change password

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

spamyboy
Forum Contributor
Posts: 266
Joined: Sun Nov 06, 2005 11:29 am
Location: Lithuania, vilnius

change password

Post by spamyboy »

OK, first of all: Happy Christmas & New Year!
And here is what I need :)
I created my own member script (reg/login/member area)
and now there is only one thing left: I need to create a PHP script which would allow users to change their password. How? Could anyone write a script?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

spamyboy wrote: Could anyone write a script?
Nope, but I can certainly give you a push in the right direction. Just so we don't waste time, why don't you start by posting your db structure?
spamyboy
Forum Contributor
Posts: 266
Joined: Sun Nov 06, 2005 11:29 am
Location: Lithuania, vilnius

Post by spamyboy »

CREATE TABLE users (
    userid int(25) NOT NULL auto_increment,
    first_name varchar(25) NOT NULL default '',
    last_name varchar(25) NOT NULL default '',
    email_address varchar(25) NOT NULL default '',
    username varchar(25) NOT NULL default '',
    password varchar(255) NOT NULL default '',
    info text NOT NULL,
    user_level enum('0','1','2','3') NOT NULL default '0',
    signup_date datetime NOT NULL default '0000-00-00 00:00:00',
    last_login datetime NOT NULL default '0000-00-00 00:00:00',
    activated enum('0','1') NOT NULL default '0',
    PRIMARY KEY (userid)
);
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

One step I would take when changing a user's password is to force them to re-enter their current password. Just in case some user gained access to the user's account, he would still be unable to lock the user out of his own account unless the malicious user actually knew the plaintext password.

So.. have 3 fields in your form

1) Old Password
2) New Password
3) Repeat New Password

I'm not sure how you are authenticating your users, but I'll assume it's done with sessions, since that's the most common method. I'll assume you store the user's id from the db in the session to track the user.

So when the user submits this form, you have 2 checks:

1) Is the old password the currently set password? You'll have to re-query the database and check.

2) Are the New Password and Repeat New Password identical?

If those two checks pass, then you'll simply run an update query to modify the password.

Code:

$result = mysql_query('UPDATE `users` SET `password` = \''.md5($_POST['password']).'\' WHERE `userid` = \''. $_SESSION['userid'].'\' LIMIT 1');
Notice I used an md5 to hash the password; change that to whatever hashing or encryption you've used in your current setup, if any.
spamyboy
Forum Contributor
Posts: 266
Joined: Sun Nov 06, 2005 11:29 am
Location: Lithuania, vilnius

Post by spamyboy »

Damn... It's true I used sessions and md5, but it's still too hard for me ;/
I don't know how to integrate the part of the script you wrote...
$result = mysql_query('UPDATE `users` SET `password` = \''.md5($_POST['password']).'\' WHERE `userid` = \''. $_SESSION['userid'].'\' LIMIT 1');
mickd
Forum Contributor
Posts: 397
Joined: Tue Jun 21, 2005 9:05 am
Location: Australia

Post by mickd »

Well, basically all you need is one page with the HTML form in it with 3 inputs: old password, new password and repeat new password.

P.S. The scripts I show from now on I wrote over 3 months ago, close to when I first started, so there might be some inconsistency/bad practice etc.

page that has the form in it:

Code:

<form method="post" action="handleoptions.php" name="password_change">
        <table width="100%" align="center" border="0">
		<tr>
			<td width="100%" align="center" colspan="2">
				<b>Change Password</b>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				Old Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_old" size="15" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				New Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_new" size="15" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="20%" align="left">
				Confirm Password:
			</td>
			<td width="80%" align="left">
				<input type="password" name="password_new_confirm" size="15" maxlength="12"><br>
			</td>
		</tr>
		<tr>
			<td width="100%" align="left" colspan="2">
				<input type="submit" value="Update Password!" name="password_change_submit">
			</td>
		</tr>
	</table></form>
You then have the PHP in another page, which the form submits to, to handle the information and update the database as well as validate.

Keeping in mind this was also written over 3 months ago when I first started.

handle page:

Code:

<?php
	session_start();
		include '../private_html/includes/configuration.php';
		dbconnect();
		checklogin();
		is_dead();
		is_banned();

if(isset($_POST['password_change_submit'])) {

	// Escape every value that goes into SQL; the cookie is client-controlled
	$login_session = mysql_real_escape_string($_SESSION['username_value']);
	$login_cookie = mysql_real_escape_string($_COOKIE['username']);
	$check_username = mysql_query("SELECT * FROM accounts WHERE login_session='$login_session' AND login_cookie='$login_cookie'");
	$check_username_assoc = mysql_fetch_assoc($check_username);
	$username = mysql_real_escape_string($check_username_assoc['username']);
	$password_old = $_POST['password_old'];
	$password_new = $_POST['password_new'];
	$password_new_confirm = $_POST['password_new_confirm'];
	
	$password_old_md5 = md5($password_old);
	$password_new_md5 = md5($password_new);
	$password_new_confirm_md5 = md5($password_new_confirm);
	
	$select_username_assoc = mysql_query("SELECT * FROM accounts WHERE username='$username'");
	$username_assoc = mysql_fetch_assoc($select_username_assoc);
	
		if($username_assoc['password'] == $password_old_md5) {
			if($password_new_md5 == $password_new_confirm_md5) {
			
			mysql_query("UPDATE accounts SET password='$password_new_md5' WHERE username='$username'");
			mysql_query("UPDATE accounts SET login_session='' WHERE login_session='$login_session'");
			mysql_query("UPDATE accounts SET login_cookie='' WHERE login_cookie='$login_cookie'");
			session_destroy();
			$cookie_username = $_COOKIE['username'];
			setcookie("username", $cookie_username, time()-3600, "/", ".xxxxx.com");
			header("location:http://www.xxxxx.com/index.php?login=4");
			
			} elseif($password_new_md5 != $password_new_confirm_md5) {
			header("location:http://www.xxxxx.com/options.php?error=2");
			die();
			}
		} elseif($username_assoc['password'] != $password_old_md5) {
		header("location:http://www.xxxxx.com/options.php?error=1");
		die();
		}
} elseif(!isset($_POST['password_change_submit'])) {
header("location:http://www.xxxxx.com/options.php");
die();
}
?>
I've got a lot of useless stuff in there but it should give you an idea.


Ekkk, that code's so ugly.
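
The two checks and the update described in the posts above, as an added example that is not part of any post in this thread: it swaps `md5()` for `password_hash()`/`password_verify()` and the `mysql_*` calls for PDO prepared statements. The function name `change_password`, the return strings and the in-memory SQLite stand-in for the `users` table are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes the `users` table posted
// above (userid, password); SQLite in memory stands in for MySQL.
declare(strict_types=1);

function change_password(PDO $db, int $userId, string $old, string $new, string $confirm): string
{
    // Check 2 from the thread: both new-password fields must match.
    if ($new === '' || $new !== $confirm) {
        return 'mismatch';
    }
    // Check 1: re-query the stored hash and verify the old password against it.
    $stmt = $db->prepare('SELECT password FROM users WHERE userid = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($old, $stored)) {
        return 'bad_old_password';
    }
    // Salted, slow hash instead of md5(); placeholders keep input out of the SQL text.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE userid = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return 'changed';
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, password VARCHAR(255) NOT NULL)');
$db->prepare('INSERT INTO users (userid, password) VALUES (1, ?)')
   ->execute([password_hash('old-secret', PASSWORD_DEFAULT)]);

// In a real handler $userId comes from $_SESSION['userid'], never from the form.
var_dump(change_password($db, 1, 'wrong', 'n3w-secret', 'n3w-secret'));
var_dump(change_password($db, 1, 'old-secret', 'n3w-secret', 'typo'));
var_dump(change_password($db, 1, 'old-secret', 'n3w-secret', 'n3w-secret'));
```

After a successful change, a session-based handler would also call `session_regenerate_id(true)` or end the session, as the handle page above does with `session_destroy()`.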
spamyboy
Forum Contributor
Posts: 266
Joined: Sun Nov 06, 2005 11:29 am
Location: Lithuania, vilnius

Post by spamyboy »

Thank you ! :)
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

For even greater security you should email them the new password, with a hash in the link that's also stored in your DB. Then when they click the link in their email, check to make sure the hash matches the DB hash.

but the basic steps are good

old password, new password, confirm new password

(Afterthought: I guess emailing them the new password is only logical when recovering a lost password.. I was just too lazy to erase it, which is kind of ironic considering how I had the energy to type this big long run-on sentence.)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

scrotaye wrote: I was just too lazy to erase it, which is kind of ironic considering how I had the energy to type this big long run-on sentence.)
:D :D :D :D



Anyway, it's probably better, instead of emailing them the new password when it is reset, to allow them to click a link in their email that takes them to the change password form, but don't prompt them for the old password.
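
The emailed-link flow from the last two posts, as an added example that is not part of any post in this thread: a random token goes into the link, only its hash is stored, and redeeming it sets a new password without asking for the old one. The `password_resets` table, the 30-minute lifetime and both function names are assumptions.

```php
<?php
// Added example, not code from the thread. The password_resets table, the
// 30-minute lifetime and the function names are assumptions.
declare(strict_types=1);

function issue_reset_token(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));            // goes into the emailed link
    $db->prepare('DELETE FROM password_resets WHERE userid = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (userid, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now + 1800]);
    return $token;                                  // only its hash is stored
}

function redeem_reset_token(PDO $db, int $userId, string $token, string $new, int $now): bool
{
    $stmt = $db->prepare('SELECT token_hash, expires FROM password_resets WHERE userid = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Constant-time comparison of the link's hash against the DB hash.
    if (!$row || $now > (int) $row['expires']
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    // Single use: drop the token, then set the password without asking for the old one.
    $db->prepare('DELETE FROM password_resets WHERE userid = ?')->execute([$userId]);
    $db->prepare('UPDATE users SET password = ? WHERE userid = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return true;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userid INTEGER PRIMARY KEY, password VARCHAR(255) NOT NULL)');
$db->exec('CREATE TABLE password_resets (userid INTEGER PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$db->exec("INSERT INTO users (userid, password) VALUES (1, 'placeholder-hash')");

$token = issue_reset_token($db, 1, time());
var_dump(redeem_reset_token($db, 1, 'guessed-token', 'n3w-secret', time()));
var_dump(redeem_reset_token($db, 1, $token, 'n3w-secret', time()));
var_dump(redeem_reset_token($db, 1, $token, 'n3w-secret', time()));
```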