Member Avatar for j_limboo

New to PHP
Password change fails please advice

CREATE TABLE IF NOT EXISTS `ps_users` (
  `id` int(255) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL,
  `firstname` varchar(50) DEFAULT NULL,
  `lastname` varchar(50) DEFAULT NULL,
  `password` varchar(40) NOT NULL,
  `active` int(1) NOT NULL DEFAULT '0',
  `ip` text NOT NULL,
  `usergroup` text NOT NULL,
  `datasource_id` int(3) unsigned DEFAULT '0',
  `last_login` int(14) DEFAULT NULL,
  `day_limit` int(3) unsigned DEFAULT NULL,
  `language` varchar(5) NOT NULL DEFAULT 'en',
  `email` varchar(100) DEFAULT NULL,
  `pwd_updated` int(14) unsigned DEFAULT NULL,
  `created` int(14) unsigned NOT NULL DEFAULT '0',
  `owner_id` int(255) NOT NULL DEFAULT '0',
  `modified` int(14) unsigned DEFAULT NULL,
  `updated` int(14) unsigned DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `login` (`username`),
  KEY `active` (`active`),
  KEY `password` (`password`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;
<html>
<head>
</head>
<body bgcolor="#5791BF">
  <h1>Change Password</h1>
  <form method="POST" action="passch.php">
  <table>
    <tr>
          <td>Enter your UserName</td>
      <td><input type="username" size="10" name="username"></td>
      
      <td>Enter your existing password:</td>
      <td><input type="password" size="10" name="password"></td>
    </tr>
    <tr>
      <td>Enter your new password:</td>
      <td><input type="password" size="10" name="newpassword"></td>
    </tr>
    
  </table>
  <p><input type="submit" value="Update Password">
  </form>
  <p><a href="member-index.php">Home</a>
  <p><a href="logout.php">Logout</a>
</body>
</html>

<?php
$server="localhost";
$db_user="root";
$db_pass="brijpuja1";
$database="puresearch";
// connect to the mysql server
$link = mysql_connect($server, $db_user, $db_pass)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

$rs_pwd = mysql_query("select password FROM ps_users where username='$_POST[username]'");
list($old) = mysql_fetch_row($rs_pwd);

	if($old == md5($_POST['password']))
	{
	$newmd5 = md5(mysql_real_escape_string($_POST['newpassword']));
	mysql_query("update ps_users set password='$newmd5' where username='$_POST[username]'");
echo "Password Changed successfully";
	} else
	{
	echo "Password change failed";
	}
	
	
	?>
Edited by j_limboo because: n/a
  • 3 Contributors
  • 13 Replies
  • 198 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by j_limboo
Member Avatar for dr jekl

If you are using mysql_real_escape_string your

if($old == md5($_POST))

should be

if($old == md5(mysql_real_escape_string($_POST)))

Yes?

Member Avatar for j_limboo

Still do not change after doing the above
Is it something to do with table

Member Avatar for dr jekl

The variables you are comparing do not seem to be the same...

This:

list($old) = mysql_fetch_row($rs_pwd);

I believe would work as

@old = mysql_fetch_row($rs_pwd);

mysql_fetch_row will return the array of the items in the select.

Then your if should be like this:

if(@old[0] == md5(mysql_real_escape_string($_POST)))

Try and let me know.

Member Avatar for dr jekl

OR you can use something like this:

$old = mysql_fetch_array($rs_pwd));

and

if($old == md5(mysql_real_escape_string($_POST)))

Member Avatar for dr jekl

AND I just noticed this:

$_POST[username]

should be

$_POST['username']

and I'm not 100% percent but you might need to do a concatenate on the string instead of including it as it is for instance:

$rs_pwd = mysql_query("select password FROM ps_users where username='$_POST[username]'");

Should be:

$rs_pwd = mysql_query("select password FROM ps_users where username='".$_POST['username']."'");
Edited by dr jekl because: n/a
Member Avatar for nadnakinam 
<?php

$host="localhost";          // Host name 
$username="root";        // Mysql username 
$password="brijpuja1"; // Mysql password 
$db_name="puresearch";  // Database name 
$tbl_name="ps_users";     // Table name 

$username=$_POST['username'];
$oldpass=$_POST['oldpass']; 
$newpass=$_POST['newpass']; 
$conpass=$_POST['confirmpass'];

$encry_oldpass=md5($oldpass);          //encrypting old password

/*  Test OK
echo $username;
echo "<br />";
echo $oldpass;
echo "<br />";
echo $encry_oldpass;
echo "<br />";
die();   */

$con=mysql_connect("$host","$username","$password");
mysql_select_db("$db_name",$con);

$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$username' and password='$encry_oldpass'");
$count=mysql_num_rows($result);

if((!empty($newpass)&&!empty($conpass))&&($newpass==$conpass)&&($count==1))
 {
      $encry_conpass=md5($conpass);//encrypting confirm password

      $result2=mysql_query("UPDATE $tbl_name SET password='$encry_conpass' WHERE username='$username' and password='$encry_oldpass'");
      
      echo "Password Chamged Successfully"; 
      header("location:...............");	  // redirect to login page

 }
 else
 {
      echo"Password Change Fails";	 
      header("location:...............");	  // redirect to password change page
 }
?>

provided username must be an unique entry in your database...

