Update a users information - Change their own password

savj14

I have a script to register a name, email address, and give a random generated password at sign up. The user then can login only using that generated password. I want to be able to let the user login and change the password when he/she wants to. Eventually I want the users to be able to update their other information but for now the password change is needed.

here is what I have so far for changing the password.

<? 
include 'db.php';


$oldpasspass = $_POST["oldpasspass"]; 
$newpass = $_POST["newpass"]; 
$newpass2 = $_POST["newpass1"]; 

if ((!$oldpasspass) || (!$newpass) || (!$newpass2)) { 
echo "You forgot to enter some of the required information."; 
if (!$oldpasspass) { 
echo "You have to enter an old password!"; 
} 
if (!$newpass) { 
echo "You have to enter a new password!"; 
} 
if (!$newpass2) { 
echo "You have to retype your new password!"; 
} 
exit(); 
} 

if (($newpass) != ($newpass2)) { 
die("Your new passwords don't match!"); 
} 

$password = $newpass; 
$decrypted_pass = $newpass; 
$password = md5($password); 
$username = $_SESSION['username']; 


// connect to database 
$query = mysql_query("UPDATE users SET password='$password') 
WHERE username='$username'"); 

if ($result = mysql_query($query)){ 
echo "password changed<br>"; 
} else {echo "error changing password";} 

?>

I don't think this code is recognizing what user is logged in........and when I put the correct passwords in the text boxes it will always show every error message combined. If I type the correct old pass word, put two different passwords in for the new password it will still give me the error that I need to enter an old password.........I don't think it will ever give me "password changed" it cant get past the error messages

I would also like to compare the old password with the password that is in the database to make sure the user has the correct old password...............

can anyone please guide me in the right direction?

kburger

First, you've got some problems here:

$query = mysql_query("UPDATE users SET password='$password')
WHERE username='$username'");

if ($result = mysql_query($query))

but...

If your user is already on the 'change password' page, I'm assuming you've already validated that you have a valid user, right? If so, there's no need to force them to re-enter their old password (IMHO). Just validate the new password in some way and update their info. Something like this:

checkforvaliduser(); // I'll let you write this function.  Verify that we have a valid user or bounce them.
$username = $_SESSION['username'];
$newpass = $_POST["newpass"];
$newpass1 = $_POST["newpass1"];
$error = "";

if ($newpass != $newpass1) $error .= "<li>Your passwords don't match.</li>";
if (strlen($newpass) < 6) $error .= "<li>Passwords must be at least 6 characters in length.</li>"; // or whatever you say
// you might also want to check to insure that the new password isn't the same as the old password
// you also might want to make sure their password contains both letters and numbers, punctuation, etc.

if ($error) {
	echo "There were some errors that need to be taken care of before your password can be changed: <ul>$error</ul>";
} else {
	$password = md5($newpass);
	// connect to database
	$query = "UPDATE users SET password='$password' WHERE username='$username' LIMIT 1";
	$result = @mysql_query($query) or die("Password update failed.");
	echo "Password changed.";
}