Maq Posted September 22, 2008 Share Posted September 22, 2008 Then there's something in your logic. Try echoing your variables and see if they are correct. I bet it is something wrong with your username session. Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 It worked perfectly for me. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Can I tell you the password I am useing to change? Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 Just to explain further, I created your `members` table, and added a user to it. Is your users passwords encrypted in any fashion? I don't take any encryption into account with my code. Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 create a dummy user, for testing purposes. one that has no rights. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 What do u mean dummy user? Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 I will pm you. Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 ok, what's the username? Link to comment Share on other sites More sharing options...
Maq Posted September 22, 2008 Share Posted September 22, 2008 In the data base insert a fake user with fake credentials. So when you compare it in your SQL statement you can't be wrong. $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='Maq';"; If it passes that then there's something wrong with your $_SESSION['username']; Where do you initiate this session username? Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Hu? Ugh... I have no idea what you just said... Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Oh, the username is bucket Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 ok, I think I see the problem: I don't think you added $_SESSION['username'] in the your login check script, like I had said at the beginning, so it's not seeing the user. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 This is what i have currently. <? session_start(); if(!session_is_registered(myusername)){ header("location:login.php"); } ?> <?php session_start(); $host = "localhost"; // Host name $username = "bucketho_***"; // <-- Mysql username MAKE SURE THIS IS SET! $password = "****"; // <-- Mysql password MAKE SURE THIS IS SET! $db_name = "bucketho_***"; // <-- Database name CHANGE THIS TOO! $tbl_name = "members"; // Table name // Connect to server and select databse. mysql_connect($host, $username, $password)or die("cannot connect"); mysql_select_db($db_name)or die("cannot select DB"); if ($_GET['change_pass'] == true){ $new_pass1 = mysql_real_escape_string($_POST['pass1']); $new_pass2 = mysql_real_escape_string($_POST['pass2']); $old_pass = mysql_real_escape_string($_POST['old_pass']); $username = $_SESSION['username']; $sql = "SELECT COUNT(*) AS `total_found` FROM `members` WHERE `username`='$username' AND `password`='$old_pass' LIMIT 1;"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $total_found = $row['total_found']; if (($total_found == 1) && ($new_pass1 == $new_pass2)){ $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='$username';"; mysql_query($sql); header("location:./"); exit(); } else{ print "Error processing Password change. Please try again"; } } if ($_GET['pass_change_form'] == true){ ?> <form method="POST" action="?change_pass=true"> <table border="0"> <tr> <td>Old Password:</td> <td><input type="password" name="old_pass"></td> </tr> <tr> <td>New Password:</td> <td><input type="password" name="pass1"></td> </tr> <tr> <td>New Password(Again):</td> <td><input type="password" name="pass2"></td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit"></td> </tr> </table> </form> <?php } Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 no, I told you to change your checklogin.php to this: <?php $host="localhost"; // Host name $username="bucketho_****"; // Mysql username $password="*****"; // Mysql password $db_name="bucketho_****"; // Database name $tbl_name="members"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "index.php" $_SESSION['username'] = $myusername; session_register("myusername"); session_register("mypassword"); header("location:index.php"); } else { header("location:login_failed.php"); } ?> I don't think you did, and that's the cause of the issue. Link to comment Share on other sites More sharing options...
