Problem in Updating passwords in PHP-MySQL

Question

sumit007 0 Newbie Poster

14 Years Ago

Hii I m using PHP-MySQL to make a class assignment. In this i have made a login control. It was working very fine. But i made an attempt to provide the password changing facility. Since then my project is not logging in. It shows in table the new password but neither with new password nor with od password it logs me on..
Please help me in this..

mysql php

3 Contributors
5 Replies
99 Views
3 Days Discussion Span
Latest Post 14 Years Ago Latest Post by Fbody

as.bhanuprakash 2 Junior Poster

14 Years Ago

Code Please.

Fbody 682 Posting Maven

14 Years Ago

Provide the code for the login and change password methods.

You probably didn't handle the new password correctly in either your PHP or your SQL (or both). As a result, you didn't store the properly-encrypted version of it in your d-base. I suspect you'll find a hashing error in your change password method if you do a side-by-side comparison.

Edited 14 Years Ago by Fbody because: n/a

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

sumit007 0 Newbie Poster · Answer 1 · 2010-03-07T22:45:04+00:00

<?php


if($_POST['Button1']=="Change")
{
change();
}

function Change()
{
$con = mysql_connect("localhost","root","omomom");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("login", $con);
$result = mysql_query("SELECT * FROM password1
WHERE UserName='$_POST[Text1]'");

$row = mysql_fetch_array($result);
if($_POST['Text4']==$row['Password'])
{
 if($_POST['Text5']==$_POST['Text6'])
 {
  mysql_query("UPDATE password1 SET Password = '$_POST[Text5]'
  WHERE Username ='$_POST[Text3]'");
  echo"password changed";
 }
else
 {
  echo"passwords don't match";
 }
}
else
{
echo"wrong password";
}

mysql_close($con);

}

if($_POST['Button3']=="Show")
{
show();
}

function show()
{
$con = mysql_connect("localhost","root","omomom");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("login", $con);
$result = mysql_query("SELECT * FROM password1
WHERE UserName='$_POST[Text1]'");

$row = mysql_fetch_array($result);
echo "<table border='1'>
<tr>
<th>Name</th>
<th>Father's Name</th>
</tr>";
while($row = mysql_fetch_array($result))
  {
  echo "<tr>";
  echo "<td>" . $row['UserName'] . "</td>";
  echo "<td>" . $row['Password'] . "</td>";
  echo "</tr>";
  }

echo "</table>";
mysql_close($con);
}

?>

as.bhanuprakash 2 Junior Poster · Answer 2 · 2010-03-08T10:41:53+00:00

if($_POST['Text5']==$_POST['Text6'])
{
mysql_query("UPDATE password1 SET Password = '$_POST[Text5]'
WHERE Username ='$_POST[Text3]'");
echo"password changed";
}

In the above part of your code, the comparison for username is wrong i guess because here you are comparing WHERE Username ='$_POST[Text3]'" but in the other queries you are doing WHERE UserName='$_POST[Text1]'"

So i think the following will work fine.

mysql_query("UPDATE password1 SET Password = '$_POST[Text5]'
WHERE Username ='$_POST[Text1]'");

Fbody 682 Posting Maven Featured Poster · Answer 3 · 2010-03-08T20:22:48+00:00

I agree, it seems the OP is referencing the wrong row when you perform your update.

@OP:
Also, I see some serious security flaws:
1. You aren't guarding against SQL Injection attacks. Search the term for solutions, there are several threads on it.

2. It is not advisable to store the raw (plain-text) version of the password in your database. If someone hacks it (which won't be too hard based on what I'm seeing so far), they suddenly have all of your users' passwords. To make matters worse, they will have the password of the administrator and wreak some even more serious havoc with your site.