Change PW issue

sushix

Hi guys,

This is a basic password changing code, but somehow it seem that the logic is a bit wrong which cannot be changed or even prompt. Can anyone help me out on this?

Tks in advance

if($_POST['submit']){
		$user = $_SESSION['login'];
		$oldpass = $_POST['Pass'];
		$newpass = $_POST['newPass'];
		$repass = $_POST['rePass'];

	if($_POST['newPass'] == '' || strlen(($_POST['newPass'])) < 6){
		echo "<script> alert('Your password is less than 6 character!');</script>";

		if ($oldpass && $newpass && $repass){						

			$query = "SELECT * FROM user WHERE login = '$user'";
			$result = mysqli_query ($redConnect, $query) or die (mysqli_error($redConnect));
			while ($row = mysqli_fetch_array($result)){
				$dbpass = $row['user_password'];
			}
			if($newpass == $repass){
				$updatePass = "UPDATE usertable SET userpassword = '$repass' WHERE login_name = '$user'";
				$updated = mysqli_query ($Connect, $updatePass) or die (mysqli_error($redConnect));
			}else{
				echo "The new passwords does not match, please re-key in the password!";
			}
			if ($oldpass == $dbpass){					
			}else{
				echo"Password is incorrect!";
			}
		}
	}else{
		echo "Please fill in all the fields!";
	}
}

dagon

give this a try,

function change_pass($user,$oldpass,$newpass,$repass){

if($newpass==''||strlen(($newpass))<6){
	return ("<script> alert('Your password is less than 6 character!');</script>");
}

if($oldpass&&$newpass&&$repass){

	if($newpass!=$repass){
		return ("The new passwords does not match, please re-key in the password!");
	}

	$query = "SELECT * FROM user WHERE login = '$user'";
	$result = mysqli_query($redConnect,$query) or die(mysqli_error($redConnect));
	while ( $row = mysqli_fetch_array($result) ){
		$dbpass = $row['user_password'];
	}

	if($oldpass!=$dbpass){
		return ("Password is incorrect!");
	}else{
		$updatePass = "UPDATE usertable SET userpassword = '$repass' WHERE login_name = '$user'";
		$updated = mysqli_query($Connect,$updatePass) or die(mysqli_error($redConnect));
	}

}else{
	return ("Please fill in all the fields!");
}
}

echo change_pass($user,$oldpass,$newpass,$repass);

NB: you shouldn't be storeing the password as plain text, you should be sanitising the user input, you don't need a while loop to select one db value

sushix

so to sanitise, it would just to included in front of the post function?

sanitise($user) = $SESSION['login'];
sanitise($oldpass) = $POST['Pass'];
sanitise($newpass) = $POST['newPass'];
sanitise($repass) = $POST['rePass'];

tks for the help