form won't update db user info

Posted: Thu Apr 24, 2008 3:04 pm
by ndjustin20
I am trying to create a form that updates a user's password. I am really new to PHP/MySQL. The following is the form I am using, though the select query always returns zero results for some reason, though I know the results shouldn't always be zero.

Code: Select all

 
 
<?php # password.php
// This page lets a user change their password.
 
// Set the page title and include the HTML header.
$page_title = 'Change Your Password';
include ('./includes/Header.html');  
 
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {
 
    require_once('mysql_connect.php');
 
    $errors = array();// Initialize error array.
 
    // Check for an email address.
    if (empty($_POST['email'])) {
        $errors[] = 'You forgot to enter your email address.';
    } else {
        $e = escape_data($_POST['email']);
    }
    
    // Check for an existing password
    if (empty($_POST['password'])) {
        $errors[] = 'You forgot to enter your existing password.';
    } else {
        $p = escape_data($_POST['password']); 
    }
 
    // Check for a password and match against the confirmed password.
    if (!empty($_POST['password1'])) {
        if ($_POST['password1'] != $_POST['password2']) {
            $errors[] = 'Your new password did not match the
            confirmed new password.';
        } else {
            $np = escape_data($_POST['password1']);
        }
    } else {
      
        $errors[] = 'You forgot to enter your new password.';
    }
 
    if (empty($errors)) { // If everything's OK.
 
        //Check that they've entered the right email address/password combination.
        $query = "SELECT userid FROM users WHERE (email='$e' AND
        password=SHA('$p') )";
        $result = mysql_query($query);
        $num = mysql_num_rows($result);
        if (mysql_num_rows($result) == 1) { // Match was made.
 
            // Get the user_id.
            $row = mysql_fetch_array($result, MYSQL_NUM); 
 
            // Make the UPDATE query.
            $query = "UPDATE users SET password=SHA('$np') WHERE userid=$row[0]";
            $result = @mysql_query ($query);
            if (mysql_affected_rows() == 1) { // If it ran OK.
 
                // Send an email, if desired.
 
                //Print a message.
                echo '<h1 id="mainhead">Thank you!</h1>
                <p>Your password has been updated.</p><p><br/></p>';
 
                // Include the footer and quit the script (to not show the form).
                include ('./includes/footer.html');
                exit();
 
            } else { // If it did not run OK.
                echo '<h1 id="mainhead">System Error</h1>
                <p class="error">Your password could not be changed due to a
                system error.
                We apologize for any inconvenience.</p>'; //Public message.
                echo '<p>' . mysql_error() . '<br />
                <br />Query: ' . $query . '</p>'; // Debugging message.
                include ('./includes/footer.html');
                exit();
    }
 
        } else { // Invalid email address/password combination.
            echo '<h1 id="mainhead">Error!</h1>
            <p class="error">The email address and password do not match
            those on file.</p>';
 
        } 
 
    } else { // Report the errors.
 
        echo '<h1 id="mainhead">Error!</h1>
        <p class="error">The following error(s) occurred:<br />';
        foreach ($errors as $msg) { // Print each error.
            echo " - $msg<br />\n";
        }
        echo '</p><p>Please try again.</p><p><br /></p>';
 
    } // End of if (empty($errors)) IF.
 
    mysql_close(); // Close the database connection.
 
} // End of the main Submit conditional.
?>
<h2>Change Your Password</h2>
<form action="password2.php" method="post">
    <p>Email Address: <input type="text" name="email" size="20" maxlength="40"
        value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /> </p>
    <p>Current Password: <input type="password" name="password"
        size="10" maxlength="20" /></p>
    <p>New Password: <input type="password" name="password1"
        size="10" maxlength="20" /></p>
    <p>Confirm New Password: <input type="password" name="password2"
        size="10" maxlength="20" /></p>
    <p><input type="submit" name="submit" value="Register"/></p>
    <input type="hidden" name="submitted" value="TRUE" />
</form>
<?php
include ('./includes/Footer.html');
?>
 
 

Re: form won't update db user info

Posted: Thu Apr 24, 2008 4:36 pm
by andym01480

Code: Select all

       
$query = "SELECT userid FROM users WHERE email='$e' AND password=SHA('$p') ";
echo $query.'<br/>';//so you can see what is happening
$result = mysql_query($query) OR DIE(mysql_error());//flag up any error
 
 

Re: form won't update db user info

Posted: Thu Apr 24, 2008 4:48 pm
by ndjustin20
I did this but no errors come back and the SQL query shows. I don't understand what I am doing wrong.

Re: form won't update db user info

Posted: Thu Apr 24, 2008 4:52 pm
by ndjustin20
For some strange reason it looks like the password isn't encrypting.

Re: form won't update db user info

Posted: Thu Apr 24, 2008 4:55 pm
by andym01480
Do you want to post the sql query as seen on your browser?
EDIT: (You posted same time as me) Should you be using SHA1/md5?

Just to check your database table could you run the following and post the results please...

<?php
$result = mysql_query("SHOW COLUMNS FROM users");
if (!$result) {
echo 'Could not run query: ' . mysql_error();
exit;
}
if (mysql_num_rows($result) > 0) {
while ($row = mysql_fetch_assoc($result)) {
print_r($row);
}
}
?>

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:03 pm
by ndjustin20
Sorry for the delay. Here is the returned value, and the page is http://www.freedomthinking.com/passwordtest.php


Array ( [Field] => userid [Type] => mediumint(8) unsigned [Null] => [Key] => PRI [Default] => [Extra] => auto_increment )
Array ( [Field] => first_name [Type] => varchar(40) [Null] => [Key] => [Default] => [Extra] => )
Array ( [Field] => last_name [Type] => varchar(40) [Null] => [Key] => [Default] => [Extra] => )
Array ( [Field] => email [Type] => varchar(40) [Null] => [Key] => [Default] => [Extra] => )
Array ( [Field] => password [Type] => varchar(40) [Null] => [Key] => [Default] => [Extra] => )
Array ( [Field] => registration_date [Type] => datetime [Null] => [Key] => [Default] => 0000-00-00 00:00:00 [Extra] => )

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:07 pm
by ndjustin20
Is it also a little strange that all of my password fields are the same, i.e. da39a3ee5e6b4b0d3255bfef95601890afd80709 shows up for all of them?

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:10 pm
by ndjustin20
Here is my registration page: http://www.freedomthinking.com/register_new.php I am thinking there may be something strange there because it looks like all my passwords are the same for some reason.

Code: Select all

 
 
<?php
 
$page_title = 'Register Me';
 
echo '<h1 id="mainhead">Register Here</h1>';
 
include('./includes/Header.html');
 
if(isset($_POST['submitted'])) {
 
$errors = array();
 
if(empty($_POST['first_name'])) {
$errors[] = 'You forgot to enter your first name.';
}else{
$fn = $_POST['first_name'];
}
 
if(empty($_POST['last_name'])) {
$errors[] = 'You forgot to enter your last name.';
}else{
$ln = $_POST['last_name'];
}
 
if(empty($_POST['email'])) {
$errors[] = 'You forgot to enter your email address.';
}else{
$e = $_POST['email'];
}
 
if(!empty($_POST['password1'])) {
if($_POST['password1'] != $_POST['password2'])
 
$errors[] = 'Your password and the confirmation password did not match.';
}else{
$p = $_POST['password1'];
}
 
if(empty($errors)) {
 
require_once('mysql_connect.php');
 
$query1 = "SELECT userid FROM users WHERE email='$e'";
$result1 = mysql_query($query1);
$num = mysql_num_rows($result1);
 
 
if ($num == 1){
echo 'Sorry that email address has already been taken';
 
}elseif($num < 1) {//IF THERE WAS NOT AN EMAIL ADDRESS FOUND THAT MATCHED
 
$query2 = "INSERT INTO users(first_name, last_name, email, password, registration_date) VALUES ('$fn',
'$ln', '$e', SHA('$p'), NOW() )";
 
$result2 = @mysql_query($query2); //run the query
 
echo '<p><h1 id="mainhead">Thank You</h1></p>
      <p>You have now been registered</p>';
      include('./includes/Footer.html');
      exit();
 
}else{
 
echo '<p>We can not register you at this time</p>';
include('./includes/Footer.html');
exit();
}
 
}else{
 
echo '<h1 class="mainhead">ERROR!</h1>';
      foreach($errors as $msg) {
      echo " - $msg<br />\n";
}
}  
}
 
 
?>
 
 
<form action="register_new.php" method="post">
<p><b><font color="#FF0000">First Name:</font></b><input type="text" name="first_name" value="<?php if(isset($_POST['first_name'])) echo $_POST['first_name']; ?>" size="20" maxlength="20" /></p>
<p><b><font color="#00CC00">Last Name:</font></b><input type="text" name="last_name" value="<?php if(isset($_POST['last_name'])) echo $_POST['last_name'];?>" size="20" maxlength="20" /></p>
<p><b><font color="#0000CC">Email Address:</font></b><input type="text" name="email" value="<?php if(isset($_POST['email'])) echo $_POST['email'];?>" size="20"
maxlength="40" /></p>
<p><b><font color="#FF3333">Enter Password:</font></b><input type="password" name="password1" size="20" /></p>
<p><b><font color="#0033FF">Retype Password:</font></b><input type="password" name="password2" size="20" /></p>
<p><input type="submit" name="submit" value="Register" /></p>
<p><input type="hidden" name="submitted" value="TRUE"  /></p>
 
</form>
 
<?php include ('./includes/Footer.html'); ?>
 
 

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:14 pm
by andym01480
The table looks okay - you are using the right column names in the query - got that wrong myself too many times!!!

I've never used sha, so didn't notice it is not a PHP function! sha() won't do anything unless you have created your own function to do it. PHP has sha1(). I think that would be your problem.
I would use md5 on the passwords! I know that works!!!!

As a general point echoing the query flagged what was wrong - do that for your registration page
mysql_error() as a die for the query also helps in debugging! - do that for your registration page

EDIT

Code: Select all

 
$query2 = "INSERT INTO users(first_name, last_name, email, password, registration_date) VALUES ('$fn',
'$ln', '$e', SHA('$p'), NOW() )";
in the registration page

will do your function SHA on $p rather than the contents of the variable $p - lose the single quotes.

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:32 pm
by ndjustin20
OK, so now I am really confused, as md5 does the same thing, i.e. here are the field values from using md5 encryption:

d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e


How can they be the same? The first password is ui and the second one is ko. Is there something I am doing wrong, as the information is being submitted though the encryption process seems not to be working properly?
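An added example, not part of the original thread: da39a3ee5e6b4b0d3255bfef95601890afd80709 is the SHA-1 digest of the empty string and d41d8cd98f00b204e9800998ecf8427e is its MD5 digest, so a column holding only those values means an empty password was hashed. The sketch mirrors the branch structure of the registration script posted earlier, where `$p` is assigned only in the `else` of `!empty($_POST['password1'])`; the function names and the `$post` array standing in for `$_POST` are assumptions.

```php
<?php
// Added example; function names are hypothetical and $post stands in for $_POST.

// Digests of the empty string: what SHA('') and MD5('') store.
const EMPTY_DIGESTS = [
    'da39a3ee5e6b4b0d3255bfef95601890afd80709', // SHA-1
    'd41d8cd98f00b204e9800998ecf8427e',         // MD5
];

// Same branches as the posted registration script: the else pairs with
// !empty(), so $p is only assigned when the password field is empty.
function password_as_posted(array $post, array &$errors): string {
    $p = ''; // an unset $p interpolates as '' inside "SHA('$p')"
    if (!empty($post['password1'])) {
        if ($post['password1'] != $post['password2']) {
            $errors[] = 'Your password and the confirmation password did not match.';
        }
    } else {
        $p = (string) ($post['password1'] ?? '');
    }
    return $p;
}

// Corrected branches: reject an empty field, then compare, then assign.
function password_checked(array $post, array &$errors): ?string {
    $p1 = (string) ($post['password1'] ?? '');
    if ($p1 === '') {
        $errors[] = 'You forgot to enter your password.';
        return null;
    }
    if ($p1 !== (string) ($post['password2'] ?? '')) {
        $errors[] = 'Your password and the confirmation password did not match.';
        return null;
    }
    return $p1;
}

// Constructed inputs: the two passwords mentioned in the thread.
foreach (['ui', 'ko'] as $pw) {
    $post = ['password1' => $pw, 'password2' => $pw];
    $errors = [];
    $before = sha1(password_as_posted($post, $errors));
    $after  = sha1((string) password_checked($post, $errors));
    printf("%s: as posted %s (empty-string digest: %s)\n    checked   %s\n",
        $pw, $before, in_array($before, EMPTY_DIGESTS, true) ? 'yes' : 'no', $after);
}
```

The same `EMPTY_DIGESTS` list can be used to find accounts that were registered while the bug was live, since each of them accepts an empty password.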

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:37 pm
by andym01480
Thousand apologies :oops: . sha is a mysql function.

But the problem is that you are using single quotes, i.e. sha('$p') - which performs the sha hash on $p rather than its contents. Single quotes mean it is treated as a string rather than a variable.

The sha of $p is da39a3ee5e6b4b0d3255bfef95601890afd80709, just tried it

and I bet the md5 of $p is what you posted. Lose the single quotes and make it

sha($p) and everything will pop out better, everywhere you use it! Remember though that da39a3ee5e6b4b0d3255bfef95601890afd80709 is currently stored in the db everywhere you have tested!!! Use $p as your old password in the form....

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:44 pm
by ndjustin20
changing the query to

$query2 = "INSERT INTO users(first_name, last_name, email, password, registration_date) VALUES ('$fn',
'$ln', '$e', SHA($p), NOW() )";

makes the form not submit anything to the database

Re: form won't update db user info

Posted: Thu Apr 24, 2008 5:45 pm
by ndjustin20
I took out the single quotes from SHA($p) and from MD5($p) and both didn't insert the information.

Re: form won't update db user info

Posted: Fri Apr 25, 2008 1:58 am
by andym01480
Put

Code: Select all

echo "$query <br/>";
before each mysql_query call and show the results here
Also

Code: Select all

or Die(mysql_error());
for each mysql_query call

Code: Select all

<?php
error_reporting(E_ALL);
at the very top of the script

Post what appears and we can help (hopefully)

Re: form won't update db user info

Posted: Fri Apr 25, 2008 1:59 pm
by ndjustin20
I figured it out from another post on phpfreaks. Apparently I had to use $p = SHA('$p'); before I sent the information in the query. This worked though I really don't know why it worked as I can use a select query and encrypt on the fly though I can't using an insert query.
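The register and change-password flow the two scripts are aiming for, written against current PHP as an added example (not code from the thread): the `mysql_*` functions were removed in PHP 7, and an unsalted SHA-1 or MD5 gives every user with the same password the same stored value. It uses PDO prepared statements with `password_hash()` and `password_verify()`; the in-memory SQLite database, the widened `password` column and the sample accounts are assumptions so that it runs offline.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Column names follow the thread's users table; password is widened from
// varchar(40) because password_hash() output does not fit in 40 characters.
$db->exec('CREATE TABLE users (
    userid   INTEGER PRIMARY KEY,
    email    VARCHAR(40) UNIQUE,
    password VARCHAR(255)
)');

function register(PDO $db, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
    // Salted, slow hash computed in PHP; no user input is spliced into the SQL text.
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
}

function change_password(PDO $db, string $email, string $old, string $new): bool {
    $stmt = $db->prepare('SELECT userid, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Fetch by email, then verify in PHP: a salted hash cannot be matched
    // with password=HASH(...) in a WHERE clause.
    if ($row === false || !password_verify($old, $row['password'])) {
        return false;
    }
    $upd = $db->prepare('UPDATE users SET password = ? WHERE userid = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $row['userid']]);
    return $upd->rowCount() === 1;
}

// Constructed sample accounts; the second address contains a quote on purpose
// to show that bound parameters need no escape_data() call.
register($db, 'a@example.test', 'ui');
register($db, "o'brien@example.test", 'ui');

var_dump(change_password($db, 'a@example.test', 'wrong', 'new-pass'));
var_dump(change_password($db, "o'brien@example.test", 'ui', 'new-pass'));

// Both accounts started with the same password but never shared a stored value.
foreach ($db->query('SELECT email, password FROM users') as $row) {
    echo $row['email'], ' ', $row['password'], "\n";
}
```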