
Take a look at this ugly code.

Posted: Wed Jun 30, 2010 8:14 pm
by Smudly
Currently I'm having trouble getting the password validation on my profile page to work properly. The user is supposed to be able to change their password after typing in their password. It currently gives me the error "Invalid Password" no matter what I type. Here is the code. Any help is appreciated. (I'm not getting any SQL errors.)


<?php
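// Profile page controller, part 1: identify the logged-in user, load their
// row, and apply the "edit profile" form. The `if` blocks opened here are
// closed further down the script.
//
// NOTE(review): mysql_* was removed in PHP 7.0. The escaping below keeps this
// script safe on the API it already uses; mysqli or PDO prepared statements
// are the long-term replacement.
session_start();
include('inc/connect.php');

// The session is the only source of identity; '' means "not logged in".
$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';

// Which submit button (if any) posted the form.
// NOTE(review): nothing visible here ties the POST to a form this page issued
// (no CSRF token is checked) before the UPDATEs run.
$edit = (isset($_POST['edit']));
$passchange = (isset($_POST['passchange']));

if (!empty($username))
{
	//if user is logged in

	// Escape once for SQL. $username itself stays untouched because the
	// template prints it.
	$usernamesql = mysql_real_escape_string($username);

	$sql = mysql_query("SELECT * FROM `users` WHERE `username`='$usernamesql'");
	$row = $sql ? mysql_fetch_assoc($sql) : false;
	if (!$row)
	{
		// Query failed or no matching user: use empty fields instead of
		// indexing into `false`.
		$row = array('fname' => '', 'lname' => '', 'email' => '', 'password' => '');
	}

	$dbfname = $row['fname'];
	$dblname = $row['lname'];
	$dbemail = $row['email'];
	$dbpassword = $row['password'];

	// The field is absent unless the form was posted; hash '' in that case so
	// no undefined-index notice is raised.
	// NOTE(review): unsalted MD5 is not a suitable password hash.
	// password_hash()/password_verify() are the replacement, but switching
	// needs the stored hashes and the login/registration code (not shown
	// here) migrated together.
	$password = md5(isset($_POST['password']) ? $_POST['password'] : '');

	$error = "";

	if ($edit)
	{
		// strip_tags() then SQL-escape: these copies are for the query text only.
		$fnamenew = mysql_real_escape_string(strtolower(strip_tags(isset($_POST['fname']) ? $_POST['fname'] : '')));
		$lnamenew = mysql_real_escape_string(strtolower(strip_tags(isset($_POST['lname']) ? $_POST['lname'] : '')));
		// NOTE(review): the e-mail is stored without being validated.
		// validEmail() is declared later inside this branch, so it is not yet
		// defined at this point, and the visible script never calls it.
		$emailnew = mysql_real_escape_string(strip_tags(isset($_POST['email']) ? $_POST['email'] : ''));

		$update = "UPDATE `users` SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew' WHERE `username`='$usernamesql'";
		if (!mysql_query($update))
		{
			// Surface the failure instead of silently discarding it.
			$error = "Could not update your profile.";
		}
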
	//////////// Email Validation ////////////
	/**
	 * Checks an e-mail address for syntax and for a resolvable domain.
	 *
	 * The address is split at its last "@". The local part must be 1-64 bytes,
	 * must not start or end with a dot or contain "..", and must consist of
	 * the permitted characters (or backslash-escaped pairs) unless it is a
	 * quoted string. The domain must be 1-255 bytes of letters, digits,
	 * hyphens and dots with no "..". An address that passes is accepted only
	 * if the domain has an MX or A record.
	 *
	 * NOTE(review): the final step performs live DNS lookups, so every call
	 * with a syntactically valid address depends on the resolver. Nothing in
	 * the visible script calls this function, and it is declared inside the
	 * `if ($edit)` branch, so it only exists once that branch has run.
	 *
	 * @param string $email address to check
	 * @return bool true when the address passes every check
	 */
	function validEmail($email)
	{
		$at = strrpos($email, "@");
		if ($at === false)
		{
			// no "@" at all
			return false;
		}

		$local = substr($email, 0, $at);
		$domain = substr($email, $at + 1);
		$localLength = strlen($local);
		$domainLength = strlen($domain);

		if ($localLength < 1 || $localLength > 64)
		{
			// local part length exceeded
			return false;
		}
		if ($domainLength < 1 || $domainLength > 255)
		{
			// domain part length exceeded
			return false;
		}
		if ($local[0] == '.' || $local[$localLength - 1] == '.')
		{
			// local part starts or ends with '.'
			return false;
		}
		if (preg_match('/\\.\\./', $local))
		{
			// local part has two consecutive dots
			return false;
		}
		if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain))
		{
			// character not valid in domain part
			return false;
		}
		if (preg_match('/\\.\\./', $domain))
		{
			// domain part has two consecutive dots
			return false;
		}

		// Doubled backslashes are removed before the character checks.
		$unescaped = str_replace("\\\\", "", $local);
		if (!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/', $unescaped)
			&& !preg_match('/^"(\\\\"|[^"])+"$/', $unescaped))
		{
			// character not valid in local part and local part is not quoted
			return false;
		}

		// Syntax is fine: the domain must also resolve (MX first, then A).
		return checkdnsrr($domain, "MX") || checkdnsrr($domain, "A");
	}
	//////////// End Email Validation /////////
	
	
	
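	// Redisplay what the user submitted, not the SQL-escaped copies: the
	// output of mysql_real_escape_string() carries backslashes that belong in
	// the query text only and would otherwise appear in the form fields.
	$dbfname = isset($_POST['fname']) ? strtolower(strip_tags($_POST['fname'])) : '';
	$dblname = isset($_POST['lname']) ? strtolower(strip_tags($_POST['lname'])) : '';
	$dbemail = isset($_POST['email']) ? strip_tags($_POST['email']) : '';

	// Only report success when nothing earlier in the request recorded an error.
	if ($error === "")
	{
		$success = "Success!";
	}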
	
	}
	
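	// Change Password
	//
	// Requires the current password, then a new password typed twice.
	// The raw fields are validated before hashing: md5() of an empty string is
	// still a 32-character digest, so testing the hashes for emptiness can
	// never fail and would let an empty new password through.
	//
	// NOTE(review): unsalted MD5 is not a suitable password hash.
	// password_hash()/password_verify() are the replacement, but switching
	// needs the stored hashes and the login/registration code (not shown here)
	// migrated together.
	if ($passchange)
	{
		$passwordcur = isset($_POST['password']) ? $_POST['password'] : '';
		$passwordnewraw = isset($_POST['passwordnew']) ? $_POST['passwordnew'] : '';
		$passwordconfraw = isset($_POST['passwordconf']) ? $_POST['passwordconf'] : '';

		if ($passwordcur === '')
		{
			$error = "Please type in your Password!";
		}
		// Strict comparison: loose == compares two digests numerically when
		// both happen to look like numbers, so different hashes can match.
		else if (md5($passwordcur) !== $dbpassword)
		{
			// NOTE(review): if this fires for a known-good password, check that
			// the stored value is a full 32-character md5 hex digest produced
			// the same way at registration. Presumably a too-narrow column or a
			// different hashing step; confirm against the schema.
			$error = "Invalid Password";
		}
		else if ($passwordnewraw === '')
		{
			$error = "Please type in your New Password!";
		}
		else if ($passwordconfraw === '')
		{
			$error = "Please type in your Confirmed Password!";
		}
		else if ($passwordnewraw !== $passwordconfraw)
		{
			$error = "Your passwords do not match!";
		}
		else
		{
			// The digest is plain hex; the username is escaped because it is
			// interpolated into the statement.
			$passwordnew = md5($passwordnewraw);
			$passupdate = "UPDATE `users` SET `password`='$passwordnew' WHERE `username`='" . mysql_real_escape_string($username) . "'";

			if (mysql_query($passupdate))
			{
				$passsuccess = "Success!";
			}
			else
			{
				// Do not claim success when the statement failed.
				$error = "Could not update your password.";
			}
		}
	}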
	
}

?>

<html> 
<head> 
<title>Profile</title> 


<script type="text/javascript" language="javascript">
/**
 * keypress filter: returns true when the typed character may be entered.
 *
 * `allow` selects the permitted set. 'UserNameChar' is letters only and
 * 'UsernameChar' is letters plus digits (the two keys differ only in the
 * case of the "n"); any other value permits no printable characters.
 * Enter (13), Backspace (8) and code 0 always pass, as does any key pressed
 * while Ctrl or Alt is reported as held.
 *
 * This only limits what the browser lets the user type. A request can be
 * sent without running it, so the server must enforce the same rules.
 */
function inputLimiter(e, allow) {
    var letters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    var permitted = '';

    if (allow == 'UserNameChar') {
        permitted = letters;
    } else if (allow == 'UsernameChar') {
        permitted = letters + '1234567890';
    }

    // Legacy IE exposes the code as keyCode; other browsers use which.
    var code = parseInt(document.all ? e.keyCode : e.which);

    // Control keys are never filtered.
    if (code == 13 || code == 8 || code == 0) {
        return true;
    }

    // Leave modifier combinations alone. The loose comparison is deliberate:
    // a missing flag (undefined) is not == false and therefore also passes.
    if (e.ctrlKey != false || e.altKey != false) {
        return true;
    }

    return permitted.indexOf(String.fromCharCode(code)) != -1;
}

</script>
<style>
#container{
	width: 275px;
	margin-left: auto;
	margin-right: auto;
}
#profile{
	width: 222px;
	text-align: right;
	margin-left: auto;
	margin-right: auto;
	
}
#changepassword{
	width: 268px;
	text-align: right;
	margin-left: auto;
	margin-right: auto;
	
}
#centerpro{
	width: 60px;
	margin-left: auto;
	margin-right: auto;
}
#centerpas{
	width: 120px;
	margin-left: auto;
	margin-right: auto;
}
#center{
	width: 150px;
	margin-left: auto;
	margin-right: auto;
	text-align: center;
}
</style>
</head> 
<body> 
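<?php
// Escape every value before it is written into the page. strip_tags() removes
// tags but leaves quotes in place, so an unescaped value inside value="..."
// can end the attribute early. htmlspecialchars() with ENT_QUOTES prevents
// that. The isset() guards cover requests where the variable was never
// assigned (not logged in, or the matching form was not submitted).
$usernameHtml = htmlspecialchars(ucfirst($username), ENT_QUOTES, 'UTF-8');
$fnameHtml = htmlspecialchars(ucfirst(isset($dbfname) ? $dbfname : ''), ENT_QUOTES, 'UTF-8');
$lnameHtml = htmlspecialchars(ucfirst(isset($dblname) ? $dblname : ''), ENT_QUOTES, 'UTF-8');
$emailHtml = htmlspecialchars(ucfirst(isset($dbemail) ? $dbemail : ''), ENT_QUOTES, 'UTF-8');
$successHtml = htmlspecialchars(isset($success) ? $success : '', ENT_QUOTES, 'UTF-8');
$passmsgHtml = htmlspecialchars((isset($passsuccess) ? $passsuccess : '') . (isset($error) ? $error : ''), ENT_QUOTES, 'UTF-8');
?>
<div id="container">
<div id="profile">
	<h3 align="center">Profile</h3>
<form action="newprofile.php" method="POST"> 
    Username: <input type="text" value="<?php echo $usernameHtml; ?>" readonly="readonly"><br /> 
    First Name: <input type="text" maxlength="25" id="UserNameChar" onkeypress="return inputLimiter(event,'UserNameChar')" name="fname" value="<?php echo $fnameHtml; ?>"><br /> 
    Last Name: <input type="text" maxlength="25" id="UserNameChar" onkeypress="return inputLimiter(event,'UserNameChar')" name="lname" value="<?php echo $lnameHtml; ?>"><br /> 
    Email: <input type="text" maxlength="64" name="email" value="<?php echo $emailHtml; ?>"><br />
	<div id="centerpro"><input type="submit" name="edit" value="Submit"></div>
	<div id="center"><?php echo $successHtml; ?></div>
</div>	
	<br />
	<br />
<div id="changepassword">
	<h3 align="center">Change Password</h3>
    Password: <input type="password" maxlength="32" name="password"><br /><br /> 
    New Password: <input type="password" maxlength="32" name="passwordnew"><br /> 
    Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br /> 
	<div id="centerpas"><input type="submit" name="passchange" value="Change Password"></div>
	<div id="center"><?php echo $passmsgHtml; ?></div>
</form> 
</div>
</div>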
</body> 
</html>

Re: Take a look at this ugly code.

Posted: Thu Jul 01, 2010 1:12 am
by Benjamin
If your indentation is correct, it means that $password==$dbpassword is evaluating to false. So, that would be my starting point.

Re: Take a look at this ugly code.

Posted: Thu Jul 01, 2010 7:39 am
by eruna
Have you tried echoing the query to make sure the variables have the values you think they have?