
I'm trying to use the following code lines in order to verify a person's identity and update his email address, but the code reads the value of the email as blank and updates it to blank in the database.

<form method="post">
    <input type="hidden" name="__token" value="exex"/>
    <div class="row">
        <label for="email">Email address</label>
        <div><input type="email" id="email" name="email" value="<?php echo $email; ?>"/></div>
        <br/>
        <div class="notice">Used for lost password recovery. Important!</div>
    </div>
    <div class="row">
        <label for="newpass">New password</label>
        <div><input type="password" id="newpass" name="newpass"/></div>
        <br/>
        <div class="notice">Leave empty if you do not want to change it.</div>
    </div>
    <div class="row">
        <label for="curpass">Current password</label>
        <div><input required type="password" id="curpass" name="curpass"/></div>
        <br/>
        <div class="notice">You must enter your current password to save the settings.</div>
    </div>
    <div class="row"><input type="submit" value="Save settings"/></div>
</form>

Upon submission, on the same page (settings):

if(isset($_POST['email']) && (isset($_POST['curpass']) && $_POST['newpass'] == "")) {
    $email = mysql_real_escape_string($_POST['email']);
    $curpass = strtoupper(hash("whirlpool", $_POST['curpass']));
    $passii = $con->query("SELECT `password` FROM `playerinfo` WHERE `PlayerName` = '{$_SESSION['playername']}';");
    while($row = $passii->fetch()) {
        $curpass1 = $row['password'];
    }
    if($curpass == $curpass1) {
        echo "<div class='flash_success'>Your email has been changed.</div>";
        $con->query("UPDATE `playerinfo` SET `email` = '$email' WHERE `PlayerName` = '{$_SESSION['playername']}'");
    } else {
        echo "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
    }
}
  • Please do not **roll your own** password hashing scheme. PHP provides [password_hash()](http://php.net/manual/en/function.password-hash.php) and [password_verify()](http://php.net/manual/en/function.password-verify.php); please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5, [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat). – John Conde Aug 09 '17 at 14:10
  • My question is not a duplicate at all. Why did you mark it as a duplicate? I was asking why the $_POST is reading blank and you simply tagged it as a mysql libraries collision? I'm not talking about the password, I'm asking why the email is returned blank. – amit cohen Aug 09 '17 at 14:11
  • @JohnConde ^^^^^^^^ – amit cohen Aug 09 '17 at 14:12
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code**. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – GrumpyCrouton Aug 09 '17 at 14:14
  • [Little Bobby](http://bobby-tables.com/) says **[you are at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even **[escaping the string](https://stackoverflow.com/q/5741187)** is not safe! I recommend `PDO`, which I [wrote a function for](https://stackoverflow.com/a/45514591) to make it extremely **easy**, very **clean**, and way more **secure** than using non-parameterized queries. – GrumpyCrouton Aug 09 '17 at 14:15
  • Can you try to do `print_r($_POST)` and share the output? – GrumpyCrouton Aug 09 '17 at 14:17
  • 1
    You are using mysql_real_escape_string() without being connected to mysql because you are using the mysqli library. That's why this is failing. You are mixing APIs which you cannot do. – John Conde Aug 09 '17 at 14:39
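The handler rewritten the way the comments recommend, as an added example that is not the asker's code: PDO prepared statements replace string escaping (so the mysql_real_escape_string() call that returns false without a mysql connection, and thus an empty email, disappears entirely), and password_verify() replaces the hand-rolled whirlpool comparison. It assumes `$con` is a PDO instance, `$_SESSION['playername']` is set, and the `password` column already holds password_hash() output rather than the uppercase whirlpool hex; the function name `updateEmail` is hypothetical.

```php
<?php
// Added example, not the original post's code. Assumes $con is a PDO handle,
// $_SESSION['playername'] is set, and `password` stores password_hash() output.

function updateEmail(PDO $con, string $player, array $post): string
{
    // Same gate as the original: email and current password present, no new password.
    if (!isset($post['email'], $post['curpass']) || ($post['newpass'] ?? '') !== '') {
        return '';
    }

    // Validate the address server-side; the browser's type="email" is not enough.
    $email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return "<div class='flash_error'>That email address is not valid.</div>";
    }

    // Bound parameter: the session value never becomes part of the SQL text,
    // so no escaping function (mysql_*, mysqli_*, or otherwise) is needed.
    $stmt = $con->prepare('SELECT `password` FROM `playerinfo` WHERE `PlayerName` = ?');
    $stmt->execute([$player]);
    $storedHash = $stmt->fetchColumn();

    // password_verify() handles the salt and compares in constant time.
    if ($storedHash === false || !password_verify($post['curpass'], $storedHash)) {
        return "<div class='flash_error'>You did not enter your current password correctly. Settings were not saved.</div>";
    }

    // Update only after the check succeeds, again with bound parameters.
    $stmt = $con->prepare('UPDATE `playerinfo` SET `email` = ? WHERE `PlayerName` = ?');
    $stmt->execute([$email, $player]);

    return "<div class='flash_success'>Your email has been changed.</div>";
}

echo updateEmail($con, $_SESSION['playername'], $_POST);
```

Existing rows hashed with whirlpool have to be rehashed with password_hash() (for instance on the user's next successful login) before password_verify() will accept them.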
