password change new format

tissam

I am trying another password change coding. but it gives "Your loginName and password do not match our records" always. pls provide me for the complete codes for "changepw1.php" because i am doing urgent project in my institute. I will attached all files in below. (this coding i abstracted from Internet)

MySQL table
CREATE TABLE users (
UserID INT(25) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
Username VARCHAR(65) NOT NULL ,
Password VARCHAR(32) NOT NULL ,
EmailAddress VARCHAR(255) NOT NULL
);

INSERT INTO users (Username, Password) VALUES ('tissam','1990');

databaseconnectinfo.php

<?php
$db_host = "localhost";
$db_user = "root";
$db_password = "user";
$db_database = "pass";

$dbc = mysql_connect($db_host, $db_user, $db_password) or die ('Non riesco a connettermi: ' . mysql_error());


$db_selected = mysql_select_db($db_database, $dbc) or die ("Errore nella selezione del database: " . mysql_error());

?>

changepw1.php

<?php

if (isset($_POST['submit'])) {
// Handle the form.

require_once ('databaseconnectinfo.php');
// Connect to the db.

// Create a function for escaping the data.
function escape_data ($data) {
global $dbc; // Need the connection.
if (ini_get('magic_quotes_gpc')) {
$data = stripslashes($data);
}
return mysql_real_escape_string($data, $dbc);
}
// End of function.

$message = NULL; // Create an empty new variable.

// Check for a loginName.
if (empty($_POST['Username'])) {
$lo = FALSE;
$message .= '<p>You forgot to enter your Login Name!</p>';
} else {
$lo = escape_data($_POST['Username']);
}

// Check for an existing password.
if (empty($_POST['Password'])) {
$pa = FALSE;
$message .= '<p>You forgot to enter your existing password!</p>';
} else {
$pa = escape_data($_POST['Password']);
}

// Check for a password and match against the confirmed password.
if (empty($_POST['password1'])) {
$npa = FALSE;
$message .= '<p>You forgot to enter your new password!</p>';
} else {
if ($_POST['password1'] == $_POST['password2']) {
$npa = escape_data($_POST['password1']);
} else {
$npa = FALSE;
$message .= '<p>Your new password did not match the confirmed new password!</p>';
}
}

if ($lo && $pa && $npa) { // If everything's OK.

$query = "SELECT UserID FROM users WHERE (Username='$lo' AND Password=PASSWORD('$pa') )"; 

$result = mysql_query ($query);
$num = mysql_num_rows ($result); 
if ($num == 1) {
$row = mysql_fetch_array($result, MYSQL_NUM);

// Make the query.
$query = "UPDATE users SET Password=PASSWORD('$npa') WHERE id=$row[0]";
$result = @mysql_query ($query); // Run the query.
if (mysql_affected_rows() == 1) { // If it ran OK.

// Send an email, if desired.
echo '<p><b>Your password has been changed.</b></p>';

exit(); // Quit the script.

} else { // If it did not run OK.
$message = '<p>Your password could not be changed due to a system error. We apologize for any inconvenience.</p><p>' . mysql_error() . '</p>';
}
} else {
$message = '<p>Your loginName and password do not match our records.</p>';
}
mysql_close(); // Close the database connection.

} else {
$message .= '<p>Please try again.</p>';
}

} // End of the main Submit conditional.

// Print the error message if there is one.
if (isset($message)) {
echo '<font color="red">', $message, '</font>';
}
?>

<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<fieldset><legend>Enter your information in the form below:</legend>

<p><b>Login Name:</b> <input type="text" name="Username" size="10" maxlength="20" value="<?php if (isset($_POST['Username'])) echo $_POST['Username'];?>" /></p>

<p><b>Current Password:</b> <input type="password" name="Password" size="100" maxlength="100" /></p>

<p><b>New Password:</b> <input type="password" name="password1" size="20" maxlength="20" /></p>

<p><b>Confirm New Password:</b> <input type="password" name="password2" size="20" maxlength="20" /></p>
</fieldset>

<div align="center"><input type="submit" name="submit" value="Change My Password" /></div>

</form>

bradgrafelman

When posting PHP code, please use the board's [noparse]
```
..
```
[/noparse] bbcode tags as they make your code much easier to read and analyze.
You probably shouldn't be posting your SQL login credentials for the entire world to see; I've obfuscated them in your post above.
Very few (if any) people that frequent these forums care how urgent your project is (it's your project, after all, not ours). Furthermore, not many people will simply spoonfeed you all the code and send you on your way. These forums exist to educate (IMHO, anyway) and help you fix the code.
Your code is a little hard to follow due to the lack of indenting. Please consider indenting your code properly so that it's easier for us to read it (and thus understand your problem and offer suggestions).
In your SELECT query, you use MySQL's PASSWORD() encryption function, yet in your sample INSERT above you show the password being stored as plain text. Obviously, you have to pick a method and be consistent.

Note that even if you did want to encrypt/hash the passwords being stored in your database (something you should be doing, by the way), then you should pay attention to the following note from the MySQL manual page for PASSWORD():

MySQL Manual wrote:
Note
The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA1() instead.
User-supplied data should never be placed directly into a SQL query string, else your code will be vulnerable to SQL injection attacks and/or simple SQL errors. Instead, you must first sanitize it with a function such as [man]mysql_real_escape_string/man (for string data).

tissam

Dear bradgrafelman,

Thanks for your reply. any way this is not final coding for my password change in my project. this is a only sample that i have given to you just to understand and how it works. As i am a beginner in PHP if you can elaborate little more with sample code highly appreciate. Also copy and paste is little difficult to keep proper indenting. sorry for that.
awaiting your reply please.