[RESOLVED] update mysql (change password script)

middleman666

hey people,

having trouble with a change password script that should allow users to do the obvious.

most the validation works, but when i input the correct old password and define two same new passwords and submit, i get nothing and the password is not changed so im thinking theres something wrong with my 'update' piece of code.

heres my code:

// create short variable names
  $old_password = $_POST['old_password'];
  $new_password = $_POST['new_password'];
  $new_password2 = $_POST['new_password2'];

  //check valid user
  if (isset($_SESSION['valid_user']))
  {
      echo 'Logged in as '.$_SESSION['valid_user'].'.';
      echo '<br />';
  }
  else
  {
     // they are not logged in 
     echo 'You are not logged in.<br />[<a href=login.php>login</a>]';
     exit;
  } 

// check forms filled in
if (!filled_out($_POST))
{
  echo 'You have not filled the form out completly - please go back'
      .' and try again.<br />';
  exit; 
}

if ($new_password!=$new_password2)
  echo 'The new passwords you entered do not match - please go back'
      .' and try again.<br />Your password has not been changed.<br />';
  exit; 

if (strlen($new_password)>16 || strlen($new_password)<6)
  echo 'Your password must be between 6 and 16 characters - '
      .'please go back and try again.<br />';
  exit; 

// attempt update
//change_password($_SESSION['valid_user'], $old_password, $new_password);

  // if the old password is right 
  // change their password to new_password and return true
  // else throw an exception


  //login
      // connect to db
	$mysql_database="dbname";
	$mysql_username="username";
	$mysql_password="pass";

$dbconnect = mysql_connect("localhost",$mysql_username,$mysql_password) or die ("Unable to connect to SQL server");
mysql_select_db($mysql_database,$dbconnect) or die ("Unable to select database");

// check if username is unique
$result = mysql_query("select * from BWmembers where username='$username' and password = sha1('$password')")
      or die ("Could not log you in.");

if (mysql_num_rows($result)) {
	echo 'Successful Login<br />';

    // set session username
    $_SESSION['valid_user'] = $username;
}

else {
	echo 'Failed Login<br />[<a href=login.php>login</a>]'; 
	exit; 
}

  //update password
  $result = mysql_query("update BWmembers set password = sha1('$new_password') where username = '$username'")
            or die ("Database update failed.");
  if (!$result){
    echo 'Password could not be changed.';
    exit;
  }
  else {
    echo 'Password changed.';
  }

any help would be very much apreciated,

thanks.

_RL_Ian

$sql = "update BWmembers set password = sha1('$new_password') where username = '$username'";
echo($sql);
$result = mysql_query($sql);

Do that and paste the SQL string here.

Also, change this:

or die ("Database update failed.");

to this:

or die(mysql_errno($result) . ": " . mysql_error($result));

That way if you get an error, it will display the MySQL error instead of just a useless text string.

middleman666

i did all that but im still getting nothing except 'Logged is as 'username''

  if (isset($_SESSION['valid_user']))
  {
      echo 'Logged in as '.$_SESSION['valid_user'].'.';
      echo '<br />';
  }

which is now making me think theres something wrong with my IF functions..

can anyone see if my IF functions are deciding to stop somewhere rather than finish the rest of the code?

thanks for your reply.

lozza1978

is that your complete page ?,

I see you are not starting a session ? session_Start();

middleman666

sorry your right, i should have stated that its not the whole page, a session has been started. you get to that page from filling out a 3 field form, old_password, new_password and new_password2.

middleman666

Right... i've been over and over this so many times and I did spot that I was trying to log in with 'password' and not 'old_password' which ive changed, but still no luck.

ive cleaned the code up a bit so it now looks like this: (a session has been started)

  // create short variable names
  $old_password = $_POST['old_password'];
  $new_password = $_POST['new_password'];
  $new_password2 = $_POST['new_password2'];

  // check valid user
  if (isset($_SESSION['valid_user'])) {
      echo 'Logged in as '.$_SESSION['valid_user'].'.<br />';
  }
  else {
      echo 'You are not logged in.<br />[<a href=login.php>login</a>]';
      exit;
  } 

  // validate form
  if (!filled_out($_POST)) {
      echo 'You have not filled the form out completly - please go back'
          .' and try again.<br />';
      exit; 
  }

  if ($new_password!=$new_password2) {
      echo 'The new passwords you entered do not match - please go back'
          .' and try again.<br />Your password has not been changed.<br />';
      exit;
  }

  if (strlen($new_password)>16 || strlen($new_password)<6) {
      echo 'Your password must be between 6 and 16 characters - '
          .'please go back and try again.<br />';
      exit; 
  }

  // login with OLD password
  // connect to db
  $mysql_database="database";
  $mysql_username="username";
  $mysql_password="pass";

  $dbconnect = mysql_connect("localhost",$mysql_username,$mysql_password) or die ("Unable to connect to SQL server");
  mysql_select_db($mysql_database,$dbconnect) or die ("Unable to select database");

  // check if username is unique
  $result = mysql_query("select * from BWmembers where username='$username' and password = sha1('$old_password')")
            or die(mysql_errno($result) . ": " . mysql_error($result));

  if (mysql_num_rows($result)) {
      echo 'Successful Login<br />';
	  $_SESSION['valid_user'] = $username;
  }

  else {
      echo 'Failed Login<br />[<a href=login.php>login</a>]'; 
      exit; 
  }

  //update password
  $result = mysql_query("update BWmembers set password = sha1('$new_password') where username = '$username'")
            or die(mysql_errno($result) . ": " . mysql_error($result));

  if (!$result) {
      echo 'Password could not be changed.';
      exit;
  }
  else {
      echo 'Password changed.';
  }

the output im getting is:

Logged in as TestUser.
Failed Login
[login]

so it checks that a valid_user is in session, but then later on when it tries to log the user in using the 'old_password' it fails and returns the 'Failed Login'.

am I not defining the username it needs to login with correctly?

ive tried changing the password manualy using PHP myadmin and this:
update BWmembers set password = sha1('$new_password') where username = '$username'
replacing the passwords and username and it worked fine. dont know if that helps...?

any help would be apreciated.
Thanks.

middleman666

ok... it wasnt working because the username wasn't being carried on by the session for some reason (if anyone knows why, please say).

ive created a quick fix which seems to be working. i added a username field to the change password form and echo'd the session[valid user] into it and i simply added:
$username = $_POST['username'];
to the list of short variable names.

i suppose that means its kinda resolved now, but if anyone would like to add a real reason/solution for this error then please do.

thanks to the people that replied!

tunage

Were you assigning $_SESSION['valid_user'] to $username before you queried mysql?

middleman666

yea i tried putting:
$_SESSION['valid_user'] = $username;
before the queries but still no luck, i even stuck two in before each query to see if it would make a difference.