not changing pass

demosthenes705

I have the following script.

<?php
session_start();
$sessionname = $_SESSION['username'];
include('db.php');
echo "Welcome,
". $_SESSION['username'] ." you can change your password here.";

if ($_POST['cmd'] == "changepass")

{

$old = $_POST["old"];
$new = $_POST["new"];
$new2 = $_POST["c_new"];

if ((!$old) || (!$new) || (!$new2))

{

echo "You forgot to enter some of the required information.<br>";

if (!$old)
{
echo "You have to enter an old password!<br>";
}
if (!$new)
{
echo "You have to enter a new password!<br>";
}
if (!$c_new)
{
echo "You have to retype your new password!<br>";
}

exit();
}

if (($new) != ($new2)) {
die("Your new passwords don't match!");
}

$new = $password;
$new = md5($md5password);
$username = $_SESSION['username'];

if(mysql_query($query))
$query = "UPDATE `users` SET `password` = $md5password `decrypted_password` = '$password' WHERE `username`= '$username'";

if ($result = mysql_query($query))

{
echo "password changed<br>";

} else {

echo "<b><br><br>error changing password</b>";

}

}

?>


<html>
<head>
<title>Change Pass here</title>
</head>
<body>
<form action="checkpass.php" method="post">
Change Password:<br><br>

Old Password:&nbsp;&nbsp;&nbsp;<input type="text" name="old"><br>
New Password:&nbsp;&nbsp;&nbsp;<input type="text" name="new"><br>
Confirm:&nbsp;&nbsp;&nbsp;<input type="text" name="c_new">
<input type="hidden" name="cmd" value="changepass">
<input type="submit" name="changepass" value="Change Password">
</form>
</body>
</html>

it is supposed to change the users pass but it doesn't. what is wrong

tomhath

There's an obvious bug in your SQL.

You should always have a "or die(mysql_error())" after every mysql_query to catch this kind of thing, I'm sure it will tell you what's wrong.

demosthenes705

ok so i changed it around a tad. i frogot that i didn't check to see if they told the truth

<?php
session_start();
$sessionname = $SESSION['username'];
include('db.php');
echo "Welcome,
". $SESSION['username'] ." you can change your password here.";

if ($_POST['cmd'] == "changepass")

{

$old = $POST["old"];
$new = $POST["new"];
$new2 = $_POST["c_new"];

if ((!$old) || (!$new) || (!$new2))

{

echo "You forgot to enter some of the required information.<br>";

if (!$old)
{
echo "You have to enter an old password!<br>";
}
if (!$new)
{
echo "You have to enter a new password!<br>";
}
if (!$c_new)
{
echo "You have to retype your new password!<br>";
}

exit();
}

if (($new) != ($new2)) {
die("Your new passwords don't match!");
}

//Checking to see if they told the truth
$sql_check = mysql_query("SELECT * FROM users WHERE decrypted_password='$old'");
$sql_check_num = mysql_num_rows($sql_check);
if($sql_check_num == 0){
echo "No records found matching your email address<br />";
include 'checkpass.php';
exit();
}
$username = $_SESSION['username'];
$new_passowrd = $new
$db_password = md5($new_password);

$sql = mysql_query("UPDATE `users` SET `password`=$db_password `decrypted_password'='$new'
            WHERE `username` ='$username"); 
[/B]

if ($result = mysql_query($query))

{
echo "password changed<br>";

} else {

echo "<b><br><br>error changing password</b>";

}

}

?>

<html>
<head>
<title>Change Pass here</title>
</head>
<body>
<form action="checkpass.php" method="post">
Change Password:<br><br>

Old Password:   <input type="text" name="old" value=""><br>
New Password:   <input type="text" name="new" value=""><br>
Confirm:   <input type="text" name="c_new" value="">
<input type="hidden" name="cmd" value="changepass">
<input type="submit" name="changepass" value="Change Password">
</form>
</body>
</html>

so i bolded what i added and it is messing my script from showing.

I would put it in php block but it cancels out the bolding effect

tomhath

There are a couple of problems here.

Look carefully at the SQL, you are missing quotes around $db_password, missing a comma after it, and missing the close quote around $username.

UPDATE `users` SET
 `password`=$db_password `decrypted_password'='$new'
WHERE `username` ='$username

Also, you have an extra call to mysql_query after the UPDATE. I'd check the result like this (untested), the call to mysql_error inside the "or die" would've pointed out the syntax errors in the sql:

 $sql = mysql_query("UPDATE `users` SET `password`='$db_password', `decrypted_password'='$new'
WHERE `username` ='$username' ") or die ('error changing password' . mysql_error());

echo "password changed<br>";

demosthenes705

thanks for helping me so far

this is what i get when i run it

error changing passwordYou have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'username` ='admin'' at line 1

tomhath

Still a problem with the quotes.

 'username` ='admin''

It looks like there are two different quote character there: ` and '

Update: It looks like the problem is the quotes around decrypted_password', they don't match, so it kept looking for a until it found one near username.

bastien

I see this problem, you are overwriting the $new password with MD5($md5password). i think that should be the other way around

$new = $password;
$md5password = md5($new);
$username = $_SESSION['username'];

//set the query first then execute
$query = "UPDATE `users` SET `password` = '$md5password', `decrypted_password` = '$password' WHERE `username`= '$username'";
if(mysql_query($query))...