Page 1 of 1

Changing Password script.

Posted: Tue Mar 13, 2012 9:26 am
by NightFall
I'm trying to create a script to change a password in a SQL DB. I've made the forms, and another page changepassword.php, but the script doesn't work.

Code: Select all

      
 <?
include 'db.php';

$username=$_POST['username'];
$old_password=$_POST['old_password'];
$new_password=$_POST['new_password'];
$check_password=$_POST['check_password'];

$username=stripslashes($username);
$old_password=stripslashes($old_password);
$new_password=stripslashes($new_password);
$check_password=stripslashes($check_password);

if ((!$username) ||(!$old_password) || (!$new_password) || (!$check_password))
{
if (!$username){ echo "Nu ati introdus Username-ul <br>";
}
if (!$old_password){echo "Nu ati introdus Vechea Parola<br>";
}
if(!($new_password==$check_password))
{
echo "Parolele introduse nu corespund<br>";
unset($new_password);
unset($old_password);
}

include 'chpass.php';

exit();
}



$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");

if(($sql_username>0) & ($sql_username>0)){
mysql_query("UPDATE users SET password=sql_password
WHERE username=$sql_username");
		}
		else{

if ($username==0) {
echo " Username-ul introdus nu se afla in baza de date,br>";
unset($username);
}

if($sql_password == 0) {
echo" Vechea parola introdusa nu este corecta. Reincercati<br>";
unset($old_password);
}
}
?>

Can anyone see what's wrong and help me out?

Re: Changing Password script.

Posted: Tue Mar 13, 2012 9:32 am
by Celauran
What's going on here?

Code: Select all

$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");

if(($sql_username>0) & ($sql_username>0)){

Re: Changing Password script.

Posted: Tue Mar 13, 2012 9:45 am
by NightFall
I'm checking if the username and the password are in the data base.

Re: Changing Password script.

Posted: Tue Mar 13, 2012 9:57 am
by Celauran
No, you're not. Look closer.

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
This should almost certainly read as

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE password='md5($old_password)'");
I'm not sure what you're trying to do with the bitwise comparison here.

Code: Select all

f(($sql_username>0) & ($sql_username>0)){

Re: Changing Password script.

Posted: Tue Mar 13, 2012 10:05 am
by NightFall
You're right here, I wanted to pot password, not username.

Code: Select all

$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
And with that comparison I'm checking if the username and the password are in the DB. At least that's what I tried to do.
Can you give me an idea about how to update the new password? Even if you erase that "if".

Re: Changing Password script.

Posted: Tue Mar 13, 2012 10:15 am
by Celauran

Code: Select all

<?php

include 'db.php';

$username       = mysql_real_escape_string($_POST['username']);
// We're hashing these anyway
$old_password   = $_POST['old_password'];
$new_password   = $_POST['new_password'];
$check_password = $_POST['check_password'];

if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
{
    if (!$username)
    {
        echo "Nu ati introdus Username-ul <br>";
    }
    if (!$old_password)
    {
        echo "Nu ati introdus Vechea Parola<br>";
    }
    if (!($new_password == $check_password))
    {
        echo "Parolele introduse nu corespund<br>";
        unset($new_password);
        unset($old_password);
    }

    include 'chpass.php';

    exit();
}


/*
$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
 * 
 */

// Let's do this in one step.
$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = 'MD5({$password})'";
list($count) = mysql_fetch_row(mysql_query($query));

// We've found a match, so let's update the password
if ($count)
{
    $query = "UPDATE users SET password = 'MD5({$new_password})' WHERE username = '{$username}'";
    mysql_query($query);
}
else
{
    // Error condition. Don't tell them specifically if username or password weren't found.
}
?>

Re: Changing Password script.

Posted: Tue Mar 13, 2012 10:58 am
by NightFall
It's not working. I get this message
A system error occurred. We apologize for the inconvenience.

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:07 am
by Celauran
I don't see any obvious mistakes and that error message is useless.

EDIT: Looks like I buggered up the quotes in the MD5 call. Move them inside MD5().

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:28 am
by NightFall
Do you mean like this?

Code: Select all

$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$password}')";

Code: Select all

$query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
It still doesn't work. I don't see any mistake.
Anyway, I apreciate your help. :)

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:34 am
by Celauran
Yes, I meant like that. What do you mean by "it doesn't work"? Same uninformative error message as before, or something else?

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:35 am
by NightFall
It's the same error. Can it be an error form my server or it's the script the one who's not working?

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:36 am
by Celauran
There's no error like that in the script itself. Have you checked your server logs to see if there's any additional information provided?

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:43 am
by NightFall
My server moves really slow, i'll try this script on localhost, hopefully it'll work. Thanks a lot. :)

Re: Changing Password script.

Posted: Tue Mar 13, 2012 11:50 am
by Celauran
I've modified it slightly so I could test it on my machine, but it's working fine for me.

Code: Select all

<?php

// include 'db.php';
mysql_connect('localhost', '*****', '*****');
mysql_select_db('*****');

if (!empty($_POST))
{
    $username       = mysql_real_escape_string($_POST['username']);
    // We're hashing these anyway
    $old_password   = $_POST['old_password'];
    $new_password   = $_POST['new_password'];
    $check_password = $_POST['check_password'];

    if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
    {
        if (!$username)
        {
            echo "Nu ati introdus Username-ul <br>";
        }
        if (!$old_password)
        {
            echo "Nu ati introdus Vechea Parola<br>";
        }
        if (!($new_password == $check_password))
        {
            echo "Parolele introduse nu corespund<br>";
            unset($new_password);
            unset($old_password);
        }

        // include 'chpass.php';

        exit();
    }


    /*
      $sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
      $sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
     *
     */

    // Let's do this in one step.
    $query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$old_password}')";
    list($count) = mysql_fetch_row(mysql_query($query));

    // We've found a match, so let's update the password
    if ($count)
    {
        $query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
        mysql_query($query);
    }
    else
    {
        // Error condition. Don't tell them specifically if username or password weren't found.
        echo "Errors. Rawr!!";
    }
}
?>
<!DOCTYPE html>
<html>
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
        <title>Debug</title>
    </head>
    <body>
        <form action="" method="post">
            Username: <input type="text" name="username" />
            Old Password: <input type="password" name="old_password" />
            New Password: <input type="password" name="new_password" />
            Confirm Password: <input type="password" name="check_password" />
            <input type="submit" value="Submit" />
        </form>
    </body>
</html>