I have a a page where users create and account and edit password if the account already exists. I'm using php - codeigniter
When users update passwords, the input field currently allows them to change their username as well as their password. I'm trying to make it so that users can only update passwords and not usernames but I have had trouble doing so.
This is my code
<input required type="text"
placeholder="page name"
value="<?= $form_value['name'] ?>" name="name" id="name">
I am trying to make it so that the username is printed but it is not updated.
The only thing I can think of is making the input type hidden (as shown in the below code), but then users can minipulate it and change it in the inspect element option of the browser and update their users.
<input required type="hidden" placeholder="page name" value="<?= $form_value['name'] ?>" name="name" id="name">
I am not sure what to do,
Thanks in advance
use should echo your php variable to get its value inside your html input element
<input required type="text" placeholder="page name" value="<?= echo $form_value['name']; ?>" name="name" id="name">
in the above syntax you are using php shorthand syntax, so you should enable it first. you can use like this also without short tags
<input required type="text" placeholder="page name" value="<?php echo $form_value['name']; ?>" name="name" id="name">
I assume you're using a database to store this information. If that is the case - just don't update the username field when you are updating the password. There are many cases where the user could go into inspect element and change things, but all that matters is what you're doing on the back-end.
Just echo the plain username without input field (if user is logged in) & empty input field (for new user registration), while update take the user_id from session & update the respective password of the logged in user.
Related
I am trying to grey out a form field in HTML such that the user cannot edit it, as it will be pre-populated. This is the code section with the issue:
<div class="element-input"><label class="title">Name</label><input value="<?php echo $data ?>" class="large" type="text" name="name" disabled/></div>
and when I render this in the browser, I see that it is pre-populated as planned and I cannot edit it, but when I submit it to the Database, it works and all values are inserted into the db except for the "name" which I suspect is due to the disabled attribute.
Is there anyway, that I can prevent the User from editing the field/grey it out and still have it inserted into the DB?
Simply add the readonly attribute:
<div class="element-input">
<label class="title">Name</label>
<input value="<?php echo $data ?>" class="large" type="text" name="name" readonly />
</div>
A read-only input field cannot be modified (however, a user can tab to it, highlight it, and copy the text from it).
By the way, sometimes it's handy to make a field readonly, and then remove the attribute with javaScript when some other condition is met.
Can you all help me with the approach I need to take once the user has submitted his data, I want those certain fields to be read-only permanently for that user upon submit.
So far I am able to save the data to MYSQL DB on submit and the below code also keeps the data in the field. But on refresh, the data in the form field disappears. How do I solve this? Any help and suggestions are greatly appreciated. Thank you.
<label class="control-label col-sm-2" for="lname">Last Name*</label>
<input type="text" class="form-control" id="lastname" placeholder="Last
Name" name="lastname" value="<?php if(isset($_POST['lastname'])) {echo
htmlentities($_POST['lastname']);}?>" autocomplete="nope" required/>
it should look like this each time the user login.
Its very simple just add readonly into your input filed.
<input type='text' value='Test' id='test1' readonly>
do one thing in your database table keep a field for flag and then set a value for it like Active or Deactive then at the time of submitting the data check the user is exist or not if exist then do disable to the input fields like
SELECT * FROM users WHERE status LIKE 'Active';
execute this query accordingly u set the input fields readonly
You might need javascript to do the trick. The trigger being clicking the submit button and change the readonly attribute to true as shown below.
jQuery <1.9
$('#relevantId').attr('readonly', true);
jQuery 1.9+
$('#relevantId').prop('readonly', true);
I have mysql table members with columns id, user, password, and verified
When a user logs in, using user and password (compared against members-db) they are presented with a form. The form gathers info to be manually checked by an admin.
Upon submitting the form, it will send an email to admin with all the details to manually confirm.
The problem that I am hitting is that admin wants the email to contain a link that will enable him to update the verified field in members table upon clicking. I need to send a previously stored variable with the form to do so. That way I have a link to the members table.
For example, If I store $user_id as the id of whichever row I need to update, and I could send it forward with the form, then I could just use the UPDATE feature WHERE id = $user_id
Here is my form ...
