Change Password

devil_vin

Hi..guys!Did there any bugs on the following script?My script always execute on else part.Thanks...

<?php
include ('dbconn.cfg');// database configuration file
$connection = @mysql_connect("localhost", "root", "") or die("Cannot connect to server!");
if (isset($_SESSION['gmemberid']))
{

$tbl_name = "member";
$sql = "SELECT password FROM $tbl_name";

$result = @mysql_query($sql, $connection) or die("Cannot execute query.");
if (isset($_POST['changePw']))
{
    if ($result == $_POST['oldPw'])
    {
       $update = mysql_query("
	              UPDATE 
                       $tbl_name
                  SET
                       password = '" . mysql_real_escape_string($_POST['newPw1']) . "',

                  WHERE
                       password = '" . mysql_real_escape_string($_REQUEST['password']) . "',

                  ");
                echo($update);
   	            exit();
		        $changed = mysql_query($update) or die(mysql_error());

		//$result = $_POST['newPw1'];
        $redirectUrl = "http://localhost/www2/home.html";
        print "<script type=\"text/javascript\">";
        print "window.location.href = '$redirectUrl'";
        print "</script>";
    }
    else
    {
        $status = "Wrong Old Password!";// wrong old password
    }


}


}
?>

jrolands

The reason you get an error is that you haven't fetched the data from the mysql_query..

another thing i want to comment on this script is the potential hazard of not encrypting your passwords.. in mysql there's a function called password() that encrypts your passwords..
and you might also take in considering the chanse of users having the same passwords.
the query you'r using is getting rows based on the password, so i urge you to consider inputing the username into the query to..

example:

$result = mysql_query("SELECT * FROM member WHERE username = '$username' AND WHERE password = password('$old_pass')");
if(!$result) {
  echo("Something went wrong:".mysql_error());
} else {
  if (mysql_num_rows($result) == 1) {
    put udatequery here..
  } else {

echo("Wrong old password");
  }
}

devil_vin

Thanks for replying.It said that Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource when the page is loaded.I am using email address as username.

$result = "SELECT * FROM $tbl_name WHERE email = '" . $_REQUEST['email'] . "'
	        AND password = '" . $_REQUEST['password'] . "' ";
    if (!$result)
    {
        echo ("Something went wrong:" . mysql_error());
    }
    else
    {
        $num_row = mysql_num_rows($result);
        if ($num_row == 1)
        {

        //$result = @mysql_query($sql, $connection) or die("Cannot execute query.");
        //$oldPw = mysql_result($result, 0);
        if (isset($_POST['changePw']))
        {
            if ($oldPw == $_POST['oldPw'])
            {
                $update = mysql_query("
	              UPDATE 
                       $tbl_name
                  SET
                       password = '" . mysql_real_escape_string($_POST['newPw1']) .
                    "',

                  WHERE
                       password = '" . mysql_real_escape_string($_REQUEST['password']) .
                    "',

                  ");
                echo ($update);
                exit();
                $changed = mysql_query($update) or die(mysql_error());

                //$result = $_POST['newPw1'];
                $redirectUrl = "http://localhost/www2/home.html";
                print "<script type=\"text/javascript\">";
                print "window.location.href = '$redirectUrl'";
                print "</script>";
            }
            else
            {
                $status = "Wrong Old Password!";// wrong old password
            }


        }


    }
}

}
?>

jrolands wrote:
The reason you get an error is that you haven't fetched the data from the mysql_query..

another thing i want to comment on this script is the potential hazard of not encrypting your passwords.. in mysql there's a function called password() that encrypts your passwords..
and you might also take in considering the chanse of users having the same passwords.
the query you'r using is getting rows based on the password, so i urge you to consider inputing the username into the query to..

example:
$result = mysql_query("SELECT * FROM member WHERE username = '$username' AND WHERE password = password('$old_pass')");
if(!$result) {
  echo("Something went wrong:".mysql_error());
} else {
  if (mysql_num_rows($result) == 1) {
    put udatequery here..
  } else {

echo("Wrong old password");
  }
}

jrolands

well that's simply because right now $result is a string... try adding mysql_query.. ;P

jrolands

remember.. when getting data from a table first you have to execute the query with the mysql_query function, and then get array with either mysql_fetch_array, or count rows with mysql_num_rows..
try browsing the mysql function in the php manual..

jrolands

and one more thing.. in this script the "if(mysql_num_rows($result) == 1) {" will turn false if the old password is incorrect, which means that you don't need "if ($oldPw == $_POST['oldPw'])"

devil_vin

jrolands wrote:
well that's simply because right now $result is a string... try adding mysql_query.. ;P

I thought that mysql_result can retrieve value from a string,how come need to put $result into mysql_query again to produce another string then only retreive its value??

jrolands

from where do you get mysql_result? that function is not used in the script you wrote..

devil_vin

jrolands wrote:
from where do you get mysql_result? that function is not used in the script you wrote..

