blink359 Posted April 26, 2009 Share Posted April 26, 2009 Hey i was wondering how to make a password changing script ive done most of the PhP and have just got a bit stuck on the query heres what i have so far <?php $dbhost = "localhost"; //change this to your DB host $dbuser = "User"; //change this to your DB username $dbpass = "pass"; //change this to your DB password $dbname = "logon"; //change this to your DB name for your account info mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname); $user = $_POST['user']; $pass = $_POST['pass']; $newpass = $_POST['newpass']; $newpass2 = $_POST['newpass2']; $success = true; $problemMessage = ""; if (isset($_POST['Submit'])) { if(!$user || !$pass || !$newpass || !$newpass2) { $problemMessage = "Please fill in all required fields <br />"; $success = false; } if(strlen($newpass < 5) { $problemMessage = "Your new password must be longer than 5 characters <br />"; $success = false; } if(strlen($newpass > 20) { $problemMessage = "Your new password must be shorter than 20 characters <br />"; $success = false; } if($newpass != $newpass2) { $problemMessage = "Your new passwords do not match <br />"; $success = false; } For the query i started guessing that it could be something like if ($success) { echo "Your passwords have been changed! <br />"; $result = mysql_query(UPDATE 'accounts' WHERE 'username' = $user AND 'password' = $pass Can someone please help thanks! Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted April 26, 2009 Share Posted April 26, 2009 Something like this: <?php $dbhost = "localhost"; //change this to your DB host $dbuser = "User"; //change this to your DB username $dbpass = "pass"; //change this to your DB password $dbname = "logon"; //change this to your DB name for your account info mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname); if (isset($_POST['Submit'])) { $user = mysql_real_escape_string($_POST['user']); $pass = mysql_real_escape_string($_POST['pass']); $newpass = mysql_real_escape_string($_POST['newpass']); $newpass2 = mysql_real_escape_string($_POST['newpass2']); $errors = array(); if(empty($user) || empty($pass) || empty($newpass) || empty($newpass2)) { $errors[] = "Please fill in all required fields"; } if(strlen($newpass < 5) { $errors[] = "Your new password must be longer than 5 characters"; } if(strlen($newpass > 20) { $errors[] = "Your new password must be shorter than 20 characters"; } if($newpass != $newpass2) { $errors[] = "Your new passwords do not match"; } $res = mysql_query("SELECT password FROM accounts WHERE username='{$user}' LIMIT 1"); if (!$res || mysql_num_rows($res) != 1) { $errors[] = "That user does not exist"; } else { list($dbPass) = mysql_fetch_row($res); if ($pass !== $dbPass) { $errors[] = "Incorrect password"; } } if (count($errors) == 0) { $res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}'"); } else { echo "Please fix these errors: " . join('<br>', $errors); } } You'll have to adjust it to fit your database schema. Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 Thanks Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 $res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}'"); what if someone knows there user can we do something like $res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}' AND WHERE password ='{$pass}'"); Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 else { list($dbPass) = mysql_fetch_row($res); if ($pass !== $dbPass) { $errors[] = "Incorrect password"; } why does $pass have to be equal to $dbpass? Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 In fact i may have found the script would this work? mysql_query("UPDATE accounts SET password = '$newpass' WHERE login = '$user' AND password = '$pass'"); Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted April 26, 2009 Share Posted April 26, 2009 yes you can do this all in one query... <?php $dbhost = "localhost"; //change this to your DB host $dbuser = "User"; //change this to your DB username $dbpass = "pass"; //change this to your DB password $dbname = "logon"; //change this to your DB name for your account info mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname); if (isset($_POST['Submit'])) { $user = mysql_real_escape_string($_POST['user']); $pass = mysql_real_escape_string($_POST['pass']); $newpass = mysql_real_escape_string($_POST['newpass']); $newpass2 = mysql_real_escape_string($_POST['newpass2']); $errors = array(); if(empty($user) || empty($pass) || empty($newpass) || empty($newpass2)) { $errors[] = "Please fill in all required fields"; } if(strlen($newpass < 5) { $errors[] = "Your new password must be longer than 5 characters"; } if(strlen($newpass > 20) { $errors[] = "Your new password must be shorter than 20 characters"; } if(strcmp($newpass,$newpass2) != 0) { $errors[] = "Your new passwords do not match"; } if (count($errors) == 0) { $qry = "UPDATE accounts SET password = '{$newpass}' WHERE username = '{$username}' and password = '{$pass}'"; $res = mysql_query($qry); if (!$res || mysql_affected_rows($res) != 1) { echo "Unable to complete request"; } else { echo "Password changed successfully"; } } else { foreach($errors as $key => $val) { echo $val; } } } ?