Page 1 of 1

**fixed**help with password change**fixed**

Posted: Sat Apr 03, 2010 3:11 am
by Obadiah
hello devnet, as I told you Ive had to make some new changes to my database and I was trying to use a bit of old coding for a new project...this time im attempting to allow the user to change his password...however for some reason my code is returning a false value and im not quite sure why...can anyone assist me on this?

Code: Select all

$conn = doDB(); 
$sPassword = hash('md5',$_POST['new_password']); 
$sql = "Select user_id, user_pass FROM Users WHERE user_id = '{$_SESSION['logname']}' AND user_pass = '$sPassword'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result)) 
{ 
        $user_pass = $newArray['user_pass']; 
        $user_id = $newArray['user_id']; 
}

$user_name = null; 
$nPassword = md5($_POST['new_password']); 
if (!is_null($user_name)) { 
  $sql = "UPDATE Users SET user_pass = '$nPassword' WHERE user_pass = '$sPassword' AND user_id= '{$_SESSION['logname']}'" ; 
  $result = mysql_query($sql,$conn) or die(mysql_error()); 
  header("Location: changed.php"); 
  exit;
} 
else 
{ 
	
  echo"incorrect password matchup please try again";
  
} 
ive echoed all the variables to troubleshoot...and i cant figure it out to save my life

Re: help with password change

Posted: Sat Apr 03, 2010 3:16 am
by requinix
Is it just me or are you using the new password hash in that first SELECT?

Code: Select all

$sPassword = hash('md5',$_POST['new_password']);
Should that be, like, "old_password" instead?

Re: help with password change

Posted: Sat Apr 03, 2010 7:24 am
by Obadiah
aaah if life in php was that simple for me...it still doesnt like it

Code: Select all

<form action="password_update.php" method="post">
<table border="1" bgcolor="blue" bordercolor="ivory">
<tr>
<td align="center" width="162" style="color:white; font-size:12px;"> Enter Current Password</td>
</tr>
<tr>
<td><input type="password" name="old_password" size="12"></td>
</tr>
</tr>
<td align="center" width="162" style="color:white; font-size:12px;"> Enter New Password</td>
</tr>
<tr>
<td><input type="password" name="new_password" size="12"></td>
</tr>
</table>
<input type="submit" value="submit">

Code: Select all

$conn = doDB(); 
$sPassword = hash('md5',$_POST['old_password']); 
$sql = "Select user_id, user_pass FROM Users WHERE user_id = '{$_SESSION['logname']}' AND user_pass = '$sPassword'";
$result = mysql_query($sql,$conn) or die(mysql_error()); 
while ($newArray = mysql_fetch_array($result)) 
{ 
        $user_pass = $newArray['user_pass']; 
        $user_id = $newArray['user_id']; 
}

$user_name = null; 
echo"$user_name";
$nPassword = md5($_POST['new_password']); 
if (!is_null($user_name)) { 
  $sql = "UPDATE Users SET user_pass = '$nPassword' WHERE user_pass = '$sPassword' AND user_id= '{$_SESSION['logname']}'" ; 
  $result = mysql_query($sql,$conn) or die(mysql_error()); 
  header("Location: changed.php"); 
  exit;
} 
else 
{ 
	
  echo"incorrect password matchup please try again";
  
} 
it still returns a false value!

Re: help with password change

Posted: Sat Apr 03, 2010 1:14 pm
by requinix
Uh...

Code: Select all

$user_name = null;
if (!is_null($user_name)) {

Re: help with password change

Posted: Sat Apr 03, 2010 4:28 pm
by Obadiah
tasairis wrote:Uh...

Code: Select all

$user_name = null;
if (!is_null($user_name)) {
that user name i was meaning to set to $user_id....which still returns a false value :banghead:

Re: help with password change

Posted: Sat Apr 03, 2010 6:20 pm
by requinix
Rather than guess and check, how about rewriting the code to something much simpler?