Even when I wrote,problem still remain.

$result = "SELECT * FROM $tbl_name WHERE email = '" . $_REQUEST['email'] . "'
	        AND password = '" . $_REQUEST['password'] . "' ";
    if (!$result)
    {
        echo ("Something went wrong:" . mysql_error());
    }
    else
    {
             //$result = @mysql_query($sql, $connection) or die("Cannot execute query.");
            //$oldPw = mysql_result($result, 0);
            if (isset($_POST['changePw']))
            {
                $oldPw = mysql_result($result, 0);
                if ($oldPw == $_POST['oldPw'])
                {

jrolands

cause you haven't sent the query. like i said, you have to use the mysql_query() function first, and then use mysql_num_rows with the resource mysql_query returns..
check out the Return section on mysql_query in the php manual..

this one will work

$result = mysql_query("SELECT * FROM $tbl_name WHERE email = '" . $_REQUEST['email'] . "'
            AND password = '" . $_REQUEST['password'] . "'");
if (!$result){
	echo ("Something went wrong:" . mysql_error());
} else {
	$num_row = mysql_num_rows($result);
	if ($num_row == 1) {
		if (isset($_POST['changePw'])){
			$update = mysql_query("UPDATE $tbl_name SET password = '" . mysql_real_escape_string($_POST['newPw1']) . "'
			WHERE email = '" . $_REQUEST['email'] . "'");
		} else {
			$status = "Wrong Old Password!";
		}
	}
}

jrolands

by the way, in the script i just gave you i changed the where calause in the update query for the same reason that i said you should have username in the first query..

devil_vin

Now no more warning but the password can't be changed and page is not redirected.

 $result = mysql_query("SELECT * FROM $tbl_name WHERE email = '" . $_REQUEST['email'] ."' 
	                      AND password = '" . $_REQUEST['password'] . "' ");

if (!$result)
{
    echo ("Something went wrong:" . mysql_error());
}
else
{
    $num_row = mysql_num_rows($result);
    if ($num_row == 1)
    {
        if (isset($_POST['changePw']))
        {
            $update = mysql_query("UPDATE $tbl_name SET password = '" . mysql_real_escape_string($_POST['newPw1']) .                                       "' WHERE email = '" . $_REQUEST['email'] . "'");

            $redirectUrl = "http://localhost/www2/home.html";
            print "<script type=\"text/javascript\">";
            print "window.location.href = '$redirectUrl'";
            print "</script>";

        }
        else
        {
            $status = "Wrong Old Password!";// wrong old password
        }

     }

}

}

?>

devil_vin

Now no more warning but the password can't be changed and page is not redirected.

 $result = mysql_query("SELECT * FROM $tbl_name WHERE email = '" . $_REQUEST['email'] ."' 
	                      AND password = '" . $_REQUEST['password'] . "' ");

if (!$result)
{
    echo ("Something went wrong:" . mysql_error());
}
else
{
    $num_row = mysql_num_rows($result);
    if ($num_row == 1)
    {
        if (isset($_POST['changePw']))
        {
            $update = mysql_query("UPDATE $tbl_name SET password = '" . mysql_real_escape_string($_POST['newPw1']) .                                       "' WHERE email = '" . $_REQUEST['email'] . "'");

            $redirectUrl = "http://localhost/www2/home.html";
            print "<script type=\"text/javascript\">";
            print "window.location.href = '$redirectUrl'";
            print "</script>";

        }
        else
        {
            $status = "Wrong Old Password!";// wrong old password
        }

     }

}

}

?>

jrolands

does it print Wrong Old Password?
btw, did you write this script your self?

devil_vin

jrolands wrote:
does it print Wrong Old Password?
btw, did you write this script your self?

Of course.It doesn't print anything,maybe the session can't be established after login.

jrolands

i suggest you put an echo in each of the if statements so you can see which one is failing..