Change Password

noobkris
Forum Newbie
Posts: 1
Joined: Wed Mar 07, 2012 1:01 am

Change Password

Post by noobkris »

Hi! I'm new to PHP and I'm trying to make a registration system. I have this code that I used, which I got from different tutorial sites. But my problem is my change password script doesn't work. Please help me. I wanna learn!

change2.php (My change password script)

Code:

<?php

if(isset($_COOKIE['ID_my_site']))
//if there is, it logs you in and directs you to the members page
{
    $username = $_COOKIE['ID_my_site'];
    $pass = $_COOKIE['Key_my_site'];
    include ('data_con.php');

    if (isset($_POST['submit'])) {
        if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {
            die('You did not complete all of the required fields.<a href="change2.php">Back.</a>');
        }

        if ($_POST['pass'] != $_POST['pass2']) {
            die('Your passwords did not match. ');
        }

        $_POST['pass'] = ($_POST['pass2']);
        if (!get_magic_quotes_gpc()) {
            $_POST['pass'] = addslashes($_POST['pass2']);
            $_POST['username'] = addslashes($_POST['username']);
        }

        $insert = "INSERT INTO users (username,pass,pass2)
                   VALUES('".$_POST['username']."','".$_POST['pass']."','".$_POST['pass']."','2')";
        mysql_query($insert);
        ?>
        <?php
    } else {
        ?>
        <?php
        echo "<form method=post name=f1 action='editsavepass.php'>";
        echo "<input name = username id = username readonly  type='hidden' ><br><br><br>";

        echo "<center>";
        //echo "Enrollment no  :  " . "$row[1]  <br><br><br>";
        echo "<font color = red> New Password </font> :  " . "<input type=password name=pass size=40 maxlength=40><br><br><br>";

        //echo "Street  :  " . "$row[12]  <br><br><br>";
        echo "<font color = red> Confirm Password </font> :  " . "<input type=password name=pass2 size=40 maxlength=40><br><br><br>";

        echo "<input type=submit value=Submit>";
        echo "</center>";

        echo "</form>";
    }
}
else
{
}
?>
			
			  
editsavepass.php (My verification)

Code:

    <?php
    $username=$_REQUEST['username'];
    $pass=$_REQUEST['pass'];
    $pass2=$_REQUEST['pass2'];

    $link=mysql_connect("localhost","root","") or die("Cannot Connect to the database!");
    mysql_select_db("nstpreg",$link) or die ("Cannot select the database!");
    $Query="UPDATE users SET  pass='".$pass."', pass2='".$pass2."' WHERE username='".$username."'";

    if(!mysql_query($Query,$link))
    {
        die ("An unexpected error occured while saving the record, Please try again!<a href='all.php'>Go Back </a>");
    }
    else
    {
        echo "Record updated successfully!<a href='profile.php'>Go Back </a>";
    }
    ?>

      
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Change Password

Post by requinix »

Oh dear, let me count the problems with those scripts.

change2.php
  • User's password is stored in plaintext in a cookie
  • Will trigger PHP warnings if the username, pass, or pass2 were not passed in the form
  • Will fail if the username or either password is the string "0"
  • Error messages are handled with die()s
  • Uses addslashes() instead of mysql_real_escape_string()
  • Does an INSERT into the users table when it should probably be UPDATEing
  • INSERT query names three columns but provides four values
  • Puts the username whose password you're changing right into the form
  • Doesn't validate that the username is the logged-in user's
  • Uses <center> and <font> tags
  • Doesn't name the submit button when the code expects it to
  • Does absolutely nothing if the user isn't logged in
editsavepass.php
  • Leading whitespace before the opening <?php
  • Includes the database connection stuff manually rather than use the data_con.php which (I assume) it should
  • Doesn't validate anything: not the username, passwords, cookies, anything
  • Vulnerable to SQL injection
  • Error message is handled with a die()
If you're going to learn then find a different tuto-- no, a different site to get code from.
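
Added example (not part of any post in this thread and not code from the tutorial sites): one way to write the password update so that it avoids the issues listed above. It uses PDO prepared statements in place of the mysql_real_escape_string() escaping named in the list, takes the username from the server-side session, and stores a password_hash() value. The function name changePassword(), the two-column users table, the in-memory SQLite database and the sample account are assumptions made for illustration.

```php
<?php
// Added example; changePassword() and all sample data below are hypothetical.
declare(strict_types=1);

function changePassword(PDO $db, ?string $sessionUser, string $current, string $new, string $confirm): string
{
    // Identity comes from the server-side session, never from a form field or cookie.
    if ($sessionUser === null) {
        return 'not logged in';
    }
    // Compare against '' so that a value of "0" is not treated as missing.
    if ($current === '' || $new === '' || $confirm === '') {
        return 'missing field';
    }
    if ($new !== $confirm) {
        return 'passwords do not match';
    }
    // Placeholders keep user input out of the SQL text, so no manual escaping is needed.
    $stmt = $db->prepare('SELECT pass FROM users WHERE username = ?');
    $stmt->execute([$sessionUser]);
    $hash = $stmt->fetchColumn();
    // Design choice of this example: require the current password before changing it.
    if ($hash === false || !password_verify($current, $hash)) {
        return 'current password incorrect';
    }
    // UPDATE the existing row (not INSERT) and store only a hash of the new password.
    $stmt = $db->prepare('UPDATE users SET pass = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $sessionUser]);
    return $stmt->rowCount() === 1 ? 'ok' : 'update failed';
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// In a real page the first argument would be: $_SESSION['username'] ?? null
echo changePassword($db, 'alice', 'old-secret', '0', '0'), PHP_EOL;   // "0" is a valid password value
echo changePassword($db, 'alice', 'wrong-guess', 'x', 'x'), PHP_EOL;  // wrong current password is rejected
echo changePassword($db, 'alice', '0', "x' OR '1'='1", "x' OR '1'='1"), PHP_EOL; // quotes are stored as data
echo changePassword($db, null, 'a', 'b', 'b'), PHP_EOL;               // no session, no change
```

Errors are returned as strings so the calling page can render them in its own layout instead of stopping with die().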
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Change Password

Post by social_experiment »

noobkris wrote: But my problem is my change password script doesn't work
You will have to be a bit more specific about what is / isn't happening; looking at the code, it seems the script is creating a new row each time instead of updating existing ones.

Have a look at the list by requinix; the script is sub-standard and it might be better if you create a new script. The only things you are likely to learn from this script are bad coding habits.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering