Changing Password script.
Posted: Tue Mar 13, 2012 9:26 am
by NightFall
I'm trying to create a script to change a password in a SQL DB. I've made the forms, and another page changepassword.php, but the script doesn't work.
Code: Select all
<?
include 'db.php';
$username=$_POST['username'];
$old_password=$_POST['old_password'];
$new_password=$_POST['new_password'];
$check_password=$_POST['check_password'];
$username=stripslashes($username);
$old_password=stripslashes($old_password);
$new_password=stripslashes($new_password);
$check_password=stripslashes($check_password);
if ((!$username) ||(!$old_password) || (!$new_password) || (!$check_password))
{
if (!$username){ echo "Nu ati introdus Username-ul <br>";
}
if (!$old_password){echo "Nu ati introdus Vechea Parola<br>";
}
if(!($new_password==$check_password))
{
echo "Parolele introduse nu corespund<br>";
unset($new_password);
unset($old_password);
}
include 'chpass.php';
exit();
}
$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
if(($sql_username>0) & ($sql_username>0)){
mysql_query("UPDATE users SET password=sql_password
WHERE username=$sql_username");
}
else{
if ($username==0) {
echo " Username-ul introdus nu se afla in baza de date,br>";
unset($username);
}
if($sql_password == 0) {
echo" Vechea parola introdusa nu este corecta. Reincercati<br>";
unset($old_password);
}
}
?>
Can anyone see what's wrong and help me out?
Re: Changing Password script.
Posted: Tue Mar 13, 2012 9:32 am
by Celauran
What's going on here?
Code: Select all
$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
if(($sql_username>0) & ($sql_username>0)){
Re: Changing Password script.
Posted: Tue Mar 13, 2012 9:45 am
by NightFall
I'm checking if the username and the password are in the database.
Re: Changing Password script.
Posted: Tue Mar 13, 2012 9:57 am
by Celauran
No, you're not. Look closer.
Code: Select all
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
This should almost certainly read as
Code: Select all
$sql_password = mysql_query("SELECT password FROM users WHERE password='md5($old_password)'");
I'm not sure what you're trying to do with the bitwise comparison here.
Code: Select all
if(($sql_username>0) & ($sql_username>0)){
Re: Changing Password script.
Posted: Tue Mar 13, 2012 10:05 am
by NightFall
You're right here, I wanted to put password, not username.
Code: Select all
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
And with that comparison I'm checking if the username and the password are in the DB. At least that's what I tried to do.
Can you give me an idea about how to update the new password? Even if you erase that "if".
Re: Changing Password script.
Posted: Tue Mar 13, 2012 10:15 am
by Celauran
Code: Select all
<?php
include 'db.php';
$username = mysql_real_escape_string($_POST['username']);
// We're hashing these anyway
$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
$check_password = $_POST['check_password'];
if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
{
    if (!$username)
    {
        echo "Nu ati introdus Username-ul <br>";
    }
    if (!$old_password)
    {
        echo "Nu ati introdus Vechea Parola<br>";
    }
    if (!($new_password == $check_password))
    {
        echo "Parolele introduse nu corespund<br>";
        unset($new_password);
        unset($old_password);
    }
    include 'chpass.php';
    exit();
}
/*
$sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
$sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
*
*/
// Let's do this in one step.
$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = 'MD5({$password})'";
list($count) = mysql_fetch_row(mysql_query($query));
// We've found a match, so let's update the password
if ($count)
{
    $query = "UPDATE users SET password = 'MD5({$new_password})' WHERE username = '{$username}'";
    mysql_query($query);
}
else
{
    // Error condition. Don't tell them specifically if username or password weren't found.
}
?>
Re: Changing Password script.
Posted: Tue Mar 13, 2012 10:58 am
by NightFall
It's not working. I get this message
A system error occurred. We apologize for the inconvenience.
Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:07 am
by Celauran
I don't see any obvious mistakes and that error message is useless.
EDIT: Looks like I buggered up the quotes in the MD5 call. Move them inside MD5().
Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:28 am
by NightFall
Do you mean like this?
Code: Select all
$query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$password}')";
Code: Select all
$query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
It still doesn't work. I don't see any mistake.
Anyway, I appreciate your help.

Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:34 am
by Celauran
Yes, I meant like that. What do you mean by "it doesn't work"? Same uninformative error message as before, or something else?
Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:35 am
by NightFall
It's the same error. Can it be an error from my server, or is it the script that's not working?
Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:36 am
by Celauran
There's no error like that in the script itself. Have you checked your server logs to see if there's any additional information provided?
Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:43 am
by NightFall
My server moves really slow, I'll try this script on localhost, hopefully it'll work. Thanks a lot.

Re: Changing Password script.
Posted: Tue Mar 13, 2012 11:50 am
by Celauran
I've modified it slightly so I could test it on my machine, but it's working fine for me.
Code: Select all
<?php
// include 'db.php';
mysql_connect('localhost', '*****', '*****');
mysql_select_db('*****');
if (!empty($_POST))
{
    $username = mysql_real_escape_string($_POST['username']);
    // We're hashing these anyway
    $old_password = $_POST['old_password'];
    $new_password = $_POST['new_password'];
    $check_password = $_POST['check_password'];
    if ((!$username) || (!$old_password) || (!$new_password) || (!$check_password))
    {
        if (!$username)
        {
            echo "Nu ati introdus Username-ul <br>";
        }
        if (!$old_password)
        {
            echo "Nu ati introdus Vechea Parola<br>";
        }
        if (!($new_password == $check_password))
        {
            echo "Parolele introduse nu corespund<br>";
            unset($new_password);
            unset($old_password);
        }
        // include 'chpass.php';
        exit();
    }
    /*
    $sql_username = mysql_query("SELECT username FROM users WHERE username='$username'");
    $sql_password = mysql_query("SELECT password FROM users WHERE username='md5($old_password)'");
    *
    */
    // Let's do this in one step.
    $query = "SELECT COUNT(username) FROM users WHERE username = '{$username}' AND password = MD5('{$old_password}')";
    list($count) = mysql_fetch_row(mysql_query($query));
    // We've found a match, so let's update the password
    if ($count)
    {
        $query = "UPDATE users SET password = MD5('{$new_password}') WHERE username = '{$username}'";
        mysql_query($query);
    }
    else
    {
        // Error condition. Don't tell them specifically if username or password weren't found.
        echo "Errors. Rawr!!";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
    <title>Debug</title>
</head>
<body>
    <form action="" method="post">
        Username: <input type="text" name="username" />
        Old Password: <input type="password" name="old_password" />
        New Password: <input type="password" name="new_password" />
        Confirm Password: <input type="password" name="check_password" />
        <input type="submit" value="Submit" />
    </form>
</body>
</html>
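
A hardened form of the password-change logic discussed in this thread, as an added example that is not part of any post: every value is bound as a PDO parameter instead of being interpolated into the SQL string, passwords are stored with password_hash() rather than MD5, and the new/confirm match is checked on every request. The changePassword() helper, the users(username, password) layout and the in-memory SQLite demo data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): returns true only when the
// stored password was actually replaced.
function changePassword(PDO $pdo, string $username, string $old, string $new, string $confirm): bool
{
    // Validate on every request, not only when one of the fields is empty.
    if ($username === '' || $old === '' || $new === '' || $new !== $confirm) {
        return false;
    }

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();

    // Same result for an unknown user and a wrong password, so the caller
    // cannot tell the two apart (the thread's "don't tell them" advice).
    if ($hash === false || !password_verify($old, (string) $hash)) {
        return false;
    }

    // Salted, deliberately slow hash computed in PHP; MD5() in SQL is neither.
    $stmt = $pdo->prepare('UPDATE users SET password = :p WHERE username = :u');
    $stmt->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database (assumes pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Constructed test cases: username, old, new, confirm.
$cases = [
    ['alice', 'old-secret', 'new-secret', 'new-secret'], // correct old password
    ['alice', 'old-secret', 'third', 'third'],           // old password already replaced
    ['alice', 'new-secret', 'a', 'b'],                   // confirmation mismatch
    ["o'brien", 'x', 'y', 'y'],                          // quote in input is plain data
];
foreach ($cases as $c) {
    var_dump(changePassword($pdo, ...$c));
}
```

The same function works against MySQL by changing only the PDO connection string; the password column must be wide enough for password_hash() output (VARCHAR(255) is the usual choice).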