9
Replies
Ok then! 
There are two files, the user_list.php and the update_user.php.
When you load user_list.php it shows a list of users and next to each user there are 2 links, the "edit" and "delete".
When you press the "EDIT" it gets you to the update_user.php and it loads in the input fields the "First Name" , "Family name" and "Username".
There is one correction for sure that should apply in update_user.php. In the recordset are currently selected the columns user_id, first_name, family_name and username. In the book's corrections page mentions that "password" column should be selected as well.
As said before the problem is that anytime I try to EDIT a user it returns me an error " Notice: Undefined index: password in D:\EasyPHP\www\phpcs5\lesson06\workfiles\update_user.php on line 46"
This is what I have in lines 42-47
42: if(isset($_POST['password']) && empty($_POST['password'])){
43:
44: $_POST['password'] = $row_getUser['password'];
45: } else {
46: $_POST['password'] = sha1($_POST['password']);
47: }
The code of those files is taken from the Completed directory from the cd and are like this..
user_list.php
<?php require_once('Connections/cs5read.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$maxRows_getUsers = 10;
$pageNum_getUsers = 0;
if (isset($_GET['pageNum_getUsers'])) {
$pageNum_getUsers = $_GET['pageNum_getUsers'];
}
$startRow_getUsers = $pageNum_getUsers * $maxRows_getUsers;
mysql_select_db($database_cs5read, $cs5read);
$query_getUsers = "SELECT user_id, first_name, family_name, username FROM users ORDER BY family_name ASC";
$query_limit_getUsers = sprintf("%s LIMIT %d, %d", $query_getUsers, $startRow_getUsers, $maxRows_getUsers);
$getUsers = mysql_query($query_limit_getUsers, $cs5read) or die(mysql_error());
$row_getUsers = mysql_fetch_assoc($getUsers);
if (isset($_GET['totalRows_getUsers'])) {
$totalRows_getUsers = $_GET['totalRows_getUsers'];
} else {
$all_getUsers = mysql_query($query_getUsers);
$totalRows_getUsers = mysql_num_rows($all_getUsers);
}
$totalPages_getUsers = ceil($totalRows_getUsers/$maxRows_getUsers)-1;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Registered Users</title>
<link href="../../styles/users.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>Registered Users</h1>
<table>
<tr>
<th scope="col">Real name</th>
<th scope="col">Username</th>
<th scope="col"> </th>
<th scope="col"> </th>
</tr>
<?php do { ?>
<tr>
<td><?php echo $row_getUsers['first_name']; ?> <?php echo $row_getUsers['family_name']; ?></td>
<td><?php echo $row_getUsers['username']; ?></td>
<td><a href="update_user.php?user_id=<?php echo $row_getUsers['user_id']; ?>">EDIT</a></td>
<td><a href="delete_user.php?user_id=<?php echo $row_getUsers['user_id']; ?>">DELETE</a></td>
</tr>
<?php } while ($row_getUsers = mysql_fetch_assoc($getUsers)); ?>
</table>
</body>
</html>
<?php
mysql_free_result($getUsers);
?>
update_user.php
<?php require_once('Connections/cs5write.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
if (PHP_VERSION < 6) {
$theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
}
$theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
switch ($theType) {
case "text":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "long":
case "int":
$theValue = ($theValue != "") ? intval($theValue) : "NULL";
break;
case "double":
$theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
break;
case "date":
$theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
break;
case "defined":
$theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
break;
}
return $theValue;
}
}
$colname_getUser = "-1";
if (isset($_GET['user_id'])) {
$colname_getUser = $_GET['user_id'];
}
mysql_select_db($database_cs5write, $cs5write);
$query_getUser = sprintf("SELECT user_id, first_name, family_name, username FROM users WHERE user_id = %s", GetSQLValueString($colname_getUser, "int"));
$getUser = mysql_query($query_getUser, $cs5write) or die(mysql_error());
$row_getUser = mysql_fetch_assoc($getUser);
$totalRows_getUser = mysql_num_rows($getUser);
if (isset($_POST['password']) && empty($_POST['password'])) {
$_POST['password'] = $row_getUser['password'];
} else {
$_POST['password'] = sha1($_POST['password']);
}
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
$editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}
if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
$updateSQL = sprintf("UPDATE users SET first_name=%s, family_name=%s, username=%s, password=%s WHERE user_id=%s",
GetSQLValueString($_POST['first_name'], "text"),
GetSQLValueString($_POST['surname'], "text"),
GetSQLValueString($_POST['username'], "text"),
GetSQLValueString($_POST['password'], "text"),
GetSQLValueString($_POST['user_id'], "int"));
mysql_select_db($database_cs5write, $cs5write);
$Result1 = mysql_query($updateSQL, $cs5write) or die(mysql_error());
$updateGoTo = "user_list.php";
if (isset($_SERVER['QUERY_STRING'])) {
$updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
$updateGoTo .= $_SERVER['QUERY_STRING'];
}
header(sprintf("Location: %s", $updateGoTo));
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Update user details</title>
<link href="../../styles/users.css" rel="stylesheet" type="text/css" />
</head>
<body>
<h1>Update User Record</h1>
<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
<fieldset>
<legend>Leave password blank if no change</legend>
<p>
<label for="first_name">First name:</label>
<input name="first_name" type="text" id="first_name" value="<?php echo $row_getUser['first_name']; ?>" />
</p>
<p>
<label for="surname">Family name:</label>
<input name="surname" type="text" id="surname" value="<?php echo $row_getUser['family_name']; ?>" />
</p>
<p>
<label for="username">Username:</label>
<input name="username" type="text" id="username" value="<?php echo $row_getUser['username']; ?>" />
</p>
<p>
<label for="password">Password:</label>
<input type="password" name="password" id="password" />
</p>
<p>
<label for="conf_password">Confirm password:</label>
<input type="password" name="conf_password" id="conf_password" />
</p>
<p>
<input type="submit" name="add_user" id="add_user" value="Update" />
<input name="user_id" type="hidden" id="user_id" value="<?php echo $row_getUser['user_id']; ?>" />
</p>
</fieldset>
<input type="hidden" name="MM_update" value="form1" />
</form>
</body>
</html>
<?php
mysql_free_result($getUser);
?>
Thank you!
Look at the snippet of code in update_user.php in relation to the rest of your page.
if (isset($_POST['password']) && empty($_POST['password'])) {
$_POST['password'] = $row_getUser['password'];
} else {
$_POST['password'] = sha1($_POST['password']);
}This code is saying that if a user has submitted the form to update the user and the field for the password is empty then set the value for the password to be the users current value since a new value wasn't submitted for the password in the edit user form. Then it says that else, as in if the user hasn't set an empty password field for the edit user form, as in the user HAS entered a value and submitted the form for edit user, then encrypt the value so that it can be updated for the users database column.
The problem with this method is that the first time the page is loaded the form is not submitted. That is why you're getting an error message. Because php is saying hey, you're telling me to do something with the password value that is being submitted from the form, but I don't have a value that's been submitted from the form. 
Fix this by wrapping your code in another if statement that says hey php, only look at this snippet of code and encrypt the password value if the form has been submitted, a'ight?
if (isset($_POST["MM_update"])) {
if (isset($_POST['password']) && empty($_POST['password'])) {
$_POST['password'] = $row_getUser['password'];
} else {
$_POST['password'] = sha1($_POST['password']);
}
}Also query for getuser info should have the password field included like this:
SELECT user_id, first_name, family_name, username, password FROM users... blah blah blahFor security you really should be using user_id from the profile info query instead of passing the user_id to a hidden form field and then using that as the parameter to update the user. Ask the book author for more info on this off topic subject. With your current script hacker could put the form on any page with action pointing to your page then be able to change any user's password by entering whatever id they want in the hidden form field.
the_shocker wrote:
The problem with this method is that the first time the page is loaded the form is not submitted. That is why you're getting an error message. Because php is saying hey, you're telling me to do something with the password value that is being submitted from the form, but I don't have a value that's been submitted from the form.
Fix this by wrapping your code in another if statement that says hey php, only look at this snippet of code and encrypt the password value if the form has been submitted, a'ight?
if (isset($_POST["MM_update"])) { if (isset($_POST['password']) && empty($_POST['password'])) { $_POST['password'] = $row_getUser['password']; } else { $_POST['password'] = sha1($_POST['password']); } }
Yes, that's a mistake in the book. I'm surprised it's taken eight months for anyone to report it. I would simplify the conditional statement like this:
if (isset($_POST['password'])) {
if (empty($_POST['password'])) {
$_POST['password'] = $row_getUser['password'];
} else {
$_POST['password'] = sha1($_POST['password']);
}}
I'll issue a correction to the book. Thanks for looking into this for me. I haven't been around the forums for a few months because I've been insanely busy with projects on a very tight deadline.
Also query for getuser info should have the password field included like this:
SELECT user_id, first_name, family_name, username, password FROM users... blah blah blah
That's also true, but there's an existing correction to the book that would have fixed that problem. Unfortunately, the example files are on a CD, and the publisher doesn't like them being made freely available (although there's nothing wrong with a reader posting the code when asking for help, as has happened here). Maybe I should make just corrected files available on my own website.
For security you really should be using user_id from the profile info query instead of passing the user_id to a hidden form field and then using that as the parameter to update the user. Ask the book author for more info on this off topic subject. With your current script hacker could put the form on any page with action pointing to your page then be able to change any user's password by entering whatever id they want in the hidden form field.
That's a reasonable criticism of the code. It's automatically generated by Dreamweaver's server behaviors. As the introduction to the chapter says: "They have remained essentially unchanged since they were first introduced. Adobe regards them more as a learning tool than as a production-level feature." The chapter also concludes with a warning that server behaviors raise unrealistic expectations.
A later chapter enforces security by sending the user's email address a URL with a unique token that can be used once only to update the password.
AdChoices