_POST['Description3']));
 $Contact2 = (isset($_POST['Contact2']));
 $Picture2 =  (isset($_POST['Picture2']));
 $Picture3 = (isset($_POST['Picture3']));
 $Picture4 =  (isset($_POST['Picture4']));
 $User_Name = (isset($_POST['User_Name']));
 $Password = (isset($_POST['Password']));
 





$checkp = mysql_query("SELECT `Password` FROM `Business_Info` WHERE `User_Name` = '$User_Name'"); 
$Password1 = mysql_fetch_row($checkp);
$Password2 = $Password1['Password'];




if($Password === $Password2) 

{

$query = "UPDATE  Business_Info SET 
`BusinessName`= '$BusinessName',
 `Slogan`='$Slogan', 
 `Business_Address`='$Business_Address', 
 `Tel`='$Tel',
 `Website`='$Website', 
 `Email`='$Email',
 `Member_Status`='$Member_Status', 
`Fax`='$Fax', 
`type`='$type', 
`make`='$make', 
`Categories`='$Categories', 
`Keyword`='$Keyword', 
`Picture1`='$Picture1',
 `Headline`='$Headline', 
 `Slogan2`='$Slogan2', 
 `Description1`='$Description1', 
`Description2`='$Description2', 
`Description3`= '$Description3',
 `Contact2`='$Contact2', 
 `Picture2`='$Picture2',
 `Picture3`='$Picture3',
  `User_Name` ='User_Name',
 `Password`='$Password' WHERE `User_Name`='$User_Name'";

 $result = mysql_query($query) or die (mysql_error());


  } 


    else 

    { 
     
  echo "Incorrect Password or User Name Try again "; 
  exit; 
} 




?>

Posted: Tue Oct 17, 2006 1:36 pm
by RobertGonzalez
First remark of mine is 'Why are you storing passwords in plain text?'. Next thing, this conditional:

Code: Select all

if ($Password === $Password2)
Is evaluating to false. I would maybe check their values to make sure they are matching up. This is why you are getting the notice you are getting.

Posted: Tue Oct 17, 2006 1:42 pm
by franknu
what i am storing is simple data so i dont need any security.

I try using

If (Password=== Password)

i was still getting the same message i have done everything, i could..

i was also noticing do i need to create another HTML form for updates or would this automaticly go to the database itself and update from there

Posted: Tue Oct 17, 2006 1:47 pm
by RobertGonzalez
This:

Code: Select all

$Password = (isset($_POST['Password']));
... is setting $Password to either true or false, as are all the other vars that are being assigned a value of isset($_POST['fieldname']). What you need to do with this is:

Code: Select all

$Password = isset($_POST['Password']) ? $_POST['Pasword'] : '';

Posted: Tue Oct 17, 2006 2:00 pm
by Obadiah
this is the way i did it

Code: Select all

session_start();
  include("functions_main.inc");
  $table_name = "Customer";
  $next_program = "../Log_In/yea/that_place.php";
  
  switch (@$_POST['Button'])
  {
    case "Login":
      $cxn = Connect_to_db("trove.inc");
      $sql = "SELECT user_name FROM $table_name 
              WHERE user_name='$_POST[fusername]'";
      $result = mysqli_query($cxn,$sql)
                  or die("Couldn't execute query 1");
      $num = mysqli_num_rows($result);
      if($num == 1)
      {
         $sql = "SELECT user_name FROM $table_name 
              WHERE user_name='".mysqli_real_escape_string($cxn,$_POST['fusername'])."'
              AND password=md5('$_POST[fpassword]')";
         $result2 = mysqli_query($cxn,$sql)
                   or die("Couldn't execute query 2.");  
         $row = mysqli_fetch_assoc($result2);
         if($row)
         {
           $_SESSION['auth']="yes";
           $_SESSION['logname'] = mysqli_real_escape_string($cxn,$_POST['fusername']);
           header("Location: $next_program?user='.$user_name");
         }
         else
         {
           $message_1="The Login Name, '$_POST[fusername]' 
                   exists, but you have not entered the 
                   correct password! Please try again.<br>";
           extract($_POST);
           
         }
      }
      elseif ($num == 0)  // login name not found
      {
         $message_1 = "The User Name you entered does not 
                       exist! Please try again.<br>";
         
      }
    break;
in the head you can create a function that will open up a connection to the databace like so

Code: Select all

function doDB()
{
	$conn = mysql_connect("localhost","Obi","thepassword") or die(mysql_error());
	mysql_select_db("customerdirectory",$conn) or die(mysql_error());
	return $conn;
}
i just chose to do it as a seperate file....either should work fine though

Posted: Tue Oct 17, 2006 2:14 pm
by franknu
i made changes

Code: Select all

<?
         
