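<?php
// First we execute our common code to connect to the database and start the session.
// common.php is expected to provide $db (a PDO connection) and an active session;
// everything below relies on both.
$commonPath = $_SERVER['DOCUMENT_ROOT'];
$commonPath .= "/include/common.php";
require($commonPath);

// At the top of the page we check to see whether the user is logged in or not.
if(empty($_SESSION['user']))
{
    // If they are not, we redirect them to the login page.
    header("Location: include/login.php");

    // Remember that this die statement is absolutely critical. Without it,
    // people can view your members-only content without logging in.
    die("Redirecting to login.php");
}

// This if statement checks to determine whether the edit form has been submitted.
// If it has, then the account updating code is run, otherwise the form is displayed.
//
// NOTE(review): the form further down carries no anti-CSRF token, so a POST
// forged from another site would be accepted by this branch. Adding a per-session
// token to the form and checking it here is the recommended follow-up.
if(!empty($_POST))
{
    // Read the submitted fields once so that a missing key cannot raise an
    // "undefined index" notice further down.
    $email    = isset($_POST['email'])    ? $_POST['email']    : '';
    $username = isset($_POST['username']) ? $_POST['username'] : '';

    // Make sure the user entered a valid E-Mail address.
    if(!filter_var($email, FILTER_VALIDATE_EMAIL))
    {
        die("Invalid E-Mail Address");
    }

    // Without this check a blank username would be written straight into the
    // users table by the UPDATE below.
    if($username === '')
    {
        die("Invalid username");
    }

    // If the user is changing their E-Mail address, we need to make sure that
    // the new value does not conflict with a value that is already in the system.
    // If the user is not changing their E-Mail address this check is not needed.
    if($email !== $_SESSION['user']['email'])
    {
        // Define our SQL query.
        $query = "
            SELECT
                1
            FROM users
            WHERE
                email = :email
        ";

        // Define our query parameter values.
        $query_params = array(
            ':email' => $email
        );

        try
        {
            // Execute the query.
            $stmt = $db->prepare($query);
            $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            // Note: On a production website, you should not output $ex->getMessage().
            // It may provide an attacker with helpful information about your code.
            die("Failed to run query: " . $ex->getMessage());
        }

        // Retrieve results (if any).
        $row = $stmt->fetch();

        if($row)
        {
            die("This E-Mail address is already in use");
        }
    }

    // Same uniqueness check for the username, again only when it is changing.
    if($username !== $_SESSION['user']['username'])
    {
        // Define our SQL query.
        $query = "
            SELECT
                1
            FROM users
            WHERE
                username = :username
        ";

        // Define our query parameter values.
        $query_params = array(
            ':username' => $username
        );

        try
        {
            // Execute the query.
            $stmt = $db->prepare($query);
            $stmt->execute($query_params);
        }
        catch(PDOException $ex)
        {
            // Note: On a production website, you should not output $ex->getMessage().
            // It may provide an attacker with helpful information about your code.
            die("Failed to run query: " . $ex->getMessage());
        }

        // Retrieve results (if any).
        $row = $stmt->fetch();

        if($row)
        {
            die("This username is already in use");
        }
    }

    // If the user entered a new password, we need to hash it and generate a fresh salt
    // for good measure.
    //
    // NOTE(review): this salted, iterated SHA-256 scheme must stay identical to the
    // one include/login.php verifies against, so it is left unchanged here. mt_rand()
    // is not a cryptographically secure generator; the recommended migration is to
    // password_hash()/password_verify() applied in both files at the same time.
    if(!empty($_POST['password']))
    {
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $_POST['password'] . $salt);

        for($round = 0; $round < 65536; $round++)
        {
            $password = hash('sha256', $password . $salt);
        }
    }
    else
    {
        // If the user did not enter a new password we will not update their old one.
        $password = null;
        $salt = null;
    }

    // Initial query parameter values. Every token used in the UPDATE statement
    // below must have a matching entry here, otherwise PDO rejects the execute.
    $query_params = array(
        ':email'    => $email,
        ':username' => $username,
        ':user_id'  => $_SESSION['user']['id'],
    );

    // If the user is changing their password, then we need parameter values
    // for the new password hash and salt too.
    if($password !== null)
    {
        $query_params[':password'] = $password;
        $query_params[':salt'] = $salt;
    }

    // Note how this is only the first half of the necessary update query. We
    // dynamically construct the rest of it depending on whether or not the user
    // is changing their password.
    //
    // Bug fix: the previous version built two separate statements, one setting
    // email and one setting username, and the second assignment overwrote the
    // first. The E-Mail address was therefore never written, and :username had
    // no bound value while :email was bound but unused. Both columns are now
    // set in a single statement.
    $query = "
        UPDATE users
        SET
            email = :email,
            username = :username
    ";

    // If the user is changing their password, then we extend the SQL query
    // to include the password and salt columns and parameter tokens too.
    if($password !== null)
    {
        $query .= "
            , password = :password
            , salt = :salt
        ";
    }

    // Finally we finish the update query by specifying that we only wish
    // to update the one record for the current user.
    $query .= "
        WHERE
            id = :user_id
    ";

    try
    {
        // Execute the query.
        $stmt = $db->prepare($query);
        $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        // Note: On a production website, you should not output $ex->getMessage().
        // It may provide an attacker with helpful information about your code.
        die("Failed to run query: " . $ex->getMessage());
    }

    // Now that the user's E-Mail address and username may have changed, the data
    // stored in the $_SESSION array is stale; we need to update it so that it is accurate.
    $_SESSION['user']['email'] = $email;
    $_SESSION['user']['username'] = $username;

    // This redirects the user back to the members-only page after they save their changes.
    header("Location: include/private.php");

    // Calling die or exit after performing a redirect using the header function
    // is critical. The rest of your PHP script will continue to execute and
    // will be sent to the user if you do not die or exit.
    die("Redirecting to private.php");
}
?>
<!doctype html>
<html lang="en">
<head>
    <title>Kieron Sutton - Web Developer</title>
    <!-- Main Website Stylesheet -->
    <link rel="stylesheet" type="text/css" href="css/styles.css" />
    <!-- Google Font -->
    <link href='https://fonts.googleapis.com/css?family=Open+Sans:400,300' rel='stylesheet' type='text/css'>
    <!-- Third-party scripts: loaded over https so they cannot be altered in transit
         (the previous http:// URLs would also be blocked as mixed content on an https page). -->
    <script src="https://code.jquery.com/jquery-1.8.2.js"></script>
    <script src="https://code.jquery.com/ui/1.9.1/jquery-ui.js"></script>
</head>
<body>
<?php
include ('include/header.php');
include ('include/slider.php'); ?>
    <div id="edit-account">
        <h1>Edit Account</h1>
        <center>
            <form action="edit_account.php" method="post">
                Username:<br />
                <b><?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?></b>
                <br /><br />
                Change Username:<br />
                <input type="text" name="username" value="<?php echo htmlentities($_SESSION['user']['username'], ENT_QUOTES, 'UTF-8'); ?>" /><br />
                E-Mail Address:<br />
                <input type="text" name="email" value="<?php echo htmlentities($_SESSION['user']['email'], ENT_QUOTES, 'UTF-8'); ?>" />
                <br /><br />
                Password:<br />
                <input type="password" name="password" value="" /><br />
                <i>(leave blank if you do not want to change your password)</i>
                <br /><br />
                <input type="submit" value="Submit Changes" />
            </form>
        </center>
    </div>
<?php
include ('include/footer.php');
?>
</body>
</html>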