Help with Change Password Code

anaitis4

Hello! I'm really new to php (just started learning a month ago) and this is my first post so please excuse any stupid questions.
I am building a site for a client and I cannot get my change password code to work.

Here's the code from the page with the form on it:

<table border='0' width='50%' cellspacing='0' cellpadding='0' align=center style="height: 153px"><form name=form2 method=post action=change-passwordck.php onsubmit='return validate(this)'><input type="hidden" name="todo" value="post"/>

<tr ><td bgcolor="#FFFFFF" style="width: 201px" >&nbsp;<font face='Verdana' size='2' color="#000000" ><b>User Name:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'> 
	<input type="text" name="userame" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username'];?>" style="width: 132px" /> 

<tr ><td bgcolor="#FFFFFF" style="width: 201px" >&nbsp;<font face='Verdana' size='2' color="#000000" ><b>Current password:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'> 
	<input type="password" name="password" size="20" maxlength="20" style="width: 132px" />

<tr ><td bgcolor="#FFFFFF" style="width: 201px" >&nbsp;<font face='Verdana' size='2' color="#000000" ><b>New password:</b> </font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'>
	<input type="password" name="password1" size="20" maxlength="20" style="width: 131px" />

<tr ><td bgcolor="#FFFFFF" style="width: 201px" >&nbsp;<font face='Verdana' size='2' color="#000000" ><b>Confirm New password:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'> 
	<input type="password" name="password2" size="20" maxlength="20" style="width: 131px" /><tr ><td bgcolor="#FFFFFF" colspan="2" class="style4" ><font face='Verdana' size='2'> <input type="submit" name="submit" value="Change My password" /></font></td> 
</tr></font></td></table></form>

And here's the code from the page that checks that code:

//At the top of the page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<? include "include/z_db.php"; ?>

//in the <body>

<?
if(isset($todo) and $todo=="changepassword"){
$password=mysql_real_escape_string($password);

//Setting flags for checking
$status = "OK";
$msg="";




if ( strlen($password) < 3 or strlen($password) > 8 ){
$msg=$msg."Password must be more than 3 char legth and maximum 8 char lenght<BR>";
$status= "NOTOK";}					

if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}					



if($status<>"OK"){ 
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("UPDATE accounts SET password='$password' WHERE username='$session[username]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password has been changed successfully.</font></center>";
}
}
}
echo "<center><font face='Verdana' size='2' ><br><br>Click <a href=logout.php>here to logout</a> &nbsp; | &nbsp; <a href=changepassword.php>Change Password</a><br></center></font>";

?>

Any ideas what might be wrong. I'm at a loss and I've been staring at this code far too long to be of any more use to myself. Thanks in advance for any help you can offer.

-Ash

bradgrafelman

Please wrap your code in the board's [noparse]
[/noparse] bbcode tags as they make your code much, much easier to read.
You should start using the full '<?php' tags versus the deprecated '<?' short tags, as these aren't enabled on all servers and aren't even available in the next version of PHP.
Where is $todo ever defined? Or $password? Or ...? It looks like your script depends on register_globals being enabled. This directive was long ago discovered to be a security risk and has since been disabled by default. You should convert all of your scripts to use the superglobal arrays such as $POST or $GET. More info about these variables can be found here: [man]variables.superglobal[/man].
You could get rid of the $status variable if you want and just check if $msg is still an empty string (meaning you didn't add any error messages, thus the "status" is OK).
$session isn't defined - perhaps you meant $_SESSION ?

Just as a side note, you might want to look into validating your HTML once you get the errors fixed.

anaitis4

[Separate threads merged -- MOD]

Hello,
I'm very new to PHP (just started learning a month ago) and i'm having some trouble. Please excuse me if these questions are simple. I'm pretty stuck.

I'm trying to write code that will allow users to change their password. The way I have it set up is that there's a page called 'changepassword.php' that has the form on it and then there's a page called 'change-passwordck.php' that checks the form. But it doesn't work. When you fill out the form and hit 'submit' the 'change-passwordck' page does come up but it doesn't spit out the message it should and the database does not update.

Here's my code.....

'changepassword.php'
//The following is at the very top of the page:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<? include "include/z_db.php"; ?>

//The following is in the <body>
<table border='0' width='50%' cellspacing='0' cellpadding='0' align=center style="height: 153px"><form name=form2 method=post action=change-passwordck.php onsubmit='return validate(this)'><input type="hidden" name="todo" value="post"/>

<tr ><td bgcolor="#FFFFFF" style="width: 201px" > <font face='Verdana' size='2' color="#000000" ><b>User Name:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'>
<input type="text" name="userame" size="10" maxlength="20" value="<?php if (isset($POST['username'])) echo $POST['username'];?>" style="width: 132px" />

<tr ><td bgcolor="#FFFFFF" style="width: 201px" > <font face='Verdana' size='2' color="#000000" ><b>Current password:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'>
<input type="password" name="password" size="20" maxlength="20" style="width: 132px" />

<tr ><td bgcolor="#FFFFFF" style="width: 201px" > <font face='Verdana' size='2' color="#000000" ><b>New password:</b> </font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'>
<input type="password" name="password1" size="20" maxlength="20" style="width: 131px" />

<tr ><td bgcolor="#FFFFFF" style="width: 201px" > <font face='Verdana' size='2' color="#000000" ><b>Confirm New password:</b></font></td><td bgcolor="#FFFFFF" ><font face='Verdana' size='2'>
<input type="password" name="password2" size="20" maxlength="20" style="width: 131px" /><tr ><td bgcolor="#FFFFFF" colspan="2" class="style4" ><font face='Verdana' size='2'> <input type="submit" name="submit" value="Change My password" /></font></td>
</tr></font></td></table>

'change-passwordck.php'
<?
if(isset($todo) and $todo=="changepassword"){
$password=mysql_real_escape_string($password);

//Setting flags for checking
$status = "OK";
$msg="";

if ( strlen($password) < 3 or strlen($password) > 8 ){
$msg=$msg."Password must be more than 3 char legth and maximum 8 char lenght<BR>";
$status= "NOTOK";}

if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}

if($status<>"OK"){
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("UPDATE accounts SET password='$password' WHERE username='$session[username]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password has been changed successfully.</font></center>";
}
}
}
echo "<center><font face='Verdana' size='2' ><br><br>Click <a href=logout.php>here to logout</a>   |   <a href=changepassword.php>Change Password</a><br></center></font>";

Any ideas of what could be preventing this code from working correctly? I've stared at it for so long that I'm useless as far as figuring out how I screwed it up. Thanks in advance for any help you guys can offer.

anaitis4

Forgive how stupid this is going to sound, but how and where do I define $todo and $password, etc? Also, how do I use $POST or $GET with these scripts?

I've learned most of what I've learned by imitation so I'm still not great at understanding placement of items or exactly how to define certain things sometimes. Sorry.
Could you posible go a little more in-depth? Thanks.

bradgrafelman

anaitis4 wrote:
how and where do I define $todo and $password, etc?

Well you would define them before you need to use them (which only makes sense). As for the how... well that's up to you. If, for example, you want $password to contain the data that the user POST'ed via a form field named "password," then you'd use the value of $POST['password'] to assign value to $password. Otherwise, you could simply use $POST['password'] instead of creating another variable.

anaitis4 wrote:
Also, how do I use $POST or $GET with these scripts?

You use them just like you use any other variable. As for which one to use, that depends on where you're trying to get data from. As I mentioned above, POST'ed data from a form would, naturally, be found in the $_POST array. You should take a look at the manual page I linked to if you haven't already for more information.