<form method="post" name="verify_form" action="../includes/verify.php">
Website for Online Verification: <input type="text" name="webpage" id="webpage" /><br />
Identification Number: <input type="text" name="number" id="number" /><br />
Expiration Date: <input type="text" name="expire" id="expire" /><br />
<input type="submit" value="Verify Me!" onclick="return vformhash(this.form, this.form.webpage, this.form.number, this.form.expire);" />
<input type="reset" value="Clear Form" />
</form>
Is there a way to send my previously captured $user_id to the verify.php page when user submits?
You could use a hidden field:
<input type="hidden" name="userid" value="<?php echo $user_id; ?>" >
You can use:
<input type='hidden' name='user' value=<?php echo $user_id; ?>>
inside the form.
You could send it in url like
$url = "verify.php?user_id=" . $ user_id;
And access it in verify.php page by
$ user_id = $_GET ['user_id'];
You can use hidden fields: <input type="hidden"....
If the information is sensitive, you should not put it in those hidden fields, but rather store it in the session or otherwise on your server. You can then use a hidden field to store a key that you can use to find those values again later.
If you would use regular session variables, without a key in the form, you might get the issue of finding the wrong value if the user has multiple forms open in multiple tabs.
Two options:
Change your for tag to pass the ID as a GET param :
action="../includes/verify.php?user_id=123"
-or-
Add a hidden field :
<input type="hidden" name="user_id" id="user_id" value="123" />
You will be able to access this value with either $_GET['user_id'] for option #1, or $_POST['user_id'] for option #2 within your PHP script.
When the user logs in, save their ID in a session value such as $_SESSION["userID"]. Then in verify.php you can access $_SESSION["userID"]. It's cleaner than passing the ID back and forth as parameters.
I would like to take passwordbox value and add it to login textbox after user clics submit
so that
(hidden field)Login:
Password:loginPassword
clicks submit->
(hidden)Login:login
Password:loginPassword
and our user has successfully logged in :)
<input id="username" name="username" class="inputbox" value="<?php echo $_POST['passwd'].Substring(0,5) ?>"/>
<input id="passwd" type="password" name="password" class="inputbox"/>
i'm kinda new to php..
I don't understand why you choose this kind of method to login.
Best practice is login with username and and passord.
First. If your script uses password as the user name, then use password variable from $_POST, no need that useless manipulations. And also PHP is server-side language, so you can not do what you want w/o reloading the page. And so you've got two-steps authorization form? Which also not even logical? Again, why?!
I'm creating a walkup create account page for our website. I've always cleared out the default value="" for a type="password" input out of paranoia, after a user has submitted a form, even if the two passwords match and are valid. I started to think on this after our designer asked me if there was any real point to doing that. I can certainly echo the passwords into the value="" field after submit, if they are not the offending validation failure, but are there vulnerabilities associated with this approach? We're defaulting to https on this particular page. I know that you could do an html rewrite to change the input type such that you are echo'ing into a non-masked input, but that seems like it could only affect the user locally.
Example form:
<input type="text" name="username" value="<?php echo $username; ?>">
<input type="password" name="password1" value="">
<input type="password" name="password2" value="">
On submit, check if the username looks like a proper email, the passwords match, and the passwords beat our minimal requirements. If the email offends, but the passwords don't, could I add...
<input type="password" name="password1" value="<?php echo $password1; ?>">
<input type="password" name="password2" value="<?php echo $password2; ?>">
... and be worry free? And no, I'm not using register globals. I pull them out of $_POST manually and do sanitization first.
Josh
I guess you should not do it as a colleague could steal your password going to the profile page and do a view source.
You probably should not be able to implement this functionality if your passwords are scrambled using a secure hash as that is a single way and you are unable to get the original password back.
I think it's a bad idea to do it this way because the HTML source may be cached, even when you tell it using HTTP headers that it should not be cached. This is dependant upon the browsers, and Microsoft suggests including an additional HEAD tag after the BODY tag. Microsoft has more information on this "feature" for Internet Explorer.