 $host = "localhost";
$username = "localhost";
$password = "abc123";
$database = "contacts";




 
$db = mysql_connect($host, $username, $password); 
mysql_select_db($database); 
$BusinessName = (isset($_POST['BusinessName']) ? $_POST['BusinessName'] : ""); 

 $Slogan = (isset($_POST['Slogan']));
 $Business_Address = (isset($_POST['Business_Address']));
 $Tel = (isset($_POST['Tel']));
 $Website = (isset($_POST['Website']));
 $Email = (isset($_POST['Email']));
 $Member_Status = (isset($_POST['Member_Status']));
 $Fax =(isset($_POST['Fax']));
 $type = (isset($_POST['type']));
 $make = (isset($_POST['make']));
 $Categories = (isset($_POST['Categories']));
 $Keyword = (isset($_POST['Keyword']));
 $Picture1 =  (isset($_POST['Picture1']));
 $Headline =  (isset($_POST['Headline']));
 $Slogan2 = (isset($_POST['Slogan2']));
 $Description1 = (isset($_POST['Description1']));
 $Description2 = (isset($_POST['Description2']));
 $Description3= (isset($_POST['Description3']));
 $Contact2 = (isset($_POST['Contact2']));
 $Picture2 =  (isset($_POST['Picture2']));
 $Picture3 = (isset($_POST['Picture3']));
 $Picture4 =  (isset($_POST['Picture4']));
 $User_Name = (isset($_POST['User_Name']));

 $Password = isset($_POST['Password']) ? $_POST['Password'] : '';





$checkp = mysql_query("SELECT `Password` FROM `Business_Info` WHERE `User_Name` = '$User_Name'"); 
$Password1 = mysql_fetch_row($checkp);
$Password2 = $Password1['Password'];




if($Password === $Password) 

{

$query = "UPDATE  Business_Info SET 
`BusinessName`= '$BusinessName',
 `Slogan`='$Slogan', 
 `Business_Address`='$Business_Address', 
 `Tel`='$Tel',
 `Website`='$Website', 
 `Email`='$Email',
 `Member_Status`='$Member_Status', 
`Fax`='$Fax', 
`type`='$type', 
`make`='$make', 
`Categories`='$Categories', 
`Keyword`='$Keyword', 
`Picture1`='$Picture1',
 `Headline`='$Headline', 
 `Slogan2`='$Slogan2', 
 `Description1`='$Description1', 
`Description2`='$Description2', 
`Description3`= '$Description3',
 `Contact2`='$Contact2', 
 `Picture2`='$Picture2',
 `Picture3`='$Picture3',
  `User_Name` ='User_Name',
 `Password`='$Password' WHERE `User_Name`='$User_Name'";

 $result = mysql_query($query) or die (mysql_error());


  } 


    else 

    { 
     
  echo "Incorrect Password or User Name Try again "; 
  exit; 
} 




?>

when i type in the password it seems to go through and then a blank page appears

anything i need to do

Posted: Tue Oct 17, 2006 2:18 pm
by RobertGonzalez
Everah wrote:This:

Code: Select all

$Password = (isset($_POST['Password']));
... is setting $Password to either true or false, as are all the other vars that are being assigned a value of isset($_POST['fieldname']). What you need to do with this is:

Code: Select all

$Password = isset($_POST['Password']) ? $_POST['Pasword'] : '';
You need to change every variable assignment in that group of vars. Right now almost everything is being set to true or false. Even $User_Name.

Posted: Tue Oct 17, 2006 2:40 pm
by franknu
that is what i did as you can see in the new code i sent you....

Posted: Tue Oct 17, 2006 2:47 pm
by feyd
You didn't do every single one.

Posted: Tue Oct 17, 2006 3:29 pm
by RobertGonzalez
This is a snip of your code, with comments...

