zang8027 Posted January 22, 2009

OK, here is what I got:

Page 1: Has 4 drop down boxes. One for name, one for password, one for new password, and one for new password confirm. I'm sending to the next page to process it all.

The problem I have is that no matter what I type as the current password, it still changes the password. I tried using a while statement instead of an if statement, but I have no idea why this is not working. I did manage to get it to return that error, but if you typed the right pass in, it would go to the process page and not go anywhere else. I'm 90% sure it's a scope issue that I can't figure out.

```php
<?php
//Capture the information coming over
$userName = $_GET['userName'];
$currentPass = $_GET['userPass'];
$newPass = $_GET['userPassNew'];
$check = $_GET['userPassNewCheck'];

//connect to DB here to retrieve the current password so we can check against it down below.
//Make a connection to the server... connect("servername","username","password") (or die is optional to show error)
$link=mysql_connect("localhost","tyzangme_tyler","test") or die("No server connection".mysql_error());
//connect to our database
$db=mysql_select_db("tyzangme_clickndine") or die("No Database Connection ".mysql_error());
//construct a SQL query that selects users from DB
$query="SELECT * FROM clientTable WHERE userName='$userName'";
//run the query
$result=mysql_query($query);

//NOTE: Is this the problem maybe?
if($row = mysql_fetch_array($result))
{
    //store into a variable for the current row
    $myPass=$row['userPass'];

    //-------------------VALIDATE----------------------//
    //if password is wrong
    if($currentPass!=$myPass){
        header("Location:changePass.php?error=wrongpassword");
    }
} //ends if statement

//if name is blank
if($userName==""){
    header("Location:changePass.php?error=noname");
}
//if password field blank
elseif($currentPass==""){
    header("Location:changePass.php?error=nopassword");
}
//if new field is blank
elseif($newPass==""){
    header("Location:changePass.php?error=nonew");
}
//if check field blank
elseif($check==""){
    header("Location:changePass.php?error=nocheck");
}
//if new password doesn't match
elseif($newPass != $check){
    header("Location:changePass.php?error=nomatch");
}else {
    //-------------------END VALIDATE------------------//

    //construct a SQL query that updates the user's password
    $query=" UPDATE clientTable SET userPass='$newPass' WHERE userName='$userName'";
    $result = mysql_query($query);
    //close the connection
    mysql_close($link);

    header("Location:passChangeConfirm.php");
}// end else
?>
```

trq Posted January 22, 2009

Can you indent your code so it is readable?

premiso Posted January 22, 2009

One, it does not seem that you are encrypting or hashing the password in the db, not very good practice. Look into md5 and use that for storing password.

Two, why not pull out data only if the current password matches the SQL, and since sql is case-insensitive you will have to take that into account also (md5 would make the pass case sensitive).

```php
//construct a SQL query that selects users from DB
$query="SELECT * FROM clientTable WHERE userName='$userName' AND userPass='$currentPass'";
//run the query
$result=mysql_query($query);

//NOTE: Is this the problem maybe?
if(mysql_num_rows($result) == 1)
{
    $row = mysql_fetch_assoc($result);
    //store into a variable for the current row
    $myPass=$row['userPass'];

    //-------------------VALIDATE----------------------//
    //Now we do the case sensitive check since it is not md5 in the db.
    if($currentPass != $myPass){
        header("Location:changePass.php?error=wrongpassword");
    }
}
```

Now if that does not work, check your form, and make sure it is passing via GET and not POST like most forms do, in fact post the form code for us.

zang8027 Posted January 22, 2009

Here is the form code trimmed to the part:

```php
<div class="displayInfoAccount">
    <p><span class="titleText">Change your password</span></p>
    <br>
    <p>We will update your current session after your successful password change. If, however, you do experience difficulties, please try logging out and logging back in before contacting a staff member to help resolve the problem.</p>
    <br/>
    <?php
    //--VALIDATION--
    if(isset($_GET['error'])){
        if($_GET['error']=="noname"){
            //print error message for hey, please enter a name
            print "<span class='redText'>You must enter a name</span> <br/>";
        }
        if($_GET['error']=="nopassword"){
            //print error message for please enter a password
            print "<span class='redText'>You must enter a password</span> <br/>";
        }
        if($_GET['error']=="nonew"){
            //print error message for please answer the pass
            print "<span class='redText'>You must enter a new password</span> <br/>";
        }
        if($_GET['error']=="nocheck"){
            //print error message for please enter your pass
            print "<span class='redText'>You must re enter your new password</span> <br/>";
        }
        if($_GET['error']=="nomatch"){
            //print error message for no match
            print "<span class='redText'>Your new password does not match</span> <br/>";
        }
        if($_GET['error']=="wrongpassword"){
            //print error message for no match
            print "<span class='redText'>Your current password does not match</span> <br/>";
        }
    }
    ?>
    <table>
        <form action="processChangePass.php" method="get">
            <tr><td>Please enter your log in name: </td><td><input type="text" name="userName"></input></td></tr>
            <tr><td>Please enter your current password: </td><td><input type="password" name="userPass"></input></td></tr>
            <tr><td>Please enter your new password: </td><td><input type="password" name="userPassNew"></input></td></tr>
            <tr><td>Please re-renter your new password: </td><td><input type="password" name="userPassNewCheck"></input></td></tr>
            <tr></tr>
            <tr><td><input type="submit" value="Change Password" /></td></tr>
        </form>
    </table>
</div> <!-- displayInfo -->
```

premiso Posted January 22, 2009

For a user deal that changes a password I would highly recommend using POST instead of GET. Simply because that is saved in the user's browser history.

Also the `</input>` is not needed and may be causing issues. Instead do it like the submit one and do `/>` after the input statement.

zang8027 Posted January 22, 2009

Really? I didn't want to use post cause it sends the information through the URL bar real fast and I figured that would be bad for password information.

Still can't get it to work. I changed it to be like yours:

```php
<?php
//construct a SQL query that selects users from DB
$query="SELECT * FROM clientTable WHERE userName='$userName' AND userPass='$currentPass'";
//run the query
$result=mysql_query($query);

if(mysql_num_rows($result) == 1)
{
    $row = mysql_fetch_assoc($result);
    //store into a variable for the current row
    $myPass=$row['userPass'];

    //-------------------VALIDATE----------------------//
    //if password is wrong
    if($currentPass!=$myPass)
    {
        header("Location:changePass.php?error=wrongpassword");
    }
}
?>
```

I'm starting to wonder why it's selecting from the table where my pass and user name is = to tyler/bob when bob is not my password.. is it completely skipping that part? I tried echoing the query and I get:

```
SELECT * FROM clientTable WHERE userName='tyler' AND userPass='bob'
```

zang8027 Posted January 22, 2009

Wait, I think I just figured out why that's not working... I'm saying if a row is returned, do it.. ima change it to if not returned

zang8027 Posted January 22, 2009

Thanks for the help! I will look into that function. md5()
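
An added example, not part of the original thread and not any poster's code: in the handler posted above, `header("Location: ...")` does not stop the script, so execution continues into the `UPDATE` and the final redirect replaces the error one. The sketch below returns at the first failed check, binds input through PDO prepared statements, and stores `password_hash()` output checked with `password_verify()` instead of plain text or md5; the `changePassword()` function, its result strings and the in-memory SQLite data are assumptions made for illustration.

```php
<?php
// Added example: changePassword() and its result codes are hypothetical names.
declare(strict_types=1);

function changePassword(PDO $db, string $user, string $current, string $new, string $check): string
{
    // Return at the first failed check so nothing below it can run.
    if ($user === '')    return 'noname';
    if ($current === '') return 'nopassword';
    if ($new === '')     return 'nonew';
    if ($check === '')   return 'nocheck';
    if ($new !== $check) return 'nomatch';

    // Prepared statement: the user name is bound, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT userPass FROM clientTable WHERE userName = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();

    // Unknown user and wrong current password get the same answer.
    if ($hash === false || !password_verify($current, $hash)) {
        return 'wrongpassword';
    }

    // Only reached when every check passed; store a salted hash, not the password.
    $upd = $db->prepare('UPDATE clientTable SET userPass = ? WHERE userName = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'ok';
}

// Constructed demo data in an in-memory SQLite database (not the poster's MySQL setup).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE clientTable (userName TEXT PRIMARY KEY, userPass TEXT)');
$db->prepare('INSERT INTO clientTable VALUES (?, ?)')
   ->execute(['tyler', password_hash('correct-horse', PASSWORD_DEFAULT)]);

// First call uses the wrong current password, second call the right one.
var_dump(changePassword($db, 'tyler', 'bob', 'n3w-pass', 'n3w-pass'));
var_dump(changePassword($db, 'tyler', 'correct-horse', 'n3w-pass', 'n3w-pass'));

// In a page handler the fields would come from $_POST, and every redirect is
// followed by exit so the script stops there:
//   header('Location: changePass.php?error=' . $result); exit;
```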