I wrote a modify password file, but unfortunately, the MySQL query is throwing error:

Warning: mysql_query() expects at most 2 parameters, 3 given in admin\modify-password.php on line 40

This is the PHP code:

if (mysql_query("UPDATE admin SET hash = ? WHERE admin_id = ?", crypt($_POST["newpassword"]), $_SESSION["admin_id"]) === false)

I modified the code like this, and it produced a different error message:

if (mysql_query("UPDATE admin SET hash = ? WHERE username = 'admin'", '$newpassword') === false)

The second error message:

Warning: mysql_query() expects parameter 2 to be resource, string given in admin\modify-password.php on line 40

Here is the full code:

<?php
    // if form was submitted
    if ($_SERVER["REQUEST_METHOD"] == "POST")
    {        
         //This gets all the other information from the form
         $curpassword = mysql_real_escape_string(crypt($_POST["curpassword"]));
         $newpassword = mysql_real_escape_string(crypt($_POST["newpassword"]));
         $confirmation = mysql_real_escape_string(crypt($_POST["confirmation"]));

        // validate submission
        if (empty($_POST["curpassword"]))
        {
            echo nl2br ("You must provide your current password. \n");
        }
        if (empty($_POST["newpassword"]))
        {
            echo nl2br ("You must enter a desired new password. \n");
        }
        if (empty($_POST["confirmation"]))
        {
            echo nl2br ("You must confirm your new password. \n");
        }

        // query database for admin
        $rows = mysql_query("SELECT * FROM admin WHERE username = 'admin'");
        //$row = $rows[0];

        // compare hash of user's input against hash that's in database
        if (crypt($_POST["curpassword"], $row["hash"]) != $row["hash"])
        {
            echo nl2br ("Your input and your current password don't match. \n");
        }
        if ($_POST["newpassword"] != $_POST["confirmation"])
        {
            echo nl2br ("Your new password and confirmation don't match. \n");
        }

        // update the admin's password to the new one
        if (mysql_query("UPDATE admin SET hash = ? WHERE admin_id = ?", crypt($_POST["newpassword"]), $_SESSION["admin_id"]) === false)
        {
            echo "Internal server error occurred.";
        }
        else
        {
            // redirect to the logged in admin's profile
            //header("Location: index.php");
        }
    }

?>

Please, note: I'm trying to use MySQL and not MySQLi. I have a plausible reason for doing so at the moment.
Thanks in advance for your continued help.

You can try this code:

<?php
    // if form was submitted
    if ($_SERVER["REQUEST_METHOD"] == "POST")
    {        
         //This gets all the other information from the form
         $curpassword = mysql_real_escape_string(crypt($_POST["curpassword"]));
         $newpassword = mysql_real_escape_string(crypt($_POST["newpassword"]));
         $confirmation = mysql_real_escape_string(crypt($_POST["confirmation"]));

        // validate submission
        if(empty($_POST["curpassword"])){
            echo nl2br ("You must provide your current password. \n");
        }elseif(empty($_POST["newpassword"])){
            echo nl2br ("You must enter a desired new password. \n");
        }elseif(empty($_POST["confirmation"])){
            echo nl2br ("You must confirm your new password. \n");
        }else{
            // query database for admin
            $rows = mysql_query("SELECT * FROM admin WHERE username = 'admin'");
            //$row = $rows[0];
            // compare hash of user's input against hash that's in database
            if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"]){
                echo nl2br ("Your input and your current password don't match. \n");
            }
            if ($_POST["newpassword"] != $_POST["confirmation"])
            {
                echo nl2br ("Your new password and confirmation don't match. \n");
            }
            // update the admin's password to the new one
            $admin = mysql_query("UPDATE admin SET hash = '".crypt($_POST['newpassword'])."' WHERE admin_id = '".$_SESSION['admin_id']."'");
            if(!mysql_num_rows($admin)){
                echo "Internal server error occurred.";
            }else{
            // redirect to the logged in admin's profile
            //header("Location: index.php");
            }
        }
    }
?>

Warning: mysql_query() expects at most 2 parameters, 3 given in admin\modify-password.php on line 40

It happens because this function does not support prepared statements, and it only accepts two arguments:

mixed mysql_query ( string $query [, resource $link_identifier = NULL ] )

Where the first argument is the query, the second is the connection link to the database, which can be omitted, unless you want to connect to multiple databases.

Docs: http://php.net/mysql-query

commented: Nice tips +3

@Nibble, Thanks for the updated code. The modify password worked, but it throw an error message, after the modification:

Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in admin\modify-password.php on line 30
Internal server error occurred.

The code in line 30 is this:

if(!mysql_num_rows($admin)){
                    echo "Internal server error occurred.";
                }

Can you please, fix it?

@Cereal, thanks for your insight. I don't want to connect to multiple databases. What exactly is the correct syntax replacement for this?

if (mysql_query("UPDATE admin SET hash = ? WHERE admin_id = ?", crypt($_POST["newpassword"]), $_SESSION["admin_id"]) === false)
        {
            echo "Internal server error occurred.";
        }

You could do:

$passwd = crypt($_POST["newpassword"]);

# prepare query
$query = sprintf(
            "UPDATE admin SET hash = '%s' WHERE admin_id = %u",
             mysql_real_escape_string($passwd),
             (int)$_SESSION['admin_id']
         );

# perform query
$result = mysql_query($query);
if($result === FALSE)
    echo "Internal server error occurred.";

Where %s stands for string and so it's quoted, and %u stands for unsigned integer in case the admin_id index, in the session array, is an integer.

@Cereal, that was beautiful!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.