I'm trying to give an error message if the first-typed password and the retyped password do not match, but it still gets successfully changed to the first-typed password even if they are different.
The 'One or more required fields were left blank.' message also for some reason only appears when the old-password field is left blank, but not for any of the others.
Lastly, after a successful password change, it redirects to the correct page but doesn't send out the e-mail. I don't think there's anything wrong with the mail code, because it works fine in other pages.
Here's the relevant bit:
<?
session_start();
$uname = $_SESSION['uname'];
include 'common.php';
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
    $oldpass = $_POST['password1'];
    $newpass = $_POST['password2'];
    $newpass2 = $_POST['password3'];
    if(get_magic_quotes_gpc()) {
        $uname = stripslashes($uname);
        $oldpass = stripslashes($oldpass);
        $newpass = stripslashes($newpass);
        $newpass2 = stripslashes($newpass);
    } else {
        $uname = $uname;
        $oldpass = $oldpass;
        $newpass = $newpass;
        $newpass2 = $newpass2;
    }
    if ($oldpass=='' or $newpass=='' or $newpass2=='') {
        error('One or more required fields were left blank. Please fill them in and try again.');
    }
    elseif ($newpass != $newpass2) {
        error('New passwords do not match.');
    }
    else {
        // connect to database
        include 'db.php';
        $pword = md5($oldpass);
        $newpass = md5($newpass);
        $newpass = mysql_real_escape_string($newpass);
        $sql = "SELECT * FROM logintest WHERE uname='$uname' AND pword='$pword'";
        $result = mysql_query($sql) or die (mysql_error());
        $num_rows = mysql_num_rows($result);
        if ($result) {
            if ($num_rows > 0) {
                $sql = "UPDATE logintest SET pword='$newpass' WHERE uname = '$uname' AND pword='$pword'";
                $result = mysql_query($sql) or die (mysql_error());
                if ($result) {
                    header ("Location: passchanged.htm");
                    $message = "Hi!
This e-mail is to confirm that your password has been changed.
Your revised login details:
Username: $uname
Password: $newpass";
                    mail($email, "Forgotten Password", $message, 'From: admin@mysite.net');
                }
                else {
                    error('A database error occured during submission');
                }
            }
            else {
                error('The old password you entered is incorrect');
            }
        }
        else {
            error('A database error occured during submission');
        }
        mysql_close($db_handle);
    }
}
?>
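
A hardened form of the same password-change check, as an added example that is not part of the original post: each field is validated from its own variable, the stored value is a salted `password_hash()` instead of `md5()`, and the queries are prepared statements. The `logintest`, `uname` and `pword` names come from the post; `change_password()`, the in-memory SQLite database and the sample user are assumptions made for illustration (PHP 7.1+ with `pdo_sqlite`).

```php
<?php
// Added example, not the poster's code. change_password() is a hypothetical
// helper; the user 'alice' and her passwords are constructed sample data.
function change_password(PDO $db, string $uname, string $old, string $new, string $confirm): string
{
    // Every field is checked on its own variable, before anything else.
    if ($old === '' || $new === '' || $confirm === '') {
        return 'blank';
    }
    // Strict comparison: loose != treats numeric-looking strings such as
    // "1e3" and "1000" as equal.
    if ($new !== $confirm) {
        return 'mismatch';
    }
    // Prepared statement: $uname never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT pword FROM logintest WHERE uname = ?');
    $stmt->execute([$uname]);
    $stored = $stmt->fetchColumn();
    // password_verify() checks a salted hash in PHP rather than matching md5() in SQL.
    if ($stored === false || !password_verify($old, $stored)) {
        return 'bad_old_password';
    }
    $upd = $db->prepare('UPDATE logintest SET pword = ? WHERE uname = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $uname]);
    return 'changed';
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE logintest (uname TEXT PRIMARY KEY, pword TEXT)');
$db->prepare('INSERT INTO logintest VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Each row: old password, new password, retyped new password.
foreach ([
    ['old-secret', 'new-secret', 'typo-secret'],
    ['old-secret', '', ''],
    ['wrong', 'new-secret', 'new-secret'],
    ['old-secret', 'new-secret', 'new-secret'],
] as [$old, $new, $confirm]) {
    echo change_password($db, 'alice', $old, $new, $confirm), PHP_EOL;
}
// A confirmation e-mail should say only that the password was changed; it
// must not contain the password or its hash.
```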