Ariana

Reputation: 31

PHP update users settings

I've made a page in PHP to allow a user to change his details. So far, all of it works and so did email(

So what I'm basically trying to do is allow a user to change his details (password, email, etc.). Right now a user has to change all his details to change 1 specific thing. I want the user to be able to change his email without having to change his password.

My code:

   <title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />



<?php
session_start();



$username = $_SESSION['sess_user'];

echo '<div class="search1"><h2>'.$username.'</h2></div>';


if (isset($_SESSION['sess_user']))
{
//user is logged in

if (isset($_POST['submit']))
{
//start changing password
//check fields

$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];


$repeatnewpassword = md5($_POST['repeatnewpassword']);


//check password against db
include('../includes/config.php');

$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];

//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db

$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
$querychange = mysql_query("UPDATE login SET email='$email' WHERE   username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
else 
die("<div class='results'>New password doesn't match!</div>");

}else 
die("<div class='results'>Old password doesn't match!</div>");

}
else
{

echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password'  name='repeatnewpassword'><p>
<label>Email:</label> <input type='email'  name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
 }

 }else 
die ("You must be logged in to change your password");


?>

<img src="../images/main.jpg">

Upvotes: 0

Views: 121

Answers (2)

vsingh

Reputation: 490

  1. Show the pre-filled form first
  2. When form is posted, check for the updates in each field
  3. Update the record in DB sending just the updated fields

P.S. For the password, you may have to check the hashed version against the one stored in the DB (mostly MD5).

Upvotes: 0

Justinas

Reputation: 43451

Usually, to change a password, you first create empty fields for it. Then check if they are filled in; if so, check if valid and update the password, else just update any other details.

[html]
<input type="password" name="password" value=""/>
<input type="password" name="password_repeat" value=""/>

[php]
$updates = [];
if (!empty($_POST['password']) && !empty($_POST['password_repeat'])) {
   /* do validation */
   $pswd = sha1($saltString . $_POST['password']);
   /* string values take single quotes; backticks quote identifiers */
   $updates['password'] = "password = '{$pswd}'";
}

unset($_POST['password']);
unset($_POST['password_repeat']);

$sql = "UPDATE `tbl_table` SET ";

foreach ($_POST as $columnName => $value) {
    /* mind SQL Injection! */
    $updates[$columnName] = "{$columnName} = '{$value}'";
}

if (!empty($updates)) {
    /* append a WHERE clause for the current user, or every row is updated */
    $sql .= implode(', ', $updates);
    mysql_query($sql);
}

Upvotes: 1
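
The approach both answers describe (a blank field means "leave unchanged", and only filled-in fields are written), as an added example that is not code from the question or from either answer. It uses PDO prepared statements and password_hash() in place of mysql_query() and md5()/sha1(); update_account() is a hypothetical helper, the demo row is constructed, and it assumes stored passwords were created with password_hash().

```php
<?php
// Added example. Table and column names (login, username, password, email) and
// form field names follow the question; update_account() is a hypothetical helper.
function update_account(PDO $db, string $username, array $post): array
{
    $post = array_filter($post, 'is_string');   // drop array-valued inputs
    $stmt = $db->prepare('SELECT password FROM login WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();
    // Any change requires the current password (assumes password_hash() hashes).
    if (!is_string($storedHash) || !password_verify($post['oldpassword'] ?? '', $storedHash)) {
        return ['error' => "Old password doesn't match!"];
    }
    $set = [];                                   // column => fixed SQL fragment
    $params = [':username' => $username];
    if (($post['email'] ?? '') !== '') {         // empty field = leave unchanged
        if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
            return ['error' => 'Invalid email address'];
        }
        $set['email'] = 'email = :email';
        $params[':email'] = $post['email'];
    }
    if (($post['newpassword'] ?? '') !== '') {
        if ($post['newpassword'] !== ($post['repeatnewpassword'] ?? '')) {
            return ['error' => "New password doesn't match!"];
        }
        $set['password'] = 'password = :password';
        $params[':password'] = password_hash($post['newpassword'], PASSWORD_DEFAULT);
    }
    if ($set !== []) {
        // Column names are literals chosen above, never taken from $_POST keys.
        $sql = 'UPDATE login SET ' . implode(', ', $set) . ' WHERE username = :username';
        $db->prepare($sql)->execute($params);
    }
    return ['updated' => array_keys($set)];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT, email TEXT)');
$db->prepare('INSERT INTO login VALUES (?, ?, ?)')
   ->execute(['ariana', password_hash('old-secret', PASSWORD_DEFAULT), 'old@example.com']);

// Only the email field is filled in, so only the email column is updated.
$result = update_account($db, 'ariana', ['oldpassword' => 'old-secret', 'email' => 'new@example.com']);
print_r($result);
print_r($db->query('SELECT username, email FROM login')->fetchAll(PDO::FETCH_ASSOC));
```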
