Change password not working

sridsam

Hi all,

The change password is not working, even typing the old password correctly, it is displaying "Old Password Does not match". Pl help.

Code :

<?php



$user = $_SESSION['user1'];



if ('$user')

{

if ($_POST['submit'])

{



$oldpassword = md5($_POST['oldpassword']);

$newpassword = md5($_POST['newpassword']);

$repeatnewpassword = ($_POST['repeatnewpassword']);




$connect = mysql_connect("localhost", "root", "nandanam") or die();

mysql_select_db("times") or die();

$queryget = mysql_query("SELECT password from euser WHERE username = '$user'") or die("Query not ok");



$row = mysql_fetch_assoc($queryget);



$oldpassworddb = $row['password'];



if ($oldpassword==$oldpassworddb)

{


   if ($newpassword==$repeatnewpassword)

{

$querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE username = '$user'");

session_destroy();

die("Your Password has been changed. <a href='eindex.php'>Return </a> to the main page");

}

else

die("New Passwords not matching !");

}

else

 die("Old Password doesn't match");





}

else

{

echo"



<form action ='changepassword.php' method='POST'>

Old Password : <input type='password' name='oldpassword'><p>

New Password : <input type='password' name='newpassword'><br>

Repeat New Password : <input type='password' name='repeatnewpassword'><p>

<input type='submit' name='submit' value='Change Password'>

</form>

";

}



}



else



die("You must be logged in to change your password!");





?>

niroshan

Hi sridsam,

Do you md5() the password when you enter it into the database on the registration?

instead of doing,

$user = $_SESSION['user1']; 

if ('$user')
{

you can directly check it as,

if (isset($_SESSION['user1']))
{

$repeatnewpassword = ($_POST['repeatnewpassword']);

YOu forgot the MD5() function here so,

if ($newpassword==$repeatnewpassword)
{

will always fail. But this is not your issue now.. it fail long before it comes here.

Regards,
Niroshan

Weedpacket

You've also forgotten to hash the repeated password. (To save time, why not just see if $POST['newpassword']==$POST['repeatnewpassword'] first? If they don't match you can stop checking right there - before you do use MD5 or query the database.)

halojoy

I have changed 4 things:

session_start()
if($user)
md5/B
$_SESSION = empty array before session_destroy()

But I also do not understand why you Query 2 different tables????
users
euser

I think it is now a good chance it will work!
🙂

<?php

session_start();
$user = $_SESSION['user1'];
if ($user)
{
	if ($_POST['submit'])
	{
	$oldpassword = md5($_POST['oldpassword']);
	$newpassword = md5($_POST['newpassword']);
	$repeatnewpassword = md5($_POST['repeatnewpassword']);

$connect = mysql_connect("localhost", "root", "nandanam") or die();
mysql_select_db("times") or die();

$sql = "SELECT password from euser WHERE username = '$user'"
$queryget = mysql_query($sql) or die("Query not ok");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];

if ($oldpassword==$oldpassworddb)
{
	if ($newpassword==$repeatnewpassword)
    {
    	$sql = "UPDATE users SET password='$newpassword' WHERE username='$user'";
	    $querychange = mysql_query($sql);
	    $_SESSION = array();
	    session_destroy();
	    die("Your Password has been changed. <a href='eindex.php'>Return </a> to the main page");
    }else
    	die("New Passwords not matching !");

}else
	die("Old Password doesn't match");

}else{

	echo "
	<form action ='changepassword.php' method='POST'>
	    Old Password : <input type='password' name='oldpassword'><p>
	    New Password : <input type='password' name='newpassword'><br>
	    Repeat New Password : <input type='password' name='repeatnewpassword'><p>
	    <input type='submit' name='submit' value='Change Password'>
	</form>
	";
}

}else
	die("You must be logged in to change your password!");

?>

sridsam

Hi helojoy,

It is not giving error now. ( it is accepting the new password ). But it is accepting only the old password not the new one..!!

Rgds

Sridsam

Weedpacket

As halojoy pointed out, you check passwords using "euser" table, but when you change a password you update the "users" table.