Okay, I have it working, but atm anyone can change anyone's password.

Here's my form:

<form action="changepass.php" method="post">
<font color="#FFFFFF" size="1">
<input type="text" name="id" value="Username"/>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<b><input type="text" name="oldpassword" value="Current Password"/></font></b>
<input type="text" name="newpassword" value="New Password"/></font></b>
<b><input type="text" name="connewpassword" value="Confirm New"/></font></b>
<input type="submit" value="submit"/></font></b>
</form>

Changepass.php:

?php
$con = mysql_connect("*");

if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("*", $con);

$sql="UPDATE users SET `password` = '$_POST[password]' WHERE `username` = '$_POST[id]'";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "<font color='#FFFFFF' size='2'>1 record updated</font>";

mysql_close($con)

?>

How would I make it check the username and current password are correct, if they are, change it to the new password (which has to be confirmed with both fields) or die if anything is wrong.

Thanks in advance
~Karl

    ask for the old pasword and username, if those match then update with the primary key.
    i found this example code which makes you want:

    <?php

if ( 
    empty( $_POST["username"] ) OR
        empty( $_POST["oldpassword"] ) OR
        empty( $_POST["password_new1"] ) OR
        empty( $_POST["password_new2"] ) 
        ) 
		print "Please fill all required fields!";
	else 
	{
    	if ( $_POST["password_new1"] != $_POST["password_new2"] )
        	print "The new passwords did not match";
    	else {
	        $res = mysql_query( 
	            sprintf( "select userID from `users`  WHERE  username='%s' AND password='%s'  LIMIT 1",
	                mysql_real_escape_string( $_POST["username"] ) ,
	                sha1( $_POST["oldpassword"] ) 
	                ) 
	            ) ;

        if ( mysql_num_rows( $res ) == 1 ) {
            $row = mysql_fetch_assoc( $res );
            mysql_query( 
                sprintf( "UPDATE `users` SET password='%s' WHERE userID='%d'" ) ,
                sha1( $_POST["password_new1"] ) ,
                $row["userID"] 
                );
            print( "UN/PASS changed" );
        } else
            print( "UN/PASS is wrong" );
	} 
}
?>

      That's perfect, thanks a lot 🙂

        Had a good mess around with the code, but I still can't get it to work 🙁

          copy-paste solutions are a bit tricky.

          -i'm using sha1 encrypting on the inserted password.
          -these codes not always been tested, in this case it's untested
          -it's up to you to insert test codes, print the SQL insert for testing, ect...
          -the inserted SQL queries using example table/field/primary key names.
          -$_POST indexes such as (old_password , new_password1) needed to be changed to the real names.

          I show a logic with the codes, you need to realise a program with this.

            I never knew what sha1 was, that's probably why I couldn't get it to work as the passwords in my database aren't encrypted as there's no need to encrypt them.

            I'll keep changing it to fit my needs, thanks.

              Its suggested to encrypt user's passwords.
              you just need to replace sha1 into mysql_real_escape_string in the posted code to keep your database protected from user injections.

                Done it, thanks a lot for your help 🙂

                  Write a Reply...