Need a little help with PHP , Newbie

Kostikz666

Hello I trying to create page 'Change Password' , but I find out what it hard to make...
Here is code :

<?php
require_once "../db/connect.php";
session_start(); 
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']) && !empty($_SESSION['Password'])) 
{
	if(!empty($_POST['OLDpass']) && !empty($_POST['NEWpass']) && !empty($_POST['VALpass']))  

{ 
    $password = md5(mysql_real_escape_string($_POST['OLDpass'])); 
    $OLDpass = md5(mysql_real_escape_string($_POST['OLDpass']));  

    $NEWpass = md5(mysql_real_escape_string($_POST['NEWpass'])); 
    $VALpass = md5(mysql_real_escape_string($_POST['VALpass'])); 
	$NotCoded = $_POST['NEWpass'];

 $checkpassword = mysql_query("SELECT * FROM Users WHERE Password = '".$password."'");
 if(mysql_num_rows($checkpassword) == 1)  
 {  
    echo "<h1>Error</h1>";  
    echo "<p>Sorry, you're already using this password.</p>";  
 }  
 else  
 {  
	if ($_POST['Verti'] != $_SESSION['Verti']) {
	die("The code you've entered is incorrect!");

    $registerquery = mysql_query("UPDATE Users WHERE Username ='".$_SESSION['Username']."' SET Password='$NEWpass', NotCodedPass='$NotCoded'");  
		if($registerquery && $_POST['Verti'] == $_SESSION["Verti"])  
        echo "<h1>Success</h1>";  
        echo "<p>Your account was successfully created. Please <a href=\"../../index.php\">click here to login</a>.</p>";  
    /*
	}elseif($_POST['Verti'] != $_SESSION["Verti"]){
			echo "You entered incorrect code!";
	*/
	}else{  
        echo "<h1>Error</h1>";  
        echo "<p>Sorry, your registration failed. Please go back and try again.</p>"; 
		die(mysql_error());
    }  
 }  
}
}
?>

First time when I write code it worked but it changed all table passwor after I added WHERE Username ='".$_SESSION['Username']."' it stoped work and now it doesnt event work this lines :

     $checkpassword = mysql_query("SELECT * FROM Users WHERE Password = '".$password."'");
	 if(mysql_num_rows($checkpassword) == 1)  

     {  

        echo "<h1>Error</h1>";  

        echo "<p>Sorry, you're already using this password.</p>";  

     }

I always get same error :

Error , Sorry, your registration failed. Please go back and try again.

Thanks!

Matt_Denton

First of all:

if ($_POST['Verti'] != $_SESSION['Verti']) {
        die("The code you've entered is incorrect!");

    $registerquery = mysql_query("UPDATE Users WHERE Username ='".$_SESSION['Username']."' SET Password='$NEWpass', NotCodedPass='$NotCoded'");

It will die before you even get to that third line.

Second of all:

if($registerquery && $_POST['Verti'] == $_SESSION["Verti"])  

            echo "<h1>Success</h1>";  

            echo "<p>Your account was successfully created. Please <a href=\"../../index.php\">click here to login</a>.</p>";

You're missing curly braces here, and you also don't need to check that $POST['Verti'] == $SESSION["Verti"] because you already checked if they were equal, and you died otherwise. Perhaps:

if($registerquery)  {
            echo "<h1>Success</h1>";  

            echo "<p>Your account was successfully created. Please <a href=\"../../index.php\">click here to login</a>.</p>"; 
}

But regardless of all that, the output you're getting indicates that this:

$_POST['Verti'] != $_SESSION['Verti']

Is false. Your code's not doing what you want it to. I think what you want is...

<?php
require_once "../db/connect.php";
session_start(); 
if(!empty($_SESSION['LoggedIn']) && !empty($_SESSION['Username']) && !empty($_SESSION['Password'])) 
{
    if(!empty($_POST['OLDpass']) && !empty($_POST['NEWpass']) && !empty($_POST['VALpass']))  

    {
		$password = md5(mysql_real_escape_string($_POST['OLDpass'])); 
		$OLDpass = md5(mysql_real_escape_string($_POST['OLDpass']));  

		$NEWpass = md5(mysql_real_escape_string($_POST['NEWpass'])); 
		$VALpass = md5(mysql_real_escape_string($_POST['VALpass'])); 
		$NotCoded = $_POST['NEWpass'];

	$checkpassword = mysql_query("SELECT * FROM Users WHERE Password = '".$password."'");
	if(mysql_num_rows($checkpassword) == 1)  
	{  
		echo "<h1>Error</h1>";  
		echo "<p>Sorry, you're already using this password.</p>";  //do you really want to print out this message? 
		//Perhaps just tell them that their password change was successful instead of telling them they are already using this pword.
	}  
	else  
	{
		if ($_POST['Verti'] != $_SESSION['Verti']) {
			echo "<h1>Error</h1>";  
			echo "<p>Sorry, your registration failed. Please go back and try again.</p>"; 
			die("The code you've entered is incorrect!");
		}

		$registerquery = mysql_query("UPDATE Users WHERE Username ='".$_SESSION['Username']."' SET Password='$NEWpass', NotCodedPass='$NotCoded'");  
		if($registerquery)  {
			echo "<h1>Success</h1>";  
			echo "<p>Your account was successfully created. Please <a href=\"../../index.php\">click here to login</a>.</p>";  
		}
	}  
}
}
?>

Also... Why are you storing a non-hashed version of the password? That's insecure... Also, what is $VALpass for? It's never used. Why is it even required in the POST parameters?

Kostikz666

Thank you very much, yeah I missed a lot, next time I need to write code when I'll have time 😃
Ok starting from 1 question
1) I store non-hashed version just for now , i check if it change password correctly , i will delete non-hashed password later 🙂
2) VALpass is Validatation Password i forget to add line to check if NEWpass Is equal to VALpass then you procced to next lines...
And of course I will need to learn More! more! and More! 🙂