[RESOLVED] Update user's password in database useing a form

the_mysox1

This code is supposed to let the user change their password by typeing into the form their username and their old password and then their new password and they need to confirm the new password but the page ends up not updateing the password it just says that the password is updated. What should i do about it?

<?php 
// Connects to your Database
mysql_connect("localhost", "email", "qwe") or die(mysql_error()); 

mysql_select_db("email") or die(mysql_error());

//This code runs if the form has been submitted 

if (isset($_POST['submit'])) {   

//This makes sure they did not leave any fields blank

if (!$_POST['username'] | !$_POST['pass'] | !$_POST['new_pass'] | !$_POST['new_pass2']) 
{
die('You did not complete all of the required fields. Click your browsers back button to go back.');
}

// checks if the username is in use

if (!get_magic_quotes_gpc()) 
{
$_POST['username'] = addslashes($_POST['username']);
} 
$usercheck = $_POST['username'];
$ucheck = mysql_query("SELECT username FROM users WHERE username = '$usercheck'") or die(mysql_error());
$ucheck2 = mysql_num_rows($ucheck);

//if the username does not exists it gives an error 
if ($ucheck2 != 1) {
die('The username '.$_POST['username'].' you used does not exist please click <a href="add.php">here</a> to redgester');
}

// this makes sure both passwords entered match 
if ($_POST['new_pass'] != $_POST['new_pass2']) 
{
die('Your passwords did not match. ');
}


// here we encrypt the password and add slashes if needed 
$_POST['new_pass'] = md5($_POST['new_pass']);
if (!get_magic_quotes_gpc()) 
{
$_POST['new_pass'] = addslashes($_POST['new_pass']);
}

// now we insert it into the database 

$insert = "UPDATE users SET password = 'new_pass' WHERE username='username' AND password='pass'";
$add_member = mysql_query($insert);
?>
<h1>Password Changed</h1>
<p>You have sucsessfully changed your password - you may now <a href="/login.php">login</a>.</p>


<?php 
}

else {	 ?>
<html>
<body alink="white" vlink="white" link="white" background="/img/hrlines2.png">

<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> 
<table border="0" style="color:white" align="center">

<tr bgcolor=#990033><td>Username:</td><td> <input type="text" name="username" maxlength="60"> </td></tr>
<tr bgcolor=#276B9A><td>Password:</td><td> <input type="password" name="pass" maxlength="10"> </td></tr>
<tr bgcolor=#990033><td>New Password:</td><td> <input type="password" name="new_pass" maxlength="10"> </td></tr>
<tr bgcolor=#276B9A><td>Confirm New Password:</td><td> <input type="password" name="new_pass2" maxlength="10"> </td></tr>
<tr bgcolor=#990033><td colspan=2 align="center"><input type="submit" name="submit" value="Change password"></td></tr>   


</table>
</form> 
</body>
</html>

<?php 
} ?>

dagon

your update query is using the string new_pass (etc) not the variable.

the_mysox1

dagon;10961773 wrote:
your update query is using the string new_pass (etc) not the variable.

how do i set it to use the variable? what extra code do i neeed to add?

dagon

Variables:basics

the_mysox1

I know that variables start with '$' but in this case how would i set it up? i have tried setting it as a variable but i don't know how to do it in this case.

kiss_the_robot

$insert = "UPDATE users SET password = '" .$_POST['new_pass']. "' WHERE username='" .$_POST['username']. "' AND password='" .$_POST['pass']. "'";

kiss_the_robot

Also, it's a good idea to set up your MySQL queries with an error message in case your query doesn't work, like so:

mysql_query($insert) or die("invalid query: " . mysql_error());

the_mysox1

I placed this code

$insert = "UPDATE users SET password = '" .$_POST['new_pass']. "' WHERE username='" .$_POST['username']. "' AND password='" .$_POST['pass']. "'";

insted of the code

$insert = "UPDATE users SET password = 'new_pass' WHERE username='username' AND password='pass'";

but it still does not work

dagon

are the passwords stored in the db as plain text (bad) or are they hashed? echo the insert statement, are the values what you expect?

the_mysox1

in my WHERE statement i was useing the password that the user typed in without it being encripted and thus the WHERE statement never was sufficed and so by echoing it i realized my mistake and now it is fixed.

thanks to all who helped me!😃

the_mysox1

and yes they are with md5. In your opinion on a scale of 1-100, 1 being no security 100 being bank security where does md5 come in?

dagon

that's not an issue with so many other weakness in your code, like not sanitising user input before using it in a query.

the_mysox1

what u mean

sanitising user input before using it in a query

laserlight

In your case, it means the use of mysql_real_escape_string on string input, and ensuring that numeric input really is numeric.

the_mysox1

where do i have numaric input?