changing password

Nathan__02

i made a script to allow a user to change a password...it checks if both passwords match and then changes the password if they match. If it updates the password it should say 'Password Changed' and 'Password not Changed' if it doesn't work.
I keep gettin password changed but it never actually changes the password...cna anybody help me out?

<?php
include("config.php");
include("style.css");

if ($_GET['area']=='password') {


echo("<form action='/options.php?action=change' method=post>New Password: <input type=password name=password1><Br>");
echo("Confirm New Password: <input type=password name=password2><br>");
echo("<input type=submit value=Change name=submit></form>");



} elseif ($_GET['action']=='change') {

$uname=$_SESSION[username];
$password1=$_POST['password1'];
$password2=$_POST['password2'];

if (empty($password1)) {
echo("You didn't fill in both password fields!<BR>");
} elseif ($password1 != $password2) {
echo("Your passwords don't match!<BR>");
} else {
$query=mysql_query("UPDATE `users` SET `password` = '$password1' WHERE `username` = '$uname'");
}

if($query) {
echo("Password Changed");
} else { 
echo("Password Not Changed");
}


} else {

















echo("<a href=/options.php?area=password>Change Your Password</a><BR>");
echo("<a href=/options.php?area=profile>Change Your Profile</a><BR>");



}


?>

skidaddle

i think php is going to try to assign a nonexistent constant in ...
$uname=$SESSION[username];
...when it should be
$uname=$SESSION['username'];

you should always somehow validate user input...

$password1=trim(addslashes(stripslashes($_POST['password1'])));
$password2=trim(addslashes(stripslashes($_POST['password2'])));

if (empty($password1)) 
{
   echo("You didn't fill in both password fields!<BR>");
} elseif ($password1 != $password2) {
   echo("Your passwords don't match!<BR>");
} else {
   $query=mysql_query("UPDATE `users` SET `password` = '$password1' WHERE `username` = '$uname'");
}

if(mysql_affected_rows() > 0)
{
   echo("Password Changed");
} else { 
   echo("Password Not Changed");
}


?>

Nathan__02

making progress...now it says that the password isnt being changed...heres my new code in case you need it.

<?php
include("config.php");
include("style.css");

if ($_GET['area']=='password') {


echo("<form action='/options.php?action=change' method=post><table><tr><td>New Password:</td><td> <input type=password name=password1></td></tr>");
echo("<tr><Td>Confirm New Password:</td><td> <input type=password name=password2><td></tr>");
echo("<tr><td colspan=2><input type=submit value=Change name=submit></td></tr></table></form>");



} elseif ($_GET['action']=='change') {

$uname=$_SESSION['username'];


$password1=trim(addslashes(stripslashes($_POST['password1']))); 
 $password2=trim(addslashes(stripslashes($_POST['password2']))); 

if (empty($password1))  

{ 
   echo("You didn't fill in both password fields!<BR>"); 
} elseif ($password1 != $password2) { 
   echo("Your passwords don't match!<BR>"); 
} else { 
   $query=mysql_query("UPDATE `users` SET `password` = '$password1' WHERE `username` = '$uname'"); 
} 

if(mysql_affected_rows() > 0) 
{ 
   echo("Password Changed"); 
} else {  

   echo("Password Not Changed"); 
} 





} else {

















echo("<a href=/options.php?area=password>Change Your Password</a><BR>");
echo("<a href=/options.php?area=profile>Change Your Profile</a><BR>");



}


?>

Nathan__02

can anyone help me?