verifying user exists before trying to update

app/controllers/users_controller.rb

@@ -1,12 +1,12 @@
 class UsersController < ApplicationController
-  
+
   skip_before_filter :has_info
   skip_before_filter :authenticated, :only => [:new, :create]
-  
+
   def new
     @user = User.new
   end
-  
+
   def create
     user = User.new(params[:user])
     user.build_benefits_data
@@ -19,32 +19,37 @@ class UsersController < ApplicationController
       redirect_to :sign_up
     end
   end
-  
+
   def account_settings
     @user = current_user
   end
-  
+
   def update
     message = false
     #Safest
     # user = current_user
-    
+
     # Still an Insecure DoR vulnerability
     #user = User.find(:first, :conditions => ["user_id = ?", "#{params[:user][:user_id]}"])
-    
+
     user = User.find(:first, :conditions => "user_id = '#{params[:user][:user_id]}'")
-    user.skip_user_id_assign = true
-    user.skip_hash_password = true
-    user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
-    if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
-      user.skip_hash_password = false
-      user.password = params[:user][:password]
-    end 
-    message = true if user.save!
-    respond_to do |format|
-      format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
-      format.json { render :json => {:msg => message ? "success" : "false "} }
+    if user
+      user.skip_user_id_assign = true
+      user.skip_hash_password = true
+      user.update_attributes(params[:user].reject { |k| %w(password password_confirmation user_id).include? k })
+      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
+        user.skip_hash_password = false
+        user.password = params[:user][:password]
+      end
+      message = true if user.save!
+      respond_to do |format|
+        format.html { redirect_to user_account_settings_path(:user_id => current_user.user_id) }
+        format.json { render :json => {:msg => message ? "success" : "false "} }
+      end
+    else
+      flash[:error] = "Could not update user!"
+      redirect_to user_account_settings_path(:user_id => current_user.user_id)
     end
   end
-  
-end
+
+end