I encrypt my pw's the same way but I usually don't include the password on
an "edit my info" page.  I create a separate "change password" screen where
I force them to type in their old password and then type a new one twice. If
the encrypted, salted old password attempt does not match what is in the db,
the form doesn't validate and the password is not changed.

The "lost password" page is a different beast altogether...

But again, the password field is omitted from the "edit" form AND the update
statement so it is never touched in this process.

That goes for any other field you don't want the user to be able to edit too
-- just don't put it in the form or the update and they can't mess with it.
I usually have an "is_admin" (yes/no) field and don't want the user to
change that of course.

-- matt
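An added example (not code from this thread; Python with sqlite3 instead of the thread's PHP/MySQL so it runs stand-alone) of the two points made above: the edit form's UPDATE is built only from an allowlist of editable columns, so a posted "password" or "is_admin" value can never reach the database, and the separate change-password path verifies the salted hash of the old password before anything is written. The table layout, column names and sample values are assumptions, and PBKDF2 stands in for the thread's md5("$salt$password").

```python
import hashlib
import hmac
import os
import sqlite3

# Columns a member may change through the "edit my info" form. "password" and
# "is_admin" are deliberately absent, so a posted value for them is ignored.
EDITABLE = ("fname", "lname", "email")

def setup_db():
    # In-memory member table, constructed for this example.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE member (username TEXT PRIMARY KEY, fname TEXT, lname TEXT,"
               " email TEXT, salt TEXT, pw_hash TEXT, is_admin INTEGER DEFAULT 0)")
    return db

def hash_pw(salt, password):
    # Salted, slow hash standing in for the thread's md5("$salt$password").
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000).hex()

def create_member(db, username, password, fname, lname, email):
    salt = os.urandom(8).hex()
    db.execute("INSERT INTO member (username, fname, lname, email, salt, pw_hash)"
               " VALUES (?, ?, ?, ?, ?, ?)",
               (username, fname, lname, email, salt, hash_pw(salt, password)))

def update_profile(db, username, post):
    # Only allowlisted, non-empty posted fields reach the UPDATE; the rest keep their values.
    changes = {k: v for k, v in post.items() if k in EDITABLE and v != ""}
    if not changes:
        return 0
    # Column names come from EDITABLE, never from the request; values are bound parameters.
    set_clause = ", ".join(f"{col} = ?" for col in changes)
    cur = db.execute(f"UPDATE member SET {set_clause} WHERE username = ?",
                     (*changes.values(), username))
    return cur.rowcount

def change_password(db, username, old, new, new_again):
    # Separate screen: the old password must verify and the new one is typed twice.
    row = db.execute("SELECT salt, pw_hash FROM member WHERE username = ?", (username,)).fetchone()
    if row is None or not new or new != new_again:
        return False
    salt, stored = row
    if not hmac.compare_digest(hash_pw(salt, old), stored):
        return False  # wrong old password: the form does not validate, nothing is written
    new_salt = os.urandom(8).hex()
    db.execute("UPDATE member SET salt = ?, pw_hash = ? WHERE username = ?",
               (new_salt, hash_pw(new_salt, new), username))
    return True
```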



On Tue, Mar 25, 2008 at 12:24 PM, Jason Pruim <[EMAIL PROTECTED]> wrote:

>
> On Mar 25, 2008, at 1:17 PM, Matt Anderton wrote:
> > I usually pre-populate the form with the values that are already in the
> > record:
> >
> > (... using PEAR's MDB2 package -- http://pear.php.net/packages/MDB2 )
> >
> > $query = "SELECT * FROM member WHERE username = " .
> >     $db->quote($_POST['username'], 'text');   // quote() escapes the value
> > $result = $db->query($query);
> > $member = $result->fetchRow(MDB2_FETCHMODE_ASSOC);
> >
> > foreach ($member as $key => $value) {
> >     $$key = $value;
> > }
> >
> > <form name="member_edit" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" method="POST">
> >     <input type="hidden" name="_submit" value="1" />
> >     <input type="text" name="fname" value="<?= htmlspecialchars($fname) ?>" />
> >     <input type="text" name="lname" value="<?= htmlspecialchars($lname) ?>" />
> >     <input type="text" name="email" value="<?= htmlspecialchars($email) ?>" />
> >     ....
> >     ....
> >     ....
> > </form>
> >
> > then when they submit, the record is just repopulated with whatever is in
> > the form when they submit.  ie -- only fields they changed get changed in
> > the db.
> >
> > if($_POST['_submit']) {
> >     $update = "UPDATE member SET ...... blah, blah..."
> > }
> >
> > that way, none of the fields are blank unless they were in the db blank to
> > begin with.  and you can add client or server-side validation to prevent
> > that.
> >
> > -- matt
>
> Hi Matt,
>
> That's what I'm doing for most of the fields, but how would you handle
> a password that has been MD5'ed and includes some variables to make it
> harder to crack? :)
>
> ie: $PW = md5("$salt$password");
>
> I can't undo the MD5 and I don't really want to... Just want to be
> able to change it rather than view what it is.
>
> > On Tue, Mar 25, 2008 at 11:59 AM, Jason Pruim <[EMAIL PROTECTED]> wrote:
> >
> >> Hi everyone,
> >>
> >> I am attempting to update a record for a login system while leaving
> >> certain fields untouched if they aren't changed, and am running into
> >> issues.
> >>
> >> Basically what I want to do, is say I have these fields:
> >>
> >> Field1
> >> Field2
> >> Field3
> >> Field4
> >>
> >> I update Field1 and Field3 but not Field2 and Field4. What I want to
> >> do is change the values in Field1 and Field3 without touching the
> >> values in Field2 and Field4.
> >>
> >> I have tried this code:
> >> $tab = "\t";
> >> if (!isset($_POST['txtLoginName']) || empty($_POST['txtLoginName'])) {
> >>     $loginName = mysqli_real_escape_string($chpwpostlink, $_POST['txtLoginName']);
> >> } else {
> >>     $loginName = $tab;
> >> }
> >>
> >> which works the fields that I've changed, but if I don't submit a
> >> value in the form it sets the field to be blank in MySQL. Which is
> >> what I am trying to avoid. Any ideas?
> >>
> >> --
> >>
> >> Jason Pruim
> >> Raoset Inc.
> >> Technology Manager
> >> MQC Specialist
> >> 3251 132nd ave
> >> Holland, MI, 49424-9337
> >> www.raoset.com
> >> [EMAIL PROTECTED]
> >>
>
