I'm trying to put together a form whereby users can update their 'email address' and 'password'.

I'm trying to incorporate the following scenarios:

  • If the user changes their email address, then I want the existing 'password', 'password hint', and salt fields to be left with their current values.
  • If the user changes their password, I need a new 'salt' value to be created, added to the password field and encrypted with sha1.
  • Lastly, if the user changes all fields then the 'email address', 'password', 'password hint' and 'salt' fields all need to be updated.

This is the code I've tried to put together:

```php
if (isset($_POST["amendyourdetails"]))
    {

$password = $_POST["password"];}
$confirmpassword = $_POST["confirmpassword"];
$passwordhint = $_POST["passwordhint"];
if  ($password >=0){
$salt = uniqid(mt_rand());
$encrypted = sha1($password . $salt);
if ($emailaddress >=0){
$emailaddress = $_POST['emailaddress'];
            mysql_query("UPDATE `userdetails` SET `emailaddress` = '$emailaddress',`password` = '$encrypted', `passwordhint` = '$passwordhint', `salt` = '$salt' WHERE `userid` = 1");
            $msg = "Your password has been successfully reset.";
            }
            }
            else if ($password == 0 ){
            if (emailaddress > 0){
            mysql_query("UPDATE `userdetails` SET `emailaddress` = '$emailaddress' WHERE `userid` = 1");
            $msg = "Your password has been successfully reset.";
            }
            }
            }
?>
<html>
<head>
<title>Amend Your Details</title>
<style type="text/css">
<!--
.style1 {font-family: Calibri
}
.style9 {   font-family: Calibri;
    font-size: 24px;
    background-color: #78AFC5;
}
.style7 {
    font-family: Calibri;
    font-size: 16px;
    background-color: #FFFFFF;
}
.style10 {color: #FF0000}
-->
</style>
<script src="gen_validatorv4.js" type="text/javascript"></script>
</head>
<body>
<div align="center"><span class="style9">Amend Your Details </span></div>
<p class="style7"><span class="style10">
  <?php
if (isset($msg)) // this is special section for
// outputing message
{
?>
</span>
<p class="style7">
  <span class="style10">
  <?=$msg?>
  </span>
  <p class="style7"><span class="style10">
  <?php
}
?>
  </span>
  <form name="amendyourdetails" id="amendyourdetails" action="amendyourdetails.php" method="post">
  <table width="418" border="1">
    <tr>
      <td width="195"><span class="style1">Email Address:</span></td>
      <td width="220"><span class="style1">
        <input name="emailaddress" type="email" value="<?php echo $emailaddress;?>" size="25"/>
      </span></td>
    </tr>
    <tr>
      <td><span class="style1">New Password:</span></td>
      <td><span class="style1">
        <input name="password" id="password" type="password" size="30"/>
      </span></td>
    </tr>
    <tr>
      <td><span class="style1">Confirm New Password:</span></td>
      <td><span class="style1">
      <input name="confirmpassword" id="confirmpassword" type="password" size="30"/>
      </span></td>
    </tr>
    <tr>
      <td><span class="style1">New Password Hint:</span></td>
      <td><span class="style1">
        <input name="passwordhint" id="passwordhint" type="text" size="30"/>
      </span></td>
    </tr>
  </table>
  <p>
    <input name="amendyourdetails" type="submit" value="Amend Your Details">
</p>
</form>
<script language="JavaScript" type="text/javascript">
var frmvalidator = new Validator("amendyourdetails");
                                frmvalidator.addValidation("emailaddress","email","Please enter a valid email address");
                            //  frmvalidator.addValidation("password","minlen=6", "Minimum length for a password is 6 characters");
                                frmvalidator.addValidation("confirmpassword","eqelmnt=password", "The confirmed password is not the same as the password");
                            //  frmvalidator.addValidation("passwordhint","req","Please provide a hint for your password");
                            </script>
</body>
</html>
```

The biggest problem I have is that as soon as the page is run, the 'update' action takes place, but values from my 'email address' and 'passwordhint' fields have been deleted and I'm not sure why.

UPDATED CODE

```php
if (isset($_POST["amendyourdetails"]))
{

$emailaddress = $_POST['emailaddress'];
$password = $_POST["password"];}
$confirmpassword = $_POST["confirmpassword"];
$passwordhint = $_POST["passwordhint"];
if ($_POST["password"] isset()
{
$salt = uniqid(mt_rand());
$encrypted = sha1($password . $salt);
mysql_query("UPDATE `userdetails` SET `emailaddress` = '$emailaddress',`password` = '$encrypted', `passwordhint` = '$passwordhint', `salt` = '$salt' WHERE `userid` = 1");
$msg = "Your password has been successfully reset.";
}
}
```

IRHM
  • if you could indent your code, it would make it much easier to read it and help you – Ayush Jan 18 '12 at 16:00
  • Please read up on [parsing user input](http://stackoverflow.com/questions/60174/best-way-to-stop-sql-injection-in-php), for the sake of your users. – fredley Jan 18 '12 at 16:01
  • Where are you declaring `$emailaddress`? Edit: It seems you are using it before you declare it. – Markus Hedlund Jan 18 '12 at 16:01
  • Hi, I really appreciate all your comments. I'm still learning, so it's really useful for those more seasoned developers to provide some guidance. – IRHM Jan 18 '12 at 16:28

2 Answers

Do you mean `if(strlen($password) >=0){` ?? Or `isset`??

Whatever, try this:

```php
$password = $_POST['password'];
$confirmpassword = $_POST['confirmpassword'];
$passwordhint = $_POST['passwordhint'];

if(strlen($password) > 0) {
    $salt = uniqid(mt_rand());

    $encrypted = sha1($password.$salt);
}

$emailaddress = $_POST['emailaddress'];

mysql_query("UPDATE `userdetails` SET `emailaddress` = ".((strlen($emailaddress) > 0) ? "'$emailaddress'" : "emailaddress").", `password` =
        ".((strlen($password) > 0) ? "'$encrypted', `passwordhint` = '$passwordhint', `salt` = '$salt'" : "password")." WHERE `userid` = 1");
```

But: Never thought about SQL Injections?

Btw: Sorry for my bad english.

  • SQL injection is a definite problem with the code as written. – Ilion Jan 18 '12 at 16:16
  • I know but I just did it as the code above. Maybe he is doing something like $_POST['emailadress'] = mysql_real_escape_string($_Po... ); before the code extract. –  Jan 19 '12 at 17:21

You're detecting if $password is more than or equal to 0. This will evaluate to true if it is not defined. You want to check if $_POST["password"] isset().

Ilion
  • Hi, many thanks for taking the time to reply to my post. I've tried to implement your suggestion. Clearly I've not done something right because I'm receiving the following error: `Parse error: syntax error, unexpected T_ISSET in /homepages/2/d333603417/htdocs/development/amendyourdetails.php on line 19` I've updated my original post with the new code. Could you perhaps please take a look at this and let me know where I've gone wrong. Many thanks – IRHM Jan 18 '12 at 18:16
  • on the line `if ($_POST["password"] isset()` it should be `if (isset($_POST["password"]))` – Ilion Jan 18 '12 at 18:58
  • Hi, many thanks for helping me out with this. I couldn't get the code to work using the updated suggestion you posted. But, taking into account what you and others said about SQL injection attacks I went away and re-wrote my code and it's working now as it should. Many thanks – IRHM Jan 21 '12 at 16:12
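
An added example (not code from the question or either answer) of the conditional update both answers work toward, written with bound parameters so the SQL injection raised in the comments does not apply. It assumes PDO with an in-memory SQLite table standing in for the MySQL `userdetails` table, uses a hypothetical helper `buildUpdate()`, and swaps `sha1()` plus a separate `salt` column for `password_hash()`, which generates and embeds its own salt:

```php
<?php
// Added example, not code from this thread. Assumptions: in-memory SQLite via PDO
// stands in for MySQL; buildUpdate() is a hypothetical helper; names follow the question.
function buildUpdate(array $post, int $userId): ?array
{
    $set = [];
    $params = [':userid' => $userId];
    $email = trim((string)($post['emailaddress'] ?? ''));
    if ($email !== '') {
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException('Invalid email address');
        }
        $set[] = 'emailaddress = :email';
        $params[':email'] = $email;
    }
    $password = (string)($post['password'] ?? '');
    if ($password !== '') {
        if ($password !== (string)($post['confirmpassword'] ?? '')) {
            throw new InvalidArgumentException('Passwords do not match');
        }
        // password_hash() picks a random salt and stores it inside the hash,
        // so a password change always produces a fresh salt.
        $set[] = 'password = :hash';
        $params[':hash'] = password_hash($password, PASSWORD_DEFAULT);
        $set[] = 'passwordhint = :hint';
        $params[':hint'] = (string)($post['passwordhint'] ?? '');
    }
    if ($set === []) {
        return null; // nothing submitted: leave the row untouched
    }
    $sql = 'UPDATE userdetails SET ' . implode(', ', $set) . ' WHERE userid = :userid';
    return [$sql, $params];
}
// Constructed demo table and row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdetails (userid INTEGER PRIMARY KEY, emailaddress TEXT, password TEXT, passwordhint TEXT)');
$db->exec("INSERT INTO userdetails VALUES (1, 'old@example.com', 'placeholder', 'old hint')");

// Constructed submissions: email only, then password only. Both contain a quote
// character, which a string-built query would mishandle and a bound value does not.
foreach ([
    ['emailaddress' => "o'brien@example.com", 'password' => ''],
    ['emailaddress' => '', 'password' => 'correct horse', 'confirmpassword' => 'correct horse', 'passwordhint' => "it's a comic"],
] as $post) {
    [$sql, $params] = buildUpdate($post, 1);
    $db->prepare($sql)->execute($params);
    $row = $db->query('SELECT * FROM userdetails WHERE userid = 1')->fetch(PDO::FETCH_ASSOC);
    echo $sql, "\n  ", $row['emailaddress'], ' | ', $row['passwordhint'], ' | new password verifies: ', var_export(password_verify('correct horse', $row['password']), true), "\n";
}
```

On the real page the array passed in would be `$_POST`, checked only inside the `isset($_POST["amendyourdetails"])` block, and any value echoed back into the form would go through `htmlspecialchars()`.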