Page 1 of 1

Change Password

Posted: Wed Mar 07, 2012 1:13 am
by noobkris
Hi! Im new in php and i try to make a registration system.I have this code that i used that i got from different tutorial site.But my problem is my change password script doesnt work. Please help me.I wanna learn!

change2.php (My change password script)

Code: Select all

 <?php
   
   if(isset($_COOKIE['ID_my_site']))


 //if there is, it logs you in and directes you to the members page

 { 
 	$username = $_COOKIE['ID_my_site']; 

 	$pass = $_COOKIE['Key_my_site'];
include ('data_con.php');


    if (isset($_POST['submit'])) {
	if (!$_POST['username'] | !$_POST['pass'] | !$_POST['pass2'] ) {

 		die('You did not complete all of the required fields.<a href="change2.php">Back.</a>');

 	}
	
 	



 	if ($_POST['pass'] != $_POST['pass2']) {

 		die('Your passwords did not match. ');

 	}





 	$_POST['pass'] = ($_POST['pass2']);
	if (!get_magic_quotes_gpc()) {
	$_POST['pass'] = addslashes($_POST['pass2']);
	$_POST['username'] = addslashes($_POST['username']);
	}



 
	
    $insert = "INSERT INTO users (username,pass,pass2)
			   VALUES('".$_POST['username']."','".$_POST['pass']."','".$_POST['pass']."','2')";
			   mysql_query($insert);
			   ?>
			   <?php
    } else {
    ?>
	<?php
	echo "<form method=post name=f1 action='editsavepass.php'>";
					echo "<input name = username id = username readonly  type='hidden' ><br><br><br>";

			echo "<center>";		
				//echo "Enrollment no  :  " . "$row[1]  <br><br><br>";
				echo "<font color = red> New Password </font> :  " . "<input type=password name=pass size=40 maxlength=40><br><br><br>";
				
				//echo "Street  :  " . "$row[12]  <br><br><br>";
				echo "<font color = red> Confirm Password </font> :  " . "<input type=password name=pass2 size=40 maxlength=40><br><br><br>";
				
				
				
                echo "<input type=submit value=Submit>";
			echo "</center>";
			
echo "</form>";
				}	
			
			}	
				
			
			else
			{
				
			}	
			
			
		
			
			
				
					?>
			
			  
editsavepass.php (My verification)

Code: Select all




    <?php 
	 $username=$_REQUEST['username'];
 
	 $pass=$_REQUEST['pass']; 
     $pass2=$_REQUEST['pass2'];

	 
	 
	 $link=mysql_connect("localhost","root","") or die("Cannot Connect to the database!");
	
	 mysql_select_db("nstpreg",$link) or die ("Cannot select the database!");
	 $Query="UPDATE users SET  pass='".$pass."', pass2='".$pass2."' WHERE username='".$username."'";
		
		  if(!mysql_query($Query,$link))
		  {die ("An unexpected error occured while saving the record, Please try again!<a href='all.php'>Go Back </a>");}
		  else
		 {
		  echo "Record updated successfully!<a href='profile.php'>Go Back </a>";}
	 ?>

      

Re: Change Password

Posted: Wed Mar 07, 2012 4:06 am
by requinix
Oh dear, let me count the problems with those scripts.

change2.php
  • User's password is stored in plaintext in a cookie
  • Will trigger PHP warnings if the username, pass, or pass2 were not passed in the form
  • Will fail if the username or either password is the string "0"
  • Error messages are handled with die()s
  • Uses addslashes() instead of mysql_real_escape_string()
  • Does an INSERT into the users table when it should probably be UPDATEing
  • INSERT query names three columns but provides four values
  • Puts the username whose password you're changing right into the form
  • Doesn't validate that the username is the logged-in user's
  • Uses <center> and <font> tags
  • Doesn't name the submit button when the code expects it to
  • Does absolutely nothing if the user isn't logged in
editsavepass.php
  • Leading whitespace before the opening <?php
  • Includes the database connection stuff manually rather than use the data_con.php which (I assume) it should
  • Doesn't validate anything: not the username, passwords, cookies, anything
  • Vulnerable to SQL injection
  • Error message is handled with a die()
If you're going to learn then find a different tuto-- no, a different site to get code from.

Re: Change Password

Posted: Wed Mar 07, 2012 5:26 am
by social_experiment
noobkris wrote:But my problem is my change password script doesnt work
You will have to be a bit more specific about what is / isn't happening; looking at the code it seems the script is creating a new row each time instead of updating existing ones;

have a look at the list by requinix; the script is sub-standard and it might be better if you create a new script, the only things you are likely to learn from this script is bad coding habits