What is the best way to check an existing value in a table when updating a record?

deucalion0 · February 23, 2012, 5:19pm

Hey guys, I am creating a form that allows a logged in user to enter a new password for their, account, I already have the query set up to update the password, but in my form I have the first input set to take the existing password, which must match the existing value of password in the database before the update will be performed. I cannot figure out how to do this check, the whole thing must be done with one POST submit. Check the entered password matches the one currently in the database and if it matches then updates the current value to that of the passwordnew value. here is my form:

<fieldset>

	<legend>Change Password</legend>

	<form action="changepass.php" method="POST">
			<label>Current Password :</label>
			<input type="password" name="password" /><br />
			<label>New Password :</label>
			<input type="password" name="passwordnew" /><br/>
			<label>Repeat New Password :</label>
			<input type="password" name="passwordnewRepeat" /><br/>
			<input class="signbutt" type="submit" value="Save"/><br />

	</form>

</fieldset>

here is the SQL i have for the password update:

$userid = $_SESSION['userID'];




	$passwordnew=$_POST['passwordnew'];
	$password=$_POST['password'];
	
			
		$password_hash = md5($passwordnew); 	
			
			
			if ($password)
						
				$sql = "UPDATE cryptuser  SET password='" . $password_hash."'  WHERE userID ='" . $userid ."' ";	
				
				
				
				//Check SQL Query		
				$stmt = sqlsrv_query( $conn, $sql,array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
				if(!$stmt)
				{
					die('An error has occured with your registration. If this is an indeliberate occurance,
						 please report this to us through the contact us page with details of the error.');
				}
				else{
				echo'Your password was changed';
				
				}

I have a third input which I will later use JavaScript to compare the new password with a re-enter.

If anyone can help me figure out how to do this that would be great!

Thanks

StarLion · February 23, 2012, 5:26pm

WHERE password = '“.md5($password).” AND userID = ‘“.$userid.”’";

then add a line for checking if [FPHP]sqlsrv_rows_affected[/FPHP] == 1.

deucalion0 · February 23, 2012, 6:14pm

Hey Starlion, could you please explain the check part I have been trying to get it the way you suggested and I cant output the result: Here is my updated code:

	$passwordnew=$_POST['passwordnew'];
	$password=$_POST['password'];
	
			
		$password_hash = md5($passwordnew); 	
			
			
			
						
				$sql = "UPDATE cryptuser  SET password='" . $password_hash."'  WHERE  password = '".md5($password)."' AND userID ='" . $userid ."' ";	
				
				
				
				//Check SQL Query		
				$stmt = sqlsrv_query( $conn, $sql,array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
				
				if(!$stmt)
				{
					die('An error has occured with your registration. If this is an indeliberate occurance,
						 please report this to us through the contact us page with details of the error.');
				}
				
				if ($password_hash != md5($passwordnew))
				{
					echo'password not match';
				
				}
				
				elseif ($password_hash == md5($passwordnew)){
				echo'Your password was changed';
				
				}

StarLion · February 23, 2012, 6:22pm

sqlsrv_rows_affected will tell you how many rows were affected by the previous UPDATE query. If the person gave a bad ‘current password’, then the WHERE clause would cause the update query to update 0 rows. If they gave a correct current password, then the UPDATE query would have affected 1 row.

deucalion0 · February 23, 2012, 6:48pm

I think I am almost there I always get password incorrect whether the row was updated or not, any suggestions why?



$passwordnew=$_POST['passwordnew'];
	$password=$_POST['password'];
	
			
		$password_hash = md5($passwordnew); 	
			
			
			
						
				$sql = "UPDATE cryptuser  SET password='" . $password_hash."'  WHERE  password = '".md5($password)."' AND userID ='" . $userid ."' ";	
				
				
				
				//Check SQL Query		
				$stmt = sqlsrv_query( $conn, $sql,array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
					
				
				
					$rows_affected = sqlsrv_rows_affected( $stmt);
					
					if( $rows_affected == 0) {
						 die('password incorrect');
					} 
					
					if( $rows_affected == 1) {
					
					
					echo'Your password was changed';
					
					}
				
				
				
				if(!$stmt) 
				{
					die('An error has occured with your registration. If this is an indeliberate occurance, 
						 please report this to us through the contact us page with details of the error.');
				}

StarLion · February 23, 2012, 6:56pm

Is the row updating? Have you verified that? Try making it === 0 instead of ==… (Might be returning FALSE)

deucalion0 · February 23, 2012, 7:04pm

The row is definitely updating, I changed it to === now I am just getting a blank screen whether the password is correct or not, but when I enter the correct password it will change the password to the desired new password. I have no idea why the output isn’t working

StarLion · February 23, 2012, 7:10pm

sqlsrv for some reason is returning FALSE, despite actually completing the transaction. (you can verify this by doing var_dump(sqlsrv_rows_affected($stmt)); It should come up as bool(false))

deucalion0 · February 23, 2012, 7:14pm

Yes you are right it is indeed returning bool(false)

I have no idea why because I know the password is changing I am checking it every time.

StarLion · February 23, 2012, 7:18pm

Yes, that’s very strange…I’m going to tag a few people here…
@Cups @r937 @guido2004 : Guys, any idea why this function might be throwing FALSE while still executing?

deucalion0 · February 23, 2012, 7:39pm

I really appreciate your help with this!!

Cheers!

DarthGuido · February 23, 2012, 9:26pm

I never used the sqlsrv extension, but after reading the manual I’d advise you to try what you can see in example #1


$rows_affected = sqlsrv_rows_affected( $stmt);
					
if( $rows_affected === false) {
     die( print_r( sqlsrv_errors(), true));
} elseif( $rows_affected == -1) {
      echo "No information available.<br />";
} else {
      echo $rows_affected." rows were updated.<br />";
}

And see what happens.

deucalion0 · February 23, 2012, 9:32pm

Hi Guido2004, my code originally came from the exact source you suggested. I have tried the exact same code as the manual and it still returns false, even when the password is being updated. Thanks for your input.

DarthGuido · February 23, 2012, 9:45pm

Did you add the if-elseif-else? It should give you an error message if rows_affected is false.

deucalion0 · February 23, 2012, 10:35pm

I did add everything, and nothing changed, but now I deleted the last half of my statement now it is doing something else, it seems to be working, if I could just figure out how to convert it into “The password was changed” or “Incorrect password, try again”

Here is my latest code:

	$passwordnew=$_POST['passwordnew'];
	$password=$_POST['password'];
	
			
		$password_hash = md5($passwordnew); 	

$sql = "UPDATE cryptuser  SET password='" . $password_hash."'  WHERE  password = '".md5($password)."' AND userID ='" . $userid ."' ";	

//Check SQL Query		
$stmt = sqlsrv_query( $conn, $sql);
	var_dump(sqlsrv_rows_affected($stmt));


	$rows_affected = sqlsrv_rows_affected( $stmt);
	
	if( $rows_affected === false) {
		 echo "Password incorrect.<br />";
	} elseif( $rows_affected === true) {
		 
	 
		  echo $rows_affected." Password was changed.<br />";
	}



				?>

So now when the password is successfully changed I see this: int(1) and when it is not changed, I see: int(0)

Perhaps this is because I am still dumping the sqlsrvrows_affected??

Any suggestions how I can get it to output my strings ?

Many thanks for all your help!