  1. <?php
  2.  
  3. // First we execute our common code to connection to the database and start the session
  4. $commonPath = $_SERVER['DOCUMENT_ROOT'];
  5. $commonPath .= "/include/common.php";
  6. require($commonPath);
  7.  
  8. // At the top of the page we check to see whether the user is logged in or not
  9. if(empty($_SESSION['user']))
  10. {
  11. // If they are not, we redirect them to the login page.
  12. header("Location: include/login.php");
  13.  
  14. // Remember that this die statement is absolutely critical. Without it,
  15. // people can view your members-only content without logging in.
  16. die("Redirecting to login.php");
  17. }
  18.  
  19. // This if statement checks to determine whether the edit form has been submitted
  20. // If it has, then the account updating code is run, otherwise the form is displayed
  21. if(!empty($_POST))
  22. {
  23. // Make sure the user entered a valid E-Mail address
  24. if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
  25. {
  26. die("Invalid E-Mail Address");
  27. }
  28.  
  29. // If the user is changing their E-Mail address, we need to make sure that
  30. // the new value does not conflict with a value that is already in the system.
  31. // If the user is not changing their E-Mail address this check is not needed.
  32. if($_POST['email'] != $_SESSION['user']['email'])
  33. {
  34. // Define our SQL query
  35. $query = "
  36. SELECT
  37. 1
  38. FROM users
  39. WHERE
  40. email = :email
  41. ";
  42.  
  43. // Define our query parameter values
  44. $query_params = array(
  45. ':email' => $_POST['email']
  46. );
  47.  
  48. try
  49. {
  50. // Execute the query
  51. $stmt = $db->prepare($query);
  52. $result = $stmt->execute($query_params);
  53. }
  54. catch(PDOException $ex)
  55. {
  56. // Note: On a production website, you should not output $ex->getMessage().
  57. // It may provide an attacker with helpful information about your code.
  58. die("Failed to run query: " . $ex->getMessage());
  59. }
  60.  
  61. // Retrieve results (if any)
  62. $row = $stmt->fetch();
  63. if($row)
  64. {
  65. die("This E-Mail address is already in use");
  66. }
  67. }
  68.  
  69. if($_POST['username'] != $_SESSION['user']['username'])
  70. {
  71. // Define our SQL query
  72. $query = "
  73. SELECT
  74. 1
  75. FROM users
  76. WHERE
  77. username = :username
  78. ";
  79.  
  80. // Define our query parameter values
  81. $query_params = array(
  82. ':username' => $_POST['username']
  83. );
  84.  
  85. try
  86. {
  87. // Execute the query
  88. $stmt = $db->prepare($query);
  89. $result = $stmt->execute($query_params);
  90. }
  91. catch(PDOException $ex)
  92. {
  93. // Note: On a production website, you should not output $ex->getMessage().
  94. // It may provide an attacker with helpful information about your code.
  95. die("Failed to run query: " . $ex->getMessage());
  96. }
  97.  
  98. // Retrieve results (if any)
  99. $row = $stmt->fetch();
  100. if($row)
  101. {
  102. die("This username is already in use");
  103. }
  104. }
  105.  
  106. // If the user entered a new password, we need to hash it and generate a fresh salt
  107. // for good measure.
  108. if(!empty($_POST['password']))
  109. {
  110. $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
  111. $password = hash('sha256', $_POST['password'] . $salt);
  112. for($round = 0; $round < 65536; $round++)
  113. {
  114. $password = hash('sha256', $password . $salt);
  115. }
  116. }
  117. else
  118. {
  119. // If the user did not enter a new password we will not update their old one.
  120. $password = null;
  121. $salt = null;
  122. }
  123.  
  124. // Initial query parameter values
  125. $query_params = array(
  126. ':email' => $_POST['email'],
  127. ':user_id' => $_SESSION['user']['id'],
  128. );
  129.  
  130. // If the user is changing their password, then we need parameter values
  131. // for the new password hash and salt too.
  132. if($password !== null)
  133. {
  134. $query_params[':password'] = $password;
  135. $query_params[':salt'] = $salt;
  136. }
  137.  
  138. // Note how this is only first half of the necessary update query. We will dynamically
  139. // construct the rest of it depending on whether or not the user is changing
  140. // their password.
  141. $query = "
  142. UPDATE users
  143. SET
  144. email = :email
  145. ";
  146.  
  147. $query = "
  148. UPDATE users
  149. SET
  150. username = :username
  151. ";
  152.  
  153. // If the user is changing their password, then we extend the SQL query
  154. // to include the password and salt columns and parameter tokens too.
  155. if($password !== null)
  156. {
  157. $query .= "
  158. , password = :password
  159. , salt = :salt
  160. ";
  161. }
  162.  
  163. // Finally we finish the update query by specifying that we only wish
  164. // to update the one record with for the current user.
  165. $query .= "
  166. WHERE
  167. id = :user_id
  168. ";
  169.  
  170. try
  171. {
  172. // Execute the query
  173. $stmt = $db->prepare($query);
  174. $result = $stmt->execute($query_params);
  175. }
  176. catch(PDOException $ex)
  177. {
  178. // Note: On a production website, you should not output $ex->getMessage().
  179. // It may provide an attacker with helpful information about your code.
  180. die("Failed to run query: " . $ex->getMessage());
  181. }
  182.  
  183. // Now that the user's E-Mail address has changed, the data stored in the $_SESSION
  184. // array is stale; we need to update it so that it is accurate.
  185. $_SESSION['user']['email'] = $_POST['email'];
  186. $_SESSION['user']['username'] = $_POST['username'];
  187.  
  188. // This redirects the user back to the members-only page after they register
  189. header("Location: include/private.php");
  190.  
  191. // Calling die or exit after performing a redirect using the header function
  192. // is critical. The rest of your PHP script will continue to execute and
  193. // will be sent to the user if you do not die or exit.
  194. die("Redirecting to private.php");
  195. }
  196. ?>
  197. <!doctype html>
  198. <html lang="en">
  199. <head>
  200. <title>Kieron Sutton - Web Developer</title>
  201. <!-- Main Website Stylesheet -->
  202. <link rel="stylesheet" type="text/css" href="css/styles.css" />
  203. <!-- Google Font -->
  204. <link href='http://fonts.googleapis.com/css?family=Open+Sans:400,300' rel='stylesheet' type='text/css'>
  205. <!-- Internet Scripts -->
  206. <script src="http://code.jquery.com/jquery-1.8.2.js"></script>
  207. <script src="http://code.jquery.com/ui/1.9.1/jquery-ui.js"></script>
  208. </head>
  209.  
  210. <body>
  211. <?php
  212. include ('include/header.php');
  213. include ('include/slider.php'); ?>
  214. <div id="edit-account">
  215. <h1>Edit Account</h1>
  216. <center>
  217. <form action="edit_account.php" method="post">
  218. Username:<br />
  219. <b><?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?></b>
  220. <br /><br />
  221. Change Username:<br />
  222. <input type="text" name="username" value="<?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>" /><br />
  223. E-Mail Address:<br />
  224. <input type="text" name="email" value="<?php echo htmlentities($_SESSION['user']['email'], ENT_QUOTES, 'UTF-8'); ?>" />
  225. <br /><br />
  226. Password:<br />
  227. <input type="password" name="password" value="" /><br />
  228. <i>(leave blank if you do not want to change your password)</i>
  229. <br /><br />
  230. <input type="submit" value="Submit Changes" />
  231. </form>
  232. </center>
  233. </div>
  234. <?php
  235. include ('include/footer.php');
  236. ?>
  237. </body>
  238. </html>