Edited by nadnakinam because: n/a
Member Avatar for j_limboo

nadnakinam
I get this error

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'joelimboo'@'localhost' (using password: YES) in D:\webroot\puresearch\passch.php on line 37

Warning: mysql_select_db(): supplied argument is not a valid MySQL-Link resource in D:\webroot\puresearch\passch.php on line 38

Warning: mysql_query() [function.mysql-query]: Access denied for user 'ODBC'@'localhost' (using password: NO) in D:\webroot\puresearch\passch.php on line 40

Warning: mysql_query() [function.mysql-query]: A link to the server could not be established in D:\webroot\puresearch\passch.php on line 40

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in D:\webroot\puresearch\passch.php on line 41
Password Change Fails

my html code

<h1>Change Password</h1>
  <form method="POST" action="passch.php"><br/>

         Enter your UserName
      <input type="username" size="10" name="username"> <br/>
      
      Enter your existing password:
    <input type="password" size="10" name="oldpass"><br/>
Enter your new password:
      <input type="password" size="10" name="newpass"><br/>
      Enter your new password:
   <input type="password" size="10" name="confirmpass"><br/>


<input type="submit" value="Update Password">
  </form>

passch.php

<?php


$host="localhost";          // Host name 
$username="root";        // Mysql username 
$password="brijpuja1"; // Mysql password 
$db_name="puresearch";  // Database name 
$tbl_name="sumo_users";     // Table name 

$username=$_POST['username'];
$oldpass=$_POST['oldpass']; 
$newpass=$_POST['newpass']; 
$conpass=$_POST['confirmpass'];

$encry_oldpass=md5($oldpass);          //encrypting old password

/*  Test OK
echo $username;
echo "<br />";
echo $oldpass;
echo "<br />";
echo $encry_oldpass;
echo "<br />";
die();   */

$con=mysql_connect("$host","$username","$password");
mysql_select_db("$db_name",$con);

$result=mysql_query("SELECT * FROM $tbl_name WHERE username='$username' and password='$encry_oldpass'");
$count=mysql_num_rows($result);

if((!empty($newpass)&&!empty($conpass))&&($newpass==$conpass)&&($count==1))
 {
      $encry_conpass=md5($conpass);//encrypting confirm password

      $result2=mysql_query("UPDATE $tbl_name SET password='$encry_conpass' WHERE username='$username' and password='$encry_oldpass'");
      
      echo "Password Chamged Successfully"; 
     // header("location:...............");	  // redirect to login page

 }
 else
 {
      echo"Password Change Fails";	 
     // header("location:...............");	  // redirect to password change page
 }
?>

my table row

`sumo_users` (
  `id` int(255) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(100) NOT NULL,
  `firstname` varchar(50) DEFAULT NULL,
  `lastname` varchar(50) DEFAULT NULL,
  `password` varchar(40) NOT NULL,
  `active` int(1) NOT NULL DEFAULT '0',
  `ip` text NOT NULL,
  `usergroup` text NOT NULL,
  `datasource_id` int(3) unsigned DEFAULT '0',
  `last_login` int(14) DEFAULT NULL,
  `day_limit` int(3) unsigned DEFAULT NULL,
  `language` varchar(5) NOT NULL DEFAULT 'en',
  `email` varchar(100) DEFAULT NULL,
  `pwd_updated` int(14) unsigned DEFAULT NULL,
  `created` int(14) unsigned NOT NULL DEFAULT '0',
  `owner_id` int(255) NOT NULL DEFAULT '0',
  `modified` int(14) unsigned DEFAULT NULL,
  `updated` int(14) unsigned DEFAULT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `login` (`username`),
  KEY `active` (`active`),
  KEY `password` (`password`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=11 ;
Edited by j_limboo because: n/a
Member Avatar for nadnakinam

is mysql user & mysql password are correct?
verify, if wrong you'll get these errors...

paste the code on which you are getting error with respective errors next...

Error are in database connection only, try with password "no"...
establish correct database connection, sure that code'll work...

It works good for me...

Edited by nadnakinam because: n/a
Member Avatar for j_limboo

Now I get this
no errors
Password Change Fails

Member Avatar for j_limboo

the registration application saves password in this way. is it md5 at all
1d7d2fcc49f157c0be4456580011a58d469c71b6

Member Avatar for j_limboo

I just echoed md5 old password is correct but the echo md5 is different from database that means the registration form does nt save password in md5

Here is the look of the password saved in the database can anyone tell what type is it

1d7d2fcc49f157c0be4456580011a58d469c71b6
Please advice

Member Avatar for nadnakinam

hi j_limboo,

echo all variables after each declaration, analyse line-by-line...
try to find where goes wrong...

take some effort...
it is not recommended to post whatever you got...!

Member Avatar for j_limboo

I echo the old md5 password and it does not match the password in the database.
The registration application is using a different encryption
1d7d2fcc49f157c0be4456580011a58d469c71b6 using password brijpuja

md5 looks d41d8cd98f00b204e9800998ecf8427e using password brijpuja

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.