Maq Posted September 22, 2008 Share Posted September 22, 2008 Yes you need to change it, if you look you have 2 session_starts and you do $username = $_SESSION['username']; which, I don't think is anything that's what I thought you error was. So change your code and try the dummy user test. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Ok now: checklogin.php <?php $host="localhost"; // Host name $username="bucketho_****"; // Mysql username $password="*****"; // Mysql password $db_name="bucketho_****"; // Database name $tbl_name="members"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "index.php" $_SESSION['username'] = $myusername; session_register("myusername"); session_register("mypassword"); header("location:index.php"); } else { header("location:login_failed.php"); } ?> and change_password.php <? session_start(); if(!session_is_registered(myusername)){ header("location:login.php"); } ?> <?php session_start(); $host = "localhost"; // Host name $username = "bucketho_****"; // <-- Mysql username MAKE SURE THIS IS SET! $password = "****"; // <-- Mysql password MAKE SURE THIS IS SET! $db_name = "bucketho_****"; // <-- Database name CHANGE THIS TOO! $tbl_name = "members"; // Table name // Connect to server and select databse. mysql_connect($host, $username, $password)or die("cannot connect"); mysql_select_db($db_name)or die("cannot select DB"); if ($_GET['change_pass'] == true){ $new_pass1 = mysql_real_escape_string($_POST['pass1']); $new_pass2 = mysql_real_escape_string($_POST['pass2']); $old_pass = mysql_real_escape_string($_POST['old_pass']); $username = $_SESSION['username']; $sql = "SELECT COUNT(*) AS `total_found` FROM `members` WHERE `username`='$username' AND `password`='$old_pass' LIMIT 1;"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $total_found = $row['total_found']; if (($total_found == 1) && ($new_pass1 == $new_pass2)){ $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='$username';"; mysql_query($sql); header("location:./"); exit(); } else{ print "Error processing Password change. Please try again"; } } if ($_GET['pass_change_form'] == true){ ?> <form method="POST" action="?change_pass=true"> <table border="0"> <tr> <td>Old Password:</td> <td><input type="password" name="old_pass"></td> </tr> <tr> <td>New Password:</td> <td><input type="password" name="pass1"></td> </tr> <tr> <td>New Password(Again):</td> <td><input type="password" name="pass2"></td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit"></td> </tr> </table> </form> <?php } Is all of that correct? Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Man, theres a new error. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Any luck with anything?? Do you need access to anything? Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 Dude, I wrote a simple script for you, and you keep on modding it. Here, let me fix your mod, so it works checklogin.php <?php $host="localhost"; // Host name $username="bucketho_****"; // Mysql username $password="*****"; // Mysql password $db_name="bucketho_****"; // Database name $tbl_name="members"; // Table name // Connect to server and select databse. mysql_connect("$host", "$username", "$password")or die("cannot connect"); mysql_select_db("$db_name")or die("cannot select DB"); // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; // To protect MySQL injection (more detail about MySQL injection) $myusername = stripslashes($myusername); $mypassword = stripslashes($mypassword); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; $result=mysql_query($sql); // Mysql_num_row is counting table row $count=mysql_num_rows($result); // If result matched $myusername and $mypassword, table row must be 1 row if($count==1){ // Register $myusername, $mypassword and redirect to file "index.php" $_SESSION['username'] = $myusername; $_SESSION['is_valid'] = true; session_register("myusername"); session_register("mypassword"); header("location:index.php"); } else { header("location:login_failed.php"); } ?> change_password.php <?php session_start(); $host = "localhost"; // Host name $username = "bucketho_****"; // <-- Mysql username MAKE SURE THIS IS SET! $password = "****"; // <-- Mysql password MAKE SURE THIS IS SET! $db_name = "bucketho_****"; // <-- Database name CHANGE THIS TOO! $tbl_name = "members"; // Table name // Connect to server and select databse. mysql_connect($host, $username, $password)or die("cannot connect"); mysql_select_db($db_name)or die("cannot select DB"); if ($_GET['change_pass'] == true && $_SESSION['is_valid'] == true){ $new_pass1 = mysql_real_escape_string($_POST['pass1']); $new_pass2 = mysql_real_escape_string($_POST['pass2']); $old_pass = mysql_real_escape_string($_POST['old_pass']); $username = $_SESSION['username']; $sql = "SELECT COUNT(*) AS `total_found` FROM `members` WHERE `username`='$username' AND `password`='$old_pass' LIMIT 1;"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $total_found = $row['total_found']; if (($total_found == 1) && ($new_pass1 == $new_pass2)){ $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='$username';"; mysql_query($sql); header("location:./"); exit(); } else{ print "Error processing Password change. Please try again"; } } if ($_GET['pass_change_form'] == true && $_SESSION['is_valid'] == true){ ?> <form method="POST" action="?change_pass=true"> <table border="0"> <tr> <td>Old Password:</td> <td><input type="password" name="old_pass"></td> </tr> <tr> <td>New Password:</td> <td><input type="password" name="pass1"></td> </tr> <tr> <td>New Password(Again):</td> <td><input type="password" name="pass2"></td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit"></td> </tr> </table> </form> <?php } else{ header("location:./"); exit(); } DON'T add your login check at the top. I've added it in this version. Link to comment Share on other sites More sharing options...
peranha Posted September 22, 2008 Share Posted September 22, 2008 on the change_password.php page, change the <? to <?php, as shorthand might not be set up on your server. Link to comment Share on other sites More sharing options...
