Hey everyone, so I have a change password form and script to go with it..but when I change the password to letters, symbols such as (#$%$) and numbers, it still tells me my input information is incorrect whether it be username, old password or new password...why is this?

here is the script for changepassword.php

<?php
session_start();

function Checker($str)
{
    $var = preg_match('/[^a-zA-Z]/', $str);
    return $var;
}
function CheckerNum($str)
{
  $var = preg_match('/[^a-zA-Z0-9]/', $str);
  return $var;
}

if(isset($_POST['submit']))
{
    //Get all the user inputs
    $username = $_POST['username'];
    $passwordOld = $_POST['passwordOld'];
    $passwordNew = $_POST['passwordNew'];
    $passwordNew1 = $_POST['passwordNew1'];

    //Connect to database: hostname, username, password and databasename
    $con = mysql_connect('************', '******', '*********') or die(mysql_error());
    mysql_select_db('********') or die(mysql_error());

    //Remove stuff from the user inputs...
    $username = mysql_real_escape_string(html_entity_decode(htmlentities($username)));
    $passwordOld = mysql_real_escape_string(html_entity_decode(htmlentities($passwordOld)));
    $passwordNew = mysql_real_escape_string(html_entity_decode(htmlentities($passwordNew)));
    $passwordNew1 = mysql_real_escape_string(html_entity_decode(htmlentities($passwordNew1)));

    //Die if account contains non-alphanumeric characters
    if(CheckerNum($username) == 1)
    {
      die("Error: Username contains invalid characters! Please try again <a href='changepassword-form.php'>here</a>!");
    }
    //Die if old password contains non-alphanumeric characters
    elseif(CheckerNum($passwordOld) == 1)
    {
      die("Error: Password contains invalid characters! Please try again <a href='changepassword-form.php'>here</a>!");
    }
    //Die if new password contains non-alphanumeric characters
    elseif(CheckerNum($passwordNew) == 1)
    {
      die("Error: New password contains invalid characters! Please try again <a href='changepassword-form.php'>here</a>!");
    }
    //Die if new password(confirm) contains non-alphanumeric characters
    elseif(CheckerNum($passwordNew1) == 1)
    {
      die("Error: New password contains invalid characters! Please try again <a href='changepassword-form.php'>here</a>!");
    }

    //If new pass and new pass(confirm) dont match, die.
    if($passwordNew != $passwordNew1)
    {
        die("New password fields must match! Please try again <a href='changepassword-form.php'>here</a>!");
    }

    //Get password from db
    $query = "SELECT password FROM users WHERE username = '".$username."' AND password = '".$passwordOld."'";

    $result = mysql_query($query) or die(mysql_error());
    $numrows = mysql_num_rows($result);


    //If no rows, means invalid user/pass, die.
    if($numrows == 0)
    {
        die("Invalid username/password! Please try again <a href='changepassword-form.php'>here</a>!");
    }

    //Change pass to new password
    $query = "UPDATE users SET password = '".$passwordNew."' WHERE username = '".$username."'";
    $result = mysql_query($query) or die(mysql_error());

    echo "The password for ".$username." was successfully changed! Please log in <a href='logIn.php'>here</a>!";


    //close mysql connection
    mysql_close();
}
else
{
include('changepassword-form.php');
}

?>

Any help would be greatly appreciated!! :)

Member Avatar for Zagga

Hi geneh23,

Firstly, you are adding plain text passwords to your database? You may want to rethink that.

The reason your code won't accept a username or password with special characters is because your CheckerNum function only allows numbers and upper & lower case letters. You need to adjust your preg_match syntax to allow special characters.

@Zagga, No you're right I should have the md5 function in the oldpassword and newpassword variables listed at the beginning when I gather all the user inputs correct?

and I'm sorry I confused the way I have the preg_match..I believe that part is correct because that is what I want..only lowercase and upper case letters and numbers..

Member Avatar for Zagga

Hi geneh23,
With the password you are right. You collect and validate the user input, then run the password the user entered through the hash (MD5 or SHA1 etc) then compare the result with what is stored in the database.

Your preg_match will only match the characters you mention, so if the user tries to enter any special characters ($%<) in the username or password the validation will fail during your function, before the database is checked and the user will be shown your error message. So if the actual user name or password has special characters in it the user will never be able to log in because your function doesn't allow them.
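The flow described above (validate, hash, compare with the stored value), as an added example that is not code from either poster: it swaps the MD5/SHA1 step for PHP's built-in `password_hash()`/`password_verify()`, which salt each hash and use a deliberately slow algorithm, and it uses PDO prepared statements in place of the `mysql_*` calls. The in-memory SQLite database (requires the `pdo_sqlite` extension), the `changePassword()` helper, and the `alice` account are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the thread's code. SQLite in memory stands in for MySQL
// so the script runs offline; the table layout and account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('Old#Pass$1', PASSWORD_DEFAULT)]);

// Hypothetical helper: returns 'changed' or an error message.
function changePassword(PDO $pdo, string $user, string $old, string $new, string $confirm): string
{
    // Usernames keep the thread's alphanumeric rule. Passwords are not filtered:
    // they are hashed and bound as parameters, never spliced into the SQL text.
    if (preg_match('/[^a-zA-Z0-9]/', $user) === 1) {
        return 'Error: Username contains invalid characters!';
    }
    if ($new !== $confirm) {
        return 'New password fields must match!';
    }

    // Look the account up by username only; the hash is compared in PHP.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    // One message for both "no such user" and "wrong password".
    if ($hash === false || !password_verify($old, $hash)) {
        return 'Invalid username/password!';
    }

    // Store only the new hash, never the password itself.
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'changed';
}

// Constructed calls. First: symbols in both passwords are accepted.
var_dump(changePassword($pdo, 'alice', 'Old#Pass$1', 'N3w%Pass&2', 'N3w%Pass&2'));
// Second: the old password no longer verifies after the change.
var_dump(changePassword($pdo, 'alice', 'Old#Pass$1', 'abc', 'abc'));
// Third: a username with quote characters is stopped by the whitelist.
var_dump(changePassword($pdo, "alice' OR '1'='1", 'x', 'y', 'y'));
```

The `html_entity_decode(htmlentities(...))` and `mysql_real_escape_string()` wrappers from the original script have no counterpart here because bound parameters keep user input out of the query text.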

@Zagga, I have added the md5 function with all of the password variables before going into the database..and I actually realized that the preg_match is the way it is supposed to be but even when I input the right characters, it still gives me the errors as if I inputted special symbols..why is this?..

Member Avatar for Zagga

Hi again geneh23,

Are you saying that even if you enter only alphanumeric characters you get one of the "Error: Username contains invalid characters!" messages?

@Zagga, yep, or any of the other messages..besides the one that changes my password

Member Avatar for Zagga

Hi geneh23,

I can't see why you would get errors. Your functions are correct and they should only display error messages if the user enters any non alphanumeric characters.

Try echoing the $_POST values you get from your form to make sure they are what you expect.
Add this code to line 22.

die ("Username: " . $username . "<br />PasswordOld: " . $passwordOld . "<br />PasswordNew: " . $passwordNew . "<br />PasswordNew1: " . $passwordNew1);

..I think I just figured out why I am getting errors..my log in form script isn't working... :/

so, I am wondering if I need to rewrite this script with the same idea in mind..I contacted GoDaddy and I am waiting on a response but there has got to be another way to rewrite the script to fit the same purpose that GoDaddy's server will work with..does anyone have any suggestions? any help would be great and very much appreciated :)

never mind..wrong post.. disregard the last comment..
