Member Avatar for andyy121

the password in database doesnt changet when i press change button in the page i show me the pass is change but when i log in with the new pass it show incorrect pass help please

<?php

session_start ();

$user = @$_SESSION['username'];

if ($user)
{
//user is logged in
if (@$_POST['submit'])
{
//check fields
$oldpassword =md5(@$_POST['oldpassword']);
$newpassword = md5(@$_POST['newpassword']);
$repeatnewpassword =md5(@$_POST['repeatnewpassword']);
//check password against db

//connect to db
$connect = mysql_connect ("localhost","root","") or die();
mysql_select_db("phplogin")or die();

$queryget = mysql_query ("SELECT password FROM users WHERE username='$user'")or die ("Query didnt work");
$row = mysql_fetch_assoc($queryget);

$oldpassworddb = $row ['password'];


//check passwords
if($oldpassword==$oldpassworddb)
{
//check the new password
if ($newpassword==$repeatnewpassword)
{
//succes
//change password in db
$querychange = mysql_query ("
UPTADE users SET password='$newpassword' WHERE username='$user'
");
session_destroy();
die ("Your password has been changed.<a href='index.php'>Return </a>to the main page");

}
else 
 die ("New password dont match!");
}
else 
 die("Old password doesnt match!");
}
else
{
echo("
<form action ='changepassword.php' method='POST'>
 Old password: <input type ='text' name ='oldpassword'><p>
 New password: <input type='password' name='newpassword'><br>
 Repeat new password <input type='password' name='repeatnewpassword'><p>
 <input type='submit' name='submit' value='Change password'>
</form>
");
}

}
else
   die ("You must be logged in to change your password");
?>
Edited by pritaeas because: Changed code snippet into discussion thread
  • 7 Contributors
  • 15 Replies
  • 14K Views
  • 5 Years Discussion Span
  • Latest Post Latest Post by diafol
Member Avatar for <M/>

Is this for any cms in specific?
Joomla, Drupal, WP, etc.

Member Avatar for Javvy

Line 37: UPDATE not UPTADE

Member Avatar for andyy121

yess :) the pass can change example: i put asdfg in the change password field and in the data base it is asdfg not encrypted,so when i try to log in it display incorrect password,so it is a problem with the md5,i have to make it manualy from the database for each, what should i do??

Member Avatar for andyy121

i have fix this no problem i remuved the md5 from $password =@$_POST['password'] ; thnx

Member Avatar for andyy121

can everybody recomend me some basic book of php or fondamental ideas of a complex page

Member Avatar for <M/>

There are lots of books based on php... there are a lot of good ones and a lot of repetitive ones... Good ones are the For Dummies series, o'Reily series, WROX, and a few others.

Member Avatar for Quezia

Didnt work for me, Query doesnt work ;/

Member Avatar for Quezia 
 <?php
        include('connection.php');
        session_start();
            if(!empty ($_SESSION["logged_in"])){
                    $logged_in=$_SESSION['logged_in'];
                    $id_user=$logged_in['id_user'];
                if(isset($_POST['submit']) && $_POST['submit'] = "submit"){
                        $password = md5($_POST['old_passoword']);
                        $new_password = md5($_POST['new_passoword']);
                        $confirm_passoword =md5 ($_POST['confirm_passoword']);
                        $result = mysql_query("SELECT passoword FROM users WHERE id_user='$id_user'");
                        $row = mysql_fetch_assoc($result);
                        $passworddb = $row['passoword']; //password from Data Base
                            if(!$result)
                            {
                                echo "ERROR, Unexisted User";
                            }
                            else if($password!= mysql_result($result, 0))
                            {
                                ?> <script>
                                alert('password dont match');
                                window.location.href='change_passoword.php';
                                </script> <?php
                            }
                            if($password==$passworddb){
                                if($new_password==$confirm_password){
                                    $sql=mysql_query("UPDATE usuario SET password='$new_password' where id_user='$id_user'");
                                    ?> <script>
                                    alert('Password changed!');
                                    window.location.href='change_password.php';
                                    </script> <?php
                                }

                            else{
                                ?> <script>
                                alert('Error, new password and confirm password must be the same');
                                window.location.href='change_password.php';
                                </script> <?php
                            }
                        }   
                    }
            }
    ?>

//Also work This way.. if you are using a data base connection separated, like me... if You find this useful, let me know!

Member Avatar for diafol

This code is 3 years old. The last addition uses deprecated code (mysql_* functions). It also uses the "dead" md5 hashing algorithm. I really don't get the throwing of client-side alerts and redirects mashed up in server side code. PHP has the ability to redirect and pass a message - no need for ugly browser alert boxes.

Please look up password_hash() and password_verify(). You need PHP >= 5.5
For mysql_* alternatives, see mysqli or PDO
For PHP redirects, see header()

Member Avatar for diafol

@codetuts I don.t know why you pointed to that tute as it clearly doesn.t work. Firstly it uses md5 hash which is not considered safe. Secondly the error listing is ridiculous. Thirdly the update sql does not update the pw, it simply changes the surname etc of the user. Frankly the code is a crock of poo. Just shows any idiot can post a tutorial. Don.t use it.

Member Avatar for diafol

Sorry didnt realise it was yours

Member Avatar for codeandtuts

@diafol No problem, We are here to help each others. Thank you. :)

Member Avatar for Zack_8 
            <?php
              if($_POST['submit']) {
                include("conn.php");
                $username = $_POST['username'];
                $password = $_POST['password'];

                $sql = "select username,accesslevel from tblusers
                    where username='$username' and password='$password'";

                $res = $conn->query($sql);

                if($res->num_rows>0){
                  $row = $res->fetch_assoc();
                  extract($row);
                  $_SESSION['username'] = $username;
                  $_SESSION['accesslevel'] = $accesslevel;
                  echo "<script>window.location='listproducts.php';</script>";

                }
                $conn->close();
              }

            ?>

            i have that in my log in form..

            what must be the codes in my change password form?
Member Avatar for diafol

I sincerely hope you do not have that in your login form. You do not sanitize your input nor escape it so you are wide open to SQL injection. Sort this out before moving on. Also you include js to redirect. No need use php'sheader().

Finally - start your own thread - you have resurrected a thread that finally died after many attempts, a year ago.

commented: Robert'); DROP TABLE Students; - Little Bobby Tables! +12
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.