Maq Posted September 22, 2008 Share Posted September 22, 2008 What's your error? I don't see where these $_POST vars come from? // username and password sent from form $myusername=$_POST['myusername']; $mypassword=$_POST['mypassword']; Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 http://delta.bluespacetechnologies.com/~bucketho/admin/change_password.php?pass_change_form=true Another error. I did not change anything this time. Just changed the **** to the correct information. Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 you had to have changed something. There isn't an "&" at line 56 of my version. Link to comment Share on other sites More sharing options...
sith717 Posted September 22, 2008 Author Share Posted September 22, 2008 Thats the code, I didnt change anything! I swearz! <?php session_start(); $host = "localhost"; // Host name $username = "bucketho_****"; // <-- Mysql username MAKE SURE THIS IS SET! $password = "*****"; // <-- Mysql password MAKE SURE THIS IS SET! $db_name = "bucketho_****"; // <-- Database name CHANGE THIS TOO! $tbl_name = "members"; // Table name // Connect to server and select databse. mysql_connect($host, $username, $password)or die("cannot connect"); mysql_select_db($db_name)or die("cannot select DB"); if ($_GET['change_pass'] == true && $_SESSION['is_valid'] == true){ $new_pass1 = mysql_real_escape_string($_POST['pass1']); $new_pass2 = mysql_real_escape_string($_POST['pass2']); $old_pass = mysql_real_escape_string($_POST['old_pass']); $username = $_SESSION['username']; $sql = "SELECT COUNT(*) AS `total_found` FROM `members` WHERE `username`='$username' AND `password`='$old_pass' LIMIT 1;"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $total_found = $row['total_found']; if (($total_found == 1) && ($new_pass1 == $new_pass2)){ $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='$username';"; mysql_query($sql); header("location:./"); exit(); } else{ print "Error processing Password change. Please try again"; } } if ($_GET['pass_change_form'] == true && $_SESSION['is_valid'] == true){ ?> <form method="POST" action="?change_pass=true"> <table border="0"> <tr> <td>Old Password:</td> <td><input type="password" name="old_pass"></td> </tr> <tr> <td>New Password:</td> <td><input type="password" name="pass1"></td> </tr> <tr> <td>New Password(Again):</td> <td><input type="password" name="pass2"></td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit"></td> </tr> </table> </form> <?php } else{    header("location:./");    exit(); } Link to comment Share on other sites More sharing options...
jonsjava Posted September 22, 2008 Share Posted September 22, 2008 ah, you got my pre-edit version. and I edited it like 5 seconds after post. try the post-edited version: <?php session_start(); $host = "localhost"; // Host name $username = "bucketho_****"; // <-- Mysql username MAKE SURE THIS IS SET! $password = "****"; // <-- Mysql password MAKE SURE THIS IS SET! $db_name = "bucketho_****"; // <-- Database name CHANGE THIS TOO! $tbl_name = "members"; // Table name // Connect to server and select databse. mysql_connect($host, $username, $password)or die("cannot connect"); mysql_select_db($db_name)or die("cannot select DB"); if ($_GET['change_pass'] == true && $_SESSION['is_valid'] == true){ $new_pass1 = mysql_real_escape_string($_POST['pass1']); $new_pass2 = mysql_real_escape_string($_POST['pass2']); $old_pass = mysql_real_escape_string($_POST['old_pass']); $username = $_SESSION['username']; $sql = "SELECT COUNT(*) AS `total_found` FROM `members` WHERE `username`='$username' AND `password`='$old_pass' LIMIT 1;"; $result = mysql_query($sql); $row = mysql_fetch_assoc($result); $total_found = $row['total_found']; if (($total_found == 1) && ($new_pass1 == $new_pass2)){ $sql = "UPDATE `members` SET `password`='$new_pass1' WHERE `username`='$username';"; mysql_query($sql); header("location:./"); exit(); } else{ print "Error processing Password change. Please try again"; } } if ($_GET['pass_change_form'] == true && $_SESSION['is_valid'] == true){ ?> <form method="POST" action="?change_pass=true"> <table border="0"> <tr> <td>Old Password:</td> <td><input type="password" name="old_pass"></td> </tr> <tr> <td>New Password:</td> <td><input type="password" name="pass1"></td> </tr> <tr> <td>New Password(Again):</td> <td><input type="password" name="pass2"></td> </tr> <tr> <td> </td> <td><input type="submit" value="Submit"></td> </tr> </table> </form> <?php } else{ header("location:./"); exit(); } Link to comment Share on other sites More sharing options...
Recommended Posts