> there is no need to run a query to check if the users credentials are ok - they should need to be logged in anyway so your session should be 'proof' of that. you will need to smrten up the error output for notices on password length etc etc but that is trivial. Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 Still need help heres new PhP code <?php $dbhost = "localhost"; //change this to your DB host $dbuser = "User"; //change this to your DB username $dbpass = "pass"; //change this to your DB password $dbname = "logon"; //change this to your DB name for your account info mysql_connect($dbhost, $dbuser, $dbpass); mysql_select_db($dbname); $user = $_POST['user']; $pass = $_POST['pass']; $newpass = $_POST['newpass']; $newpass2 = $_POST['newpass2']; $success = true; $problemMessage = ""; if (isset($_POST['Submit'])) { if(!$user || !$pass || !$newpass || !$newpass2) { $problemMessage .= "Please fill in all required fields <br />"; $success = false; } if(strlen($newpass < 5) { $problemMessage .= "Your new password must be longer than 5 characters <br />"; $success = false; } if(strlen($newpass > 20) { $problemMessage .= "Your new password must be shorter than 20 characters <br />"; $success = false; } if($newpass != $newpass2) { $problemMessage .= "Your new passwords do not match <br />"; $success = false; } if ($success) { echo "Your passwords have been changed! <br />"; $result = mysql_query("UPDATE accounts SET password = '$newpass' WHERE login = '$user' AND password = '$pass'"); or die("Error: (" . mysql_errno() . ") " . mysql_error()); } } ?> <html> <head> <title>Password Change</title> </head> <body> <form> <input name="user" type="text"/> <br> Password: <input name="pass" type="password"/> <br> New Password: <input name="newpass" type="password"/> <br> Repeat New Password: <input name="newpass2" tpye="password"/> <br /> <input name="Submit" type="submit" value="submit" /> <imput name="reset" type="reset" value="reset" /> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted April 26, 2009 Share Posted April 26, 2009 Well, first of all, the password shouldn't be stored in the database. Secondly, for high risk features it's a good idea to indeed check the user's credentials, and an active session shouldn't be proof of that. You probably don't need the username, but at the very least the password. If you want to see a real world application of that then try to here, change your password here, or checkout Linux' sudo or Vista's/7's UAC. Also, stop those or die(mysql_error()); things. They pose a potential security risk and just abruptly ending execution isn't a proper way of error handling. Also, why did you discard all the code you were given? Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 BTW thanks tooner and everyone else im a bit tierd this morning and didnt notice lol Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted April 26, 2009 Share Posted April 26, 2009 @Daniel0 this operation doesn't require such an inefficient check - indeed if its so high risk the single query option is better as it does NOT give any feedback on why something error. You initial login check should be sufficiently robust to negate any such requirement. Quote Link to comment Share on other sites More sharing options...
Daniel0 Posted April 26, 2009 Share Posted April 26, 2009 Code I post here is almost never to be used verbatim as it'll quite often lack something. First of all it's because I lack contextual information to be able to write a complete script. Secondly, I don't want to create a complete script for people. To be honest, I would completely rewrite the vast majority of scripts people post on these forums. I don't do that because it's not worth my time and because it's not immediately useful for the people posting here. I added that check to illustrate that you should check the password somewhere. I could have written it all in pseudo-code, but that probably wouldn't help very much. In a real application you would probably have information about the user (thus the password) loaded anyway, so you could just use that. Either way, the initial login is not sufficient check for such actions. What if I walk up to your computer that's logged on? Am I then you, should I be able to do everything as though I was you? What if I steal your cookie? Changing a password is high-risk, filling out e.g. a comment form isn't. Quote Link to comment Share on other sites More sharing options...
ToonMariner Posted April 26, 2009 Share Posted April 26, 2009 @daniel0 - wasn't having a beef mate! agreed on the contextual (lack of) info etc etc. but one last point... the request for the current password should prevent anyone happening across an unattended account from changing it Quote Link to comment Share on other sites More sharing options...
blink359 Posted April 26, 2009 Author Share Posted April 26, 2009 Nevermind now i have managed to make the script i want work now thanks all for time and work Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.