How to prevent double md5-ing of password field on update form?

开发者 https://www.devze.com 2023-02-20 16:58 Source: web
On my user info update form, I let users update the pass along with other things. If they don't want to update the password in the form, they leave it blank, as in the field is left empty. On the process page, if the field is blank I insert their existing password from the db (it's md5) and if they changed it I want the new password in. Below is what I am using to try and accomplish that, but it is double md5-ing no matter what:

    if (!get_magic_quotes_gpc()) {

        $newpass = mysql_escape_string($_POST['password']);
        $newpass = md5($_POST['password']);

    }

    // If $dob is empty
    if (empty($newpass)) {

        $newpass = "$passis"; //$passis = the password stored in db which is md5
    }


$newpass will never be empty because md5 converts the empty string to a hash. So this condition will not work: if (empty($newpass)) {

Instead you have to do

 if (empty($_POST['password'])) {

UPDATE

    if (!get_magic_quotes_gpc()) {

        $newpass = mysql_escape_string($_POST['password']);
        $newpass = md5($_POST['password']);

    }

    // If $dob is empty
    if (empty($_POST['password'])) {
        $newpass = "$passis"; //$passis = the password stored in db which is md5
    }


Just a little reworking of your code:

  $newpass = $_POST['password'];

  if (!get_magic_quotes_gpc()) {
      $newpass = mysql_escape_string($newpass);
  }

  if(empty($newpass)) {
    $newpass = "$passis"; //$passis = existing md5'd password already stored in db
  }
  else {
    $newpass = md5($newpass); //$newpass = newly provided password needs to be md5'd before updating db
  }     


Your code is strange because it performs md5 only if the magic_quotes_gpc directive is set.
Another thing is that the md5 of the empty string is not the empty string.

Here is some code that should work nicer:

    $newpass = isset($_POST['password']) ? $_POST['password'] : '';
    if ($newpass=='') {
      $newpass = $passis; // $passis = the password stored in db which is md5
    } else {
      if (get_magic_quotes_gpc()) $newpass = stripslashes($newpass); // take off slashes added by PHP if any
      $newpass = md5($newpass);
    }
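
An added example, not part of the original thread or of any answer above: the same "blank means keep the old password" logic, restructured so the stored hash is never read back and re-submitted, which removes the double-hashing path entirely. It swaps md5() for PHP's password_hash() and mysql_escape_string() for PDO prepared statements; the users table, its column names and the sample values are constructed for the demo.

```php
<?php
/**
 * Apply the profile form. The password column is only touched when the
 * user typed a new password, so an existing hash can never be re-hashed.
 * (Hypothetical helper; table and column names are assumptions.)
 */
function updateProfile(PDO $db, int $userId, array $post): void
{
    // Column list is built from fixed strings only; user input goes in as bound parameters.
    $fields = ['email = :email'];
    $params = [':email' => $post['email'] ?? '', ':id' => $userId];

    // Test the raw input, not a hash of it: the hash of '' is never empty.
    $newPassword = $post['password'] ?? '';
    if ($newPassword !== '') {
        // Hash exactly once, and do not escape first: escaping alters the
        // bytes being hashed, and the hash is bound as a parameter anyway.
        $fields[] = 'password_hash = :hash';
        $params[':hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    }

    $sql = 'UPDATE users SET ' . implode(', ', $fields) . ' WHERE id = :id';
    $db->prepare($sql)->execute($params);
}

/** Read back the stored hash for the demo user (id 1). */
function storedHash(PDO $db): string
{
    return (string) $db->query('SELECT password_hash FROM users WHERE id = 1')->fetchColumn();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (1, ?, ?)')
   ->execute(['old@example.test', password_hash('first-secret', PASSWORD_DEFAULT)]);

// Case 1: password field left blank, only the e-mail changes.
$before = storedHash($db);
updateProfile($db, 1, ['email' => 'new@example.test', 'password' => '']);
echo 'hash unchanged after blank submit: ';
var_dump(storedHash($db) === $before);

// Case 2: a new password containing a quote is hashed once and verifies as typed.
updateProfile($db, 1, ['email' => 'new@example.test', 'password' => "o'brien-secret"]);
echo 'new password verifies: ';
var_dump(password_verify("o'brien-secret", storedHash($db)));
```

At login, the submitted password is checked with password_verify() against the stored value rather than by hashing it and comparing strings.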