[Resolved] Change password script not working

hbradshaw

Hi,

I wrote a script which will allow a user to change their password after they log in.

I was able to log in successfully. When, I tried to change my password it brought me to the login script as if though the username cannot be found.

Can someone help me troubleshoot this script?

To test for yourself; please visit:
http://www.bridgemilltennis.com/testing.htm.

Username: ghost
Password: ghost

Click on Change Password.

Here is the script:

<?php
session_start();
include "conn.inc.php";

if(!$_SESSION['username'] || !$_SESSION['password'])
   {

 header("Location: login_form.php");
  exit;
}

if (!$_POST[password])
  {
     include "pass-error.htm";

  }

if ($_POST[password] != $_POST[confirm])
   {
     include "pass-nomatch.htm";
   }

$sql = "SELECT * FROM member WHERE username='$_SESSION[username]'";
$result = mysql_query($sql) or die(mysql_error());

$num = mysql_num_rows($result);

if ($num !=0)
   {
     $chng = "UPDATE member SET
              password = md5('$_POST[password]')
              WHERE username = '$_POST[username]'";
     $result2 = mysql_query($chng) or die(mysql_error());

 include "pass-chng-success.htm";
 exit;
  }

else

{
   header("Location: change-password.htm");
   exit;
}

?>
[code=php]

Thank you in advance.

bradgrafelman

Thanks for trying to use PHP tags. To end a block of PHP code, its "/PHP" not another "PHP" tag.

Also, debug your script. Find out what session variables we have. Change:

if(!$_SESSION['username'] || !$_SESSION['password']) 
{ 

header("Location: login_form.php"); 
exit; 
}

to:

if(!$_SESSION['username'] || !$_SESSION['password']) 
{ 
print_r($_SESSION); // DEBUG LINE
//header("Location: login_form.php"); 
exit; 
}

EDIT: Also, here's an error on your site, not related to this issue. In lost-password.htm, you have this:

<form action="members/secure/lostpw.php" method="post">

but the correct path would be this:

<form action="lostpw.php" method="post">

Just FYI.

hbradshaw

Hi,

Thank you for the reply. I fixed the second error you found. Thanks for that.

I modified my script to see what session variables I'm getting. This was the result:

Array ( [login] => 1 [memberid] => 1031 [first_name] => ghost [last_name] => ghost [email] => helen.bradshaw@comcast.net [phone1] => 98908 [phone2] => 98908 )

What is that telling me? The username and password aren't even appearing in the above result. (This is my first attempt working with sessions. Please bear with me).

Thank you for your help.

bradgrafelman

What is that telling me? The username and password aren't even appearing in the above result

They aren't appearing because they weren't set!

What does your login script look like? Can you paste all relevant code that is executed upon a successful login?

hbradshaw

Hi,

[EDIT] I set the the username and password sessions variables.

After setting the variables, I ran the script again. After I type and retype the new password, instead of getting a success page, it brings me back to the Change Password page.

Here is the login script:

<?php
session_start();
include "conn.inc.php";
switch($_REQUEST['req'])
    {
case "validate":

$validate = mysql_query("SELECT * FROM member WHERE
                        username = '{$_POST['username']}' AND password = md5('{$_POST['password']}')") or 
                        die (mysql_error());

if (mysql_num_rows($validate) == 1)
    {
      while($row = mysql_fetch_assoc($validate))
        {
          $_SESSION['login'] = true;
          $_SESSION['memberid'] = $row['memberid'];
          $_SESSION['first_name'] = $row['first_name'];
          $_SESSION['last_name'] = $row['last_name'];
          $_SESSION['email'] = $row['email'];
          $_SESSION['phone1'] = $row['phone1'];
          $_SESSION['phone2'] = $row['phone2'];
          $_SESSION['username'] = $row['username'];
          $_SESSION['password'] = $row['password'];

   $login_time = mysql_query("UPDATE member SET last_login=now() where memberid='{$row['memberid']}'");
       }
        header("Location: [url]http://www.bridgemilltennis.com/members/secure/member-area-main.htm[/url]");
    }
      else
       {
         header("Location: [url]http://www.bridgemilltennis.com/members/secure/login_form.php[/url]");
       exit;
       }
break;
}
?> 
/PHP

===

At the end of the script, the last two headers, just direct the user either to the login form (which calls the script above) or the secure member area (successful login).

Thanks for the help.

bradgrafelman

Can we have the new password for username 'ghost' ?

hbradshaw

Hi,

I fixed my problem. Thanks for all the help.