Hi,
I'm a 16 year old web designer and aspiring developer. I've learned the ins and outs of making a website look amazing, but I'm only now starting to try to figure out how the heck it's all possible. One of the things I run into with every site I make is a user account system (because everyone needs to sign up for everything nowadays). I'm trying to learn little-by-little how to make a simple yet fully-featured account system.
In this specific case, I'm working on a very simple login system that only myself and a few friends will use. For that reason, I'm not concerned with security, injections, all that stuff. Actually, the login system was built (by me) without a MySQL connection, using PHP arrays to authenticate the few of us. Now, however, I want to give them a chance to change their password whenever they want via an easy interface. Therefore, I knew I'd have to start integrating MySQL. The ideal goal is to allow them to log in with either the password set in the PHP code or the updated one in the database.
My code is posted below (along with what page each code is in). Currently, a user types in their old password and both new passwords and it directs to ?error=1. Nothing can be found in the PHP error_log and no change is made to the password in the database. Any help getting this to work would be appreciated.
account.php (PHP)
<?php
session_start();
if(!$_SESSION['username'])
{
    header("Location: index.php");
    exit; // stop here so the rest of the page never runs for a visitor who is not logged in
}
$db_host = *WITHHELD*
$db_user = *WITHHELD*
$db_pass = *WITHHELD*
$db_name = *WITHHELD*
$mysql = mysql_connect($db_host, $db_user, $db_pass, $db_name);
if(isset($_POST['submitpw'])) {
    if($_POST['currentpw'] == $_SESSION['password'] && $_POST['newpw'] == $_POST['confirmpw']) {
        $username = $_SESSION['username'];
        $securepw = md5($_POST['newpw']);
        $query = "UPDATE users SET password='$securepw' WHERE username='$username'";
        if (mysql_query($query, $mysql)) {
            header("Location: account.php?success=1");
        } else {
            header("Location: account.php?error=1");
        }
    }
}
?>
account.php (HTML Excerpt)
<h3>Change Password</h3>
<form class="form-inline" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
    <fieldset>
        <div class="form-group">
            <input id="currentpw" name="currentpw" type="password" placeholder="Current Password" class="form-control input-md" required="">
        </div>
        <div class="form-group">
            <input id="newpw" name="newpw" type="password" placeholder="New Password" class="form-control input-md" required="">
        </div>
        <div class="form-group">
            <input id="confirmpw" name="confirmpw" type="password" placeholder="Confirm Password" class="form-control input-md" required="">
        </div>
        <div class="form-group">
            <button id="submitpw" name="submitpw" class="btn btn-primary">Submit</button>
        </div>
    </fieldset>
</form>
<?php
if($_GET['success'] == "1") {
    echo "<div class='alert alert-success' style='margin-top:20px;'><i class='fa fa-check-circle'></i> Your password has been updated successfully.</div>";
}
elseif($_GET['error'] == "1") {
    echo "<div class='alert alert-danger' style='margin-top:20px;'><i class='fa fa-times-circle'></i> We are unable to process your request at this time.</div>";
}
?>
login.php (I realize nobody will be able to log in after changing their password. I haven't gotten there yet. I'll be able to do that on my own.)
<?php
session_start();
$userinfo = array(
    'michaela'=>'*WITHHELD*',
    'Kyle'=>'*WITHHELD*',
    'josh'=>'*WITHHELD*'
);
if(isset($_POST['username'])) {
    if($userinfo[$_POST['username']] == $_POST['password']) {
        $_SESSION['username'] = $_POST['username'];
        $_SESSION['password'] = $_POST['password'];
        header('Location: downloads.php');
    }else {
        header('Location: login-failed.php');
    }
}
?>
Please let me know what I have wrong and how I can fix it to allow my users to change their passwords. (Once again, for the purposes of this project, I don't care about "good practice", mainly because I'll be integrating this project into another, and at that time, I'll be cleaning things up.)
Thanks for any help.
Kind regards,
Kyle
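
An added example, not part of the original post: a password-change routine for the same users table, written with PDO prepared statements and password_hash()/password_verify() in place of mysql_* and md5(). The change_password() function, the in-memory SQLite database and the sample row are assumptions made so the block runs offline.

```php
<?php
// Added example (not the poster's code). The table and column names come from
// the post's UPDATE query; everything else here is constructed for illustration.

/**
 * Change a user's password. Returns true only when the current password
 * verifies against the stored hash and exactly one row was updated.
 */
function change_password(PDO $pdo, string $username, string $currentPw,
                         string $newPw, string $confirmPw): bool
{
    if ($newPw === '' || $newPw !== $confirmPw) {
        return false;
    }
    // Check the current password against the database hash rather than a
    // plaintext copy kept in $_SESSION.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($currentPw, $stored)) {
        return false;
    }
    // Bound parameters keep user input out of the SQL text; password_hash()
    // salts and uses a deliberately slow algorithm, unlike bare md5().
    $upd = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($newPw, PASSWORD_DEFAULT), $username]);
    return $upd->rowCount() === 1;
}

// With PDO the database is named in the DSN ('mysql:host=...;dbname=...').
// mysql_connect()'s fourth argument is a new-link flag, not a database name.
// Constructed demo database so the block runs offline (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw instead of passing silently
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['kyle', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong current password, mismatched confirmation, then a valid change.
var_dump(change_password($pdo, 'kyle', 'wrong', 'n3w-secret', 'n3w-secret'));
var_dump(change_password($pdo, 'kyle', 'old-secret', 'n3w-secret', 'mismatch'));
var_dump(change_password($pdo, 'kyle', 'old-secret', 'n3w-secret', 'n3w-secret'));
```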