Something such as

Code: Select all

$conn = doDB();
$old = md5($_POST["old_password"]);
$new = md5($_POST["new_password"]);

mysql_query("UPDATE `Users` SET `user_pass` = '{$new}' WHERE `user_id` = '{$_SESSION['logname']}' AND `user_pass` = '{$old}'", $conn);
if (mysql_affected_rows($conn)) {
	header("Location: changed.php");
	exit;
} else {
	echo "incorrect password matchup please try again";
}
And are you sure that the user_id in the session is called "logname"? It suggests to me that the former is a number and the latter is a username.

I assume you're also checking that the new password isn't too short or even empty...

Re: help with password change

Posted: Sat Apr 03, 2010 7:43 pm
by Obadiah
tasairis wrote:Rather than guess and check, how about rewriting the code to something much simpler?

Something such as

Code: Select all

$conn = doDB();
$old = md5($_POST["old_password"]);
$new = md5($_POST["new_password"]);

mysql_query("UPDATE `Users` SET `user_pass` = '{$new}' WHERE `user_id` = '{$_SESSION['logname']}' AND `user_pass` = '{$old}'", $conn);
if (mysql_affected_rows($conn)) {
	header("Location: changed.php");
	exit;
} else {
	echo "incorrect password matchup please try again";
}
And are you sure that the user_id in the session is called "logname"? It suggests to me that the former is a number and the latter is a username.

I assume you're also checking that the new password isn't too short or even empty...
it returns true...however the password remains the same as the old password

Re: help with password change

Posted: Sat Apr 03, 2010 11:03 pm
by Obadiah
i have changed my entire code around...and EVERYTHING works until it gets to the UPDATE...its like something is blocking the code from changing the password...i have no clue as to what could be causing it not to allow updating..what am I missing?

my fields are as follows

Code: Select all

user_id varchar(8) latin1_swedish_ci  No None                
user_pass char(255) latin1_swedish_ci  No None                
user_mail varchar(55) latin1_swedish_ci  No None                
fusername text latin1_swedish_ci  No None                
user_ext int(4)   No None                
createDate date   No None 

Code: Select all

<?php 
session_start(); 
error_reporting(E_ALL); 
ini_set('display_errors', 1); 

function doDB() 
{ 
    $conn = mysql_connect("localhost","root","") or die(mysql_error()); 
    mysql_select_db("helpdata",$conn) or die(mysql_error()); 
    return $conn; 
} 
$user = $_SESSION['logname'];
if ($user)
{
	//user is logged in
	//echo"$user ";
	if ($_POST['submit'])
	{
		//echo"test ";
		//check fields
		$oldpassword = md5($_POST['oldpassword']);
		$newpassword = md5($_POST['newpassword']);
		$repeatnewpassword = md5($_POST['repeatnewpassword']);
		//echo "<br>$oldpassword<br>$newpassword<br>$repeatnewpassword";
		
		//check password against db
		
		//connect to db
		$conn = doDB();
		$queryget = mysql_query("SELECT user_pass FROM users WHERE user_id='$user'") or die("Query is broken");
		$row = mysql_fetch_assoc($queryget);
		
		$oldpassworddb = $row['user_pass'];
		
			//check passwords
		if($oldpassword==$oldpassworddb)
		{
			//check 2 new passwords
			if ($newpassword==$repeatnewpassword)
			{
				//success
				//change password in database
				//echo "<br>success";
				
				
				//this is where its broken? but why
				$querychange=mysql_query("UPDATE users SET password='$newpassword' WHERE user_id='$user'");
				session_destroy();
				die("Your password has been changed.<a href='index.php'>Return</a>to the login");
			}
			else
				die("New passwords do not match...please try again");
		}
		
		else
			die("old password doesent match");
	}
	else
	{
	echo"
	<form action='password_update2.php' method='POST'>
			Old password:<input type='text' name='oldpassword'><p>
			New password:<input type='password' name='newpassword'><br>
			Repeat new password:<input type='password' name='repeatnewpassword'><br>
			<input type ='submit' name='submit' value='Change Password'>
	";
	}
}
else
	die("you must be logged in to change your password")
?>

Re: help with password change

Posted: Sat Apr 03, 2010 11:21 pm
by Obadiah
:crazy: once again devnet....im a dum dum...ive got it working...LOL :drunk: