Hi, today I wrote a PHP script that would allow the users to change their password. When I tested it out, all that happened was the screen flashed like it was reloading and nothing changed. When I tried to log in using my login script, the old password was still active. Here's the code.
<?php
if ( isset($_POST['submit']) ) {
    if ( $_POST['oldpassword'] != "" || $_POST['newpassword1'] != "" || $_POST['newpassword2'] != "" ) {
        /////////////////////////////////
        $dbhost = 'localhost';
        $dbuser = '*******';
        $dbpass = '*******';
        $dbname = '*******';
        $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
        mysql_select_db($dbname);
        /////////////////////////////////
        $user = "testuser"; // I'll add a function to this so that $user is equal to the current user.
        $query = "SELECT password FROM users WHERE login = '$user'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result);
        $encuserpassword = $row['password'];
        $encuserinput = sha1($_POST['oldpassword']);
        mysql_close($conn);
        if ( $encuserinput == $encuserpassword ) {
            if ( $_POST['newpassword1'] == $_POST['newpassword2'] ) {
                /////////////////////////////////
                $dbhost = 'localhost';
                $dbuser = '*******';
                $dbpass = '*******';
                $dbname = '*******';
                $conn = mysql_connect($dbhost, $dbuser, $dbpass) or die ('Error connecting to mysql');
                mysql_select_db($dbname);
                /////////////////////////////////
                $user = "testuser"; // I'll add a function to this so that $user is equal to the current user.
                /////////////////////////////////
                $encnewpassword = sha1($_POST['newpassword1']);
                $query = "UPDATE users SET password = '$encnewpassword' WHERE login = '$user'";
                $result = mysql_query($query);
                echo "Your password has been changed.";
                mysql_close($conn);
            } else {
                $errormessage = "The two new passwords don't match.";
            }
        } else {
            $errormessage = "Your old password isn't valid.";
        }
    } else {
        $errormessage = "Please fill in all fields.";
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Change Password</title>
</head>
<body>
<br />
<?php echo $errormessage; ?>
<form name="password_change" method="post" action="">
<table width="350" border="0">
<tr>
<td>Enter Old Password: </td>
<td><input name="oldpassword" type="password" size="20" maxlength="15" /></td>
</tr>
<tr>
<td width="220">Enter New Password: </td>
<td width="120"><input name="newpassword1" type="password" size="20" maxlength="15" /></td>
</tr>
<tr>
<td>Re-Enter New Password: </td>
<td><input name="newpassword2" type="password" size="20" maxlength="15" /></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="Submit" value="Submit" /></td>
</tr>
</table>
</form>
</body>
</html>
Thanks for reading! Hope you guys can help!
-Joel
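
An added example, not part of the original post: in the script above the handler tests `$_POST['submit']` while the form's button is `name="Submit"`, and PHP array keys are case-sensitive, so the update branch is never entered. The sketch below assumes the page's `users(login, password)` table and PHP 5.5+ with PDO; the `change_password()` helper and the in-memory SQLite database with its sample row are hypothetical stand-ins, and it swaps `mysql_*` with unsalted `sha1()` for prepared statements with `password_hash()`/`password_verify()`.

```php
<?php
// Added example: hypothetical change_password() helper, not the poster's code.
// Assumes the page's users(login, password) table and PHP >= 5.5 with PDO.
function change_password(PDO $db, $login, array $post, &$error)
{
    // PHP array keys are case-sensitive: the form's button is name="Submit".
    if (!isset($post['Submit'])) {
        return false;
    }
    // Reject if ANY field is empty (the original only rejected when all were).
    $old  = isset($post['oldpassword'])  ? $post['oldpassword']  : '';
    $new1 = isset($post['newpassword1']) ? $post['newpassword1'] : '';
    $new2 = isset($post['newpassword2']) ? $post['newpassword2'] : '';
    if ($old === '' || $new1 === '' || $new2 === '') {
        $error = 'Please fill in all fields.';
        return false;
    }
    if ($new1 !== $new2) {
        $error = "The two new passwords don't match.";
        return false;
    }
    // Prepared statements keep request values out of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE login = ?');
    $stmt->execute(array($login));
    $hash = $stmt->fetchColumn();
    // password_verify() checks against a salted hash in constant time.
    if ($hash === false || !password_verify($old, $hash)) {
        $error = "Your old password isn't valid.";
        return false;
    }
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE login = ?');
    $stmt->execute(array(password_hash($new1, PASSWORD_DEFAULT), $login));
    return $stmt->rowCount() === 1; // report success only if a row was written
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (login TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(array('testuser', password_hash('old-secret', PASSWORD_DEFAULT)));

$post = array('Submit' => 'Submit', 'oldpassword' => 'old-secret',
              'newpassword1' => 'new-secret', 'newpassword2' => 'new-secret');
$error = '';
var_dump(change_password($db, 'testuser', $post, $error));                // matching key
var_dump(change_password($db, 'testuser', array('submit' => 1), $error)); // lowercase key
```

Hashes produced by `password_hash()` are longer than a 40-character SHA-1 hex digest, so the `password` column must be widened (the PHP manual recommends 255 characters), and existing SHA-1 rows will not pass `password_verify()` until those accounts set a new password.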