Code: Select all

<?php
$BusinessName = (isset($_POST['BusinessName']) ? $_POST['BusinessName'] : ""); // Sets to either empty or $_POST['BusinessName']
$Slogan = (isset($_POST['Slogan'])); // sets to true or false - probably true
$Business_Address = (isset($_POST['Business_Address'])); // sets to true or false - probably true
$Tel = (isset($_POST['Tel'])); // sets to true or false - probably true
$Website = (isset($_POST['Website'])); // sets to true or false - probably true
$Email = (isset($_POST['Email'])); // sets to true or false - probably true
$Member_Status = (isset($_POST['Member_Status'])); // sets to true or false - probably true
$Fax =(isset($_POST['Fax'])); // sets to true or false - probably true
$type = (isset($_POST['type'])); // sets to true or false - probably true
$make = (isset($_POST['make'])); // sets to true or false - probably true
$Categories = (isset($_POST['Categories'])); // sets to true or false - probably true
$Keyword = (isset($_POST['Keyword'])); // sets to true or false - probably true
$Picture1 =  (isset($_POST['Picture1'])); // sets to true or false - probably true
$Headline =  (isset($_POST['Headline'])); // sets to true or false - probably true
$Slogan2 = (isset($_POST['Slogan2'])); // sets to true or false - probably true
$Description1 = (isset($_POST['Description1'])); // sets to true or false - probably true
$Description2 = (isset($_POST['Description2'])); // sets to true or false - probably true
$Description3= (isset($_POST['Description3'])); // sets to true or false - probably true
$Contact2 = (isset($_POST['Contact2'])); // sets to true or false - probably true
$Picture2 =  (isset($_POST['Picture2'])); // sets to true or false - probably true
$Picture3 = (isset($_POST['Picture3'])); // sets to true or false - probably true
$Picture4 =  (isset($_POST['Picture4'])); // sets to true or false - probably true
$User_Name = (isset($_POST['User_Name'])); // sets to true or false - probably true
$Password = isset($_POST['Password']) ? $_POST['Password'] : ''; // sets to either empty or $_POST['Password']
?>

Posted: Tue Oct 17, 2006 6:18 pm
by franknu
new changes made

Code: Select all

<?
         
 $host = "localhost";
$username = "localhost";
$password = "abc123";
$database = "contacts";




 
$db = mysql_connect($host, $username, $password); 
mysql_select_db($database); 
$BusinessName = (isset($_POST['BusinessName']) ? $_POST['BusinessName'] : ''); 
 $Slogan = (isset($_POST['Slogan']) ? $_POST['Slogan']:'');
 $Business_Address = (isset($_POST['Business_Address']) ? $_POST['Business_Address']:'');
 $Tel = (isset($_POST['Tel']) ? $_POST['Tel']:'');
 $Website = (isset($_POST['Website']) ? $_POST['Website']:"");
 $Email = (isset($_POST['Email']) ? $_POST['Email']:'');
 $Member_Status = (isset($_POST['Member_Status']) ? $_POST['Member_Status']:'');
 $Fax =(isset($_POST['Fax']) ? $_POST['Fax']:'');
 $type = (isset($_POST['type']) ? $_POST['type']:'');
 $make = (isset($_POST['make']) ? $_POST['make']:'');
 $Categories = (isset($_POST['Categories']) ? $_POST['Categories']:'');
 $Keyword = (isset($_POST['Keyword']) ? $_POST['Keyword']:'');
 $Picture1 =  (isset($_POST['Picture1']) ? $_POST['Picture1']:'');
 $Headline =  (isset($_POST['Headline']) ? $_POST['Headline']:'');
 $Slogan2 = (isset($_POST['Slogan2']) ? $_POST['Slogan2']:'');
 $Description1 = (isset($_POST['Description1']) ? $_POST['Description1']:'');
 $Description2 = (isset($_POST['Description2']) ? $_POST['Description2'] :'');
 $Description3= (isset($_POST['Description3']) ? $_POST['Description3']:'');
 $Contact2 = (isset($_POST['Contact2']) ? $_POST['Contact2']:'');
 $Picture2 =  (isset($_POST['Picture2']) ? $_POST['Picture3']:'');
 $Picture3 = (isset($_POST['Picture3']) ? $_POST['Picture3']:'');
 $Picture4 =  (isset($_POST['Picture4']) ? $_POST['Picture4']:'');
 $User_Name = (isset($_POST['User_Name'])? $_POST['User_Name']:'');
 $Password = (isset($_POST['Password']) ? $_POST['Password'] : '');





$checkp = mysql_query("SELECT `Password` FROM `Business_Info` WHERE `User_Name` = '$User_Name'"); 
$Password1 = mysql_fetch_row($checkp);
$Password2 = $Password1['Password'];




if($Password === $Password) 

{

$query = "UPDATE  Business_Info SET 
`BusinessName`= '$BusinessName',
 `Slogan`='$Slogan', 
 `Business_Address`='$Business_Address', 
 `Tel`='$Tel',
 `Website`='$Website', 
 `Email`='$Email',
 `Member_Status`='$Member_Status', 
`Fax`='$Fax', 
`type`='$type', 
`make`='$make', 
`Categories`='$Categories', 
`Keyword`='$Keyword', 
`Picture1`='$Picture1',
 `Headline`='$Headline', 
 `Slogan2`='$Slogan2', 
 `Description1`='$Description1', 
`Description2`='$Description2', 
`Description3`= '$Description3',
 `Contact2`='$Contact2', 
 `Picture2`='$Picture2',
 `Picture3`='$Picture3',
  `User_Name` ='User_Name',
 `Password`='$Password' WHERE `User_Name`='$User_Name'";

 $result = mysql_query($query) or die (mysql_error());


  } 


    else 

    { 
     
  echo "Incorrect Password or User Name Try again "; 
  exit; 
} 




?>
when i type in password and user

just a blank page came up please help

Posted: Tue Oct 17, 2006 6:55 pm
by feyd

Code: Select all

if($Password === $Password)
is pretty much always true.

