password()

PurpleMonkey

Hello. I'm amking a small control panel for the website I'm working on, and it allows the user to change their password. BUT only if they have entered their old password correctly and supplied two new identical passwords. The problem is that php thinks that $newp and $newp2 are equal, even when they arn't. Heres the code:

<?php
if($newp == $newp2) {

$conn = mysql_connect("localhost","","");

$db = mysql_select_db("users", $conn);

$psql = "select password from users where tag=\"$user\" ";

$pqr = mysql_query($psql, $conn);

while( $row < mysql_num_rows($pqr) ) {

	if($row["password"] = " password(\"$oldp\" ) " )

	 {

	$sql = "update users set password=password( \" $newp \" ) where tag=\"$user\" ";

	$qr = mysql_query($sql, $conn);

		if($qr) {

			$msg = "<br><b>Password has been changed</b>";
			echo($msg);

			} 
	} else { $er1 = "<b> You entered an incorrect old password</b><br>"; }
} 
} else { $er2 = "<b>You did not enter two new identical passwords.</b>"; }
echo($er1);
echo($er2);
?>

Any help much appreachiated.
N.B. $user is a session storing the users username.

Buddha443556

You need two equal signs == for a comparison. Your actually doing an assignment with just one equal sign. The mistake is in your second if statement.

swr

Where are $newp and $newp2 coming from? If they're suppsed to come from the form, but [man]register_globals[/man] is off, then they'll both be unset (and so, equal). Try $REQUEST['newp'] and $REQUEST['newp2'] instead.

Also, this will give you trouble:

if($row["password"] = " password(\"$oldp\" ) " )

You need to use == instead of =.

PurpleMonkey

Yes they are coming from a form where the user has to enter the details of there old password, and then their new one.

$oldp = old password
$newp = new password
$newp2 = re typed new password

swr

But is [man]register_globals[/man] on? Are the form values actually showing up in the PHP variables? Do echo $newp2; to find out. If not, read the [man]register_globals[/man] manual page. The short version is that you need to use $_REQUEST['formfield'] instead of just $formfield.

PurpleMonkey

I don't know what version of PHP your using, but all I have to do is use <input name="name" and when I need the result from that field I use $name - I'm using version 4.1 of php.

swr

It is both version and configuration dependent.

If you echo $newp does it actually show what you expect?

PurpleMonkey

Yes, it does. I don't need to use $POST and $GET, and I don't understand why anyone else is using them as all they do is take more time to program and increase the chances of an error!, when simply using $variable from html fields works well.