md5

chinni_77

hello,

After i logged successfully into the system as an admin, i would like to change my(admin) password sometime.
when i click on a button to change the admin password, it prompts for old password, new password and re-typing the newpassword: If both the new passowrd and the re-entered is same, it has to update.I am able to compare the both.But, i also want to check my oldpassword, i.e with the password which i logged in!

so, all i want is, when i would like to change the password,

Old password should match with that of the one in the db and
the new passwords which are entered twice should be entered same.

If any of these conditions fail, an error mesg should be prompted!

I used md5 to save my old password.

I hope somebody would help me.

thanks in advance

somehow, i'm upto here now:

<? 
	include "dbconnection.ini";

if ($newpassword <>$newpassword2){ 

echo "passwords do not match. please re-enter passwords!"; 
echo "<html><body> 

echo("<form action=\"$PHP_SELF\" method=\"POST\">\n");

echo("Old password:<input type=\"password\" name=\"oldpassword\" value=\"$oldpassword\"><br><br> 
New password:<input type=\"password\" name=\"newpassword\"><br> 
Repeat new pasword:<input type=\"password\" name=\"newpassword2\"><br> 
<input type=\"hidden\" value=\"$userid\"> 
<input type=\"submit\" value=\"submit\"></form></body></html>"); 

}else{ 
	$sql="update TBL_USER set USER_PASSWORD=MD5($password) where USER_ID =$userid"; 

$result=ibase_query($sql); 

if (!$result){ 
echo "Change update did not take place. Please retry"; 
}else { 
	echo "change successful!"; 
 } 
} 
?>

mrmufin

Assuming all your DB connect code is working, and your submitting the password from using the POST method. Also that your connection link id is $conn_id:

// Build a query to check the old password first:
$q = sprintf("SELECT COUNT(*) FROM TBL_USER WHERE USERID=\"%s\" AND USER_PASSWORD=\"%s\"", $HTTP_POST_VARS['userid'], md5($HTTP_POST_VARS['oldpassword']));

// Run the query:
$r = ibase_query($conn_id, $q);
if(!$r) {
	exit("Query $q failed: " . ibase_errmsg());
}

// If no rows were returned from the query the old password entered is wrong:
if(!count(ibase_fetch_row($r))) {
	exit('Old password is incorrect.');
}

// If the passwords don't match, we're outta here:
if($HTTP_POST_VARS['newpassword'] != $HTTP_POST_VARS['newpassword2']) {
	exit("New passwords don't match!");
}

// Build the update password query:
$q = sprintf("UPDATE TBL_USER SET USER_PASSWORD=\"%s\" WHERE USERID=\"%s\"", md5($HTTP_POST_VARS['newpassword']), $HTTP_POST_VARS['userid']);

// Run the update query:
ibase_query($conn_id, $q);

Any closer? Sorry about the previous screw-up...

chinni_77

hello mrmufin,

could you pls tell me what is sprintf and _POST does'nt work with the version of PHP i am using.I think i've to use HTTP_POST_VARS.
what would be the equivalent statement of mysql_affected_rows()) in interbase because my db is interbase.

any idea.

Thanks a lot

mrmufin

D'OH!

sprintf() is a string formatting function with about a gazillion options. You can learn all about it from the PHP website:
http://www.php.net/manual/en/function.sprintf

It doesn't look like interbase has the equivalent of mysql_affected_rows()... Sorry!

It also appears that the first argument of the ibase_query() function should be the connection_id, not the query itself. I'll go back and do some editing on my previous post, we'll see if we can make this thing work...

chinni_77

yeah, i checked it in the PHP manual for the equivalent.itz ok

so kind of you to edit your post, thanks a lot!

mrmufin

Okay, I'm not sure if InterBase supports the COUNT() function, if it doesn't you should be able to use 'SELECT ' instead. If there's one part of the code that I posted that I wouldn't take to the bank, it's the SELECT COUNT(*) statement and the following check.

I'd probably check that the passwords match first; especially if this is will be the only reason the database connection is opened. That's only logical; why go through the connection overhead only to find out the new passwords don't match anyway...

In the absence of a function which tells the number of rows affected by the query, you could probably just run another SELECT statement using the new password. If the query succeeds and returns a row of data, then it's a safe assumption that the UPDATE statement was successful.

Hope all that helps a bit, anyway.