Posted: Tue Oct 17, 2006 7:23 pm
by RobertGonzalez
A blank page is a syntax error. Check for unclosed parens, brackets, braces or missing semicolons.

Posted: Tue Oct 17, 2006 8:38 pm
by franknu
i made all the necessary changes

here is the code:

Code: Select all

<?
         
 $host = "localhost";
$username = "localhost";
$password = "abc123";
$database = "contacts";




 
$db = mysql_connect($host, $username, $password); 
mysql_select_db($database); 
$BusinessName = (isset($_POST['BusinessName']) ? $_POST['BusinessName'] : ''); 
 $Slogan = (isset($_POST['Slogan']) ? $_POST['Slogan']:'');
 $Business_Address = (isset($_POST['Business_Address']) ? $_POST['Business_Address']:'');
 $Tel = (isset($_POST['Tel']) ? $_POST['Tel']:'');
 $Website = (isset($_POST['Website']) ? $_POST['Website']:'');
 $Email = (isset($_POST['Email']) ? $_POST['Email']:'');
 $Member_Status = (isset($_POST['Member_Status']) ? $_POST['Member_Status']:'');
 $Fax =(isset($_POST['Fax']) ? $_POST['Fax']:'');
 $type = (isset($_POST['type']) ? $_POST['type']:'');
 $make = (isset($_POST['make']) ? $_POST['make']:'');
 $Categories = (isset($_POST['Categories']) ? $_POST['Categories']:'');
 $Keyword = (isset($_POST['Keyword']) ? $_POST['Keyword']:'');
 $Picture1 =  (isset($_POST['Picture1']) ? $_POST['Picture1']:'');
 $Headline =  (isset($_POST['Headline']) ? $_POST['Headline']:'');
 $Slogan2 = (isset($_POST['Slogan2']) ? $_POST['Slogan2']:'');
 $Description1 = (isset($_POST['Description1']) ? $_POST['Description1']:'');
 $Description2 = (isset($_POST['Description2']) ? $_POST['Description2']:'');
 $Description3= (isset($_POST['Description3']) ? $_POST['Description3']:'');
 $Contact2 = (isset($_POST['Contact2']) ? $_POST['Contact2']:'');
 $Picture2 =  (isset($_POST['Picture2']) ? $_POST['Picture3']:'');
 $Picture3 = (isset($_POST['Picture3']) ? $_POST['Picture3']:'');
 $Picture4 =  (isset($_POST['Picture4']) ? $_POST['Picture4']:'');
 $User_Name = (isset($_POST['User_Name']) ? $_POST['User_Name']:'');
 $Password = (isset($_POST['Password']) ? $_POST['Password']: '');





$checkp = mysql_query("SELECT `Password` FROM `business_info` WHERE `User_Name` = '$User_Name'"); 
$Password1 = mysql_fetch_row($checkp);
$Password2 = $Password1['Password'];




if($Password === $Password1) 

{

$query = "UPDATE  business_info SET 
`BusinessName`= '$BusinessName',
 `Slogan`='$Slogan', 
 `Business_Address`='$Business_Address', 
 `Tel`='$Tel',
 `Website`='$Website', 
 `Email`='$Email',
 `Member_Status`='$Member_Status', 
`Fax`='$Fax', 
`type`='$type', 
`make`='$make', 
`Categories`='$Categories', 
`Keyword`='$Keyword', 
`Picture1`='$Picture1',
 `Headline`='$Headline', 
 `Slogan2`='$Slogan2', 
 `Description1`='$Description1', 
`Description2`='$Description2', 
`Description3`= '$Description3',
 `Contact2`='$Contact2', 
 `Picture2`='$Picture2',
 `Picture3`='$Picture3',
  `User_Name` ='User_Name',
 `Password`='$Password' WHERE `User_Name`='$User_Name'";

 $result = mysql_query($query) or die (mysql_error());


  } 


    else 

    { 
     
  echo "Incorrect Password or User Name Try again "; 
  exit; 
} 




?>
my display is

Incorrect Password or User Name Try again

why

Posted: Tue Oct 17, 2006 8:41 pm
by John Cartwright

Code: Select all

if($Password === $Password1) 
try changing that to

Code: Select all

if($Password === $Password2) 
Also, at minimum when dealing with user input into queries, you should pass the variable through mysql_real_escape_string()

Code: Select all

$checkp = mysql_query("SELECT `Password` FROM `business_info` WHERE `User_Name` = '". mysql_real_escape_string($User_Name)."'");