Changing Password script.

NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Changing Password script.

Post by NightFall »

I'm trying to create a script to change a password in a SQL DB. I've made the forms, and another page changepassword.php, but the script doesn't work.

Code: Select all

      
 <?
include 'db.php';

$username=$_POST['username'];
$old_password=$_POST['old_password'];
$new_password=$_POST['new_password'];
$check_password=$_POST['check_password'];

$username=stripslashes($username);
$old_password=stripslashes($old_password);
$new_password=stripslashes($new_password);
$check_password=stripslashes($check_password);

if ((!$username) ||(!$old_password) || (!$new_password) || (!$check_password))
{
if (!$username){ echo "Nu ati introdus Username-ul <br>";
}
if (!$old_password){echo "Nu ati introdus Vechea Parola<br>";
}
if(!($new_password==$check_password))
{
echo "Parolele introduse nu corespund<br>";
unset($new_password);
unset($old_password);
}

include 'chpass.php';

exit();
}



$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");

if(($sql_username>0) & ($sql_username>0)){
mysql_query("UPDATE users SET password=sql_password
WHERE username=$sql_username");
		}
		else{

if ($username==0) {
echo " Username-ul introdus nu se afla in baza de date,br>";
unset($username);
}

if($sql_password == 0) {
echo" Vechea parola introdusa nu este corecta. Reincercati<br>";
unset($old_password);
}
}
?>

Can anyone see what's wrong and help me out?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

What's going on here?

Code: Select all

$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");

if(($sql_username>0) & ($sql_username>0)){
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

I'm checking if the username and the password are in the database.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

No, you're not. Look closer.

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
This should almost certainly read as

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE password='md5($old_password)'");
I'm not sure what you're trying to do with the bitwise comparison here.

Code: Select all

if(($sql_username>0) & ($sql_username>0)){
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

You're right here, I wanted to put password, not username.

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
And with that comparison I'm checking if the username and the password are in the DB. At least that's what I tried to do.
Can you give me an idea about how to update the new password? Even if you erase that "if".
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

Code: Select all

<?php

include 'db.php';

$username       = mysql_real_escape_string($_POST['username']);
// We're hashing these anyway
$old_password   = $_POST['old_password'];
$new_password   = $_POST['new_password'];
$check_password = $_POST['check_password'];

if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
{
    if (!$username)
    {
        echo "Nu ati introdus Username-ul <br>";
    }
    if (!$old_password)
    {
        echo "Nu ati introdus Vechea Parola<br>";
    }
    if (!($new_password == $check_password))
    {
        echo "Parolele introduse nu corespund<br>";
        unset($new_password);
        unset($old_password);
    }

    include 'chpass.php';

    exit();
}


/*
$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
 * 
 */

// Let's do this in one step.
$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = 'MD5({$password})'";
list($count) = mysql_fetch_row(mysql_query($query));

// We've found a match, so let's update the password
if ($count)
{
    $query = "UPDATE users SET password = 'MD5({$new_password})' WHERE username = '{$username}'";
    mysql_query($query);
}
else
{
    // Error condition. Don't tell them specifically if username or password weren't found.
}
?>
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

It's not working. I get this message
A system error occurred. We apologize for the inconvenience.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

I don't see any obvious mistakes and that error message is useless.

EDIT: Looks like I buggered up the quotes in the MD5 call. Move them inside MD5().
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

Do you mean like this?

Code: Select all

$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$password}')";

Code: Select all

$query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
It still doesn't work. I don't see any mistake.
Anyway, I appreciate your help. :)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

Yes, I meant like that. What do you mean by "it doesn't work"? Same uninformative error message as before, or something else?
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

It's the same error. Can it be an error from my server, or is it the script that's not working?
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

There's no error like that in the script itself. Have you checked your server logs to see if there's any additional information provided?
NightFall
Forum Newbie
Posts: 7
Joined: Tue Mar 13, 2012 9:18 am

Re: Changing Password script.

Post by NightFall »

My server moves really slow, I'll try this script on localhost, hopefully it'll work. Thanks a lot. :)
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Changing Password script.

Post by Celauran »

I've modified it slightly so I could test it on my machine, but it's working fine for me.

Code: Select all

<?php

// include 'db.php';
mysql_connect('localhost', '*****', '*****');
mysql_select_db('*****');

if (!empty($_POST))
{
    $username       = mysql_real_escape_string($_POST['username']);
    // We're hashing these anyway
    $old_password   = $_POST['old_password'];
    $new_password   = $_POST['new_password'];
    $check_password = $_POST['check_password'];

    if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
    {
        if (!$username)
        {
            echo "Nu ati introdus Username-ul <br>";
        }
        if (!$old_password)
        {
            echo "Nu ati introdus Vechea Parola<br>";
        }
        if (!($new_password == $check_password))
        {
            echo "Parolele introduse nu corespund<br>";
            unset($new_password);
            unset($old_password);
        }

        // include 'chpass.php';

        exit();
    }


    /*
      $sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
      $sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
     *
     */

    // Let's do this in one step.
    $query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$old_password}')";
    list($count) = mysql_fetch_row(mysql_query($query));

    // We've found a match, so let's update the password
    if ($count)
    {
        $query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
        mysql_query($query);
    }
    else
    {
        // Error condition. Don't tell them specifically if username or password weren't found.
        echo "Errors. Rawr!!";
    }
}
?>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Debug</title>
    </head>
    <body>
        <form action="" method="post">
            Username: <input type="text" name="username" />
            Old Password: <input type="password" name="old_password" />
            New Password: <input type="password" name="new_password" />
            Confirm Password: <input type="password" name="check_password" />
            <input type="submit" value="Submit" />
        </form>
    </body>
</html>
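
An added example, not part of any post in this thread: the scripts above place the raw old and new passwords inside the SQL string and store unsalted MD5, so this version of the same flow binds every value as a parameter and uses PHP's password_hash()/password_verify(). The PDO SQLite in-memory database, the function name change_password and the sample account are assumptions made so the script runs on its own; the users(username, password) layout follows the thread.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database and
// the sample account are constructed; the table layout follows the thread.

function change_password(PDO $pdo, string $username, string $old, string $new, string $check): bool
{
    // Reject empty fields and a mismatched confirmation before touching the DB.
    if ($username === '' || $old === '' || $new === '' || $new !== $check) {
        return false;
    }

    // Placeholders keep every user-supplied value out of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    // Same failure result for an unknown user and for a wrong old password.
    if ($stored === false || !password_verify($old, $stored)) {
        return false;
    }

    // Salted, slow hash computed in PHP instead of MD5() inside the query.
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return $stmt->rowCount() === 1;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Constructed inputs. A wrong password containing a quote is handled as data
// and simply fails verification; it cannot break or alter the statement.
var_dump(change_password($pdo, 'alice', "it's-wrong", 'n3w-secret', 'n3w-secret'));
// Correct old password: the stored hash is replaced.
var_dump(change_password($pdo, 'alice', 'old-secret', 'n3w-secret', 'n3w-secret'));
// The old password no longer verifies after the change.
var_dump(change_password($pdo, 'alice', 'old-secret', 'again', 'again'));
```

Existing rows that hold MD5 values will not verify with password_verify(), so accounts created by the thread's scripts would need their passwords reset or rehashed at next login.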