Jump to content

Recommended Posts

Hey i was wondering how to make a password changing script ive done most of the PhP and have just got a bit stuck on the query heres what i have so far

<?php
$dbhost = "localhost";        //change this to your DB host
$dbuser = "User";             //change this to your DB username
$dbpass = "pass";             //change this to your DB password
$dbname = "logon";            //change this to your DB name for your account info

mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

$user = $_POST['user'];
$pass = $_POST['pass'];
$newpass = $_POST['newpass'];
$newpass2 = $_POST['newpass2'];

$success = true; 
$problemMessage = ""; 
if (isset($_POST['Submit'])) 

{
       if(!$user || !$pass || !$newpass || !$newpass2)
       {
           $problemMessage = "Please fill in all required fields <br />";
           $success = false;
       }
       if(strlen($newpass < 5)
       {
           $problemMessage = "Your new password must be longer than 5 characters <br />";
           $success = false;
       }
       if(strlen($newpass > 20)
       {
           $problemMessage = "Your new password must be shorter than 20 characters <br />";
           $success = false;
       }
       if($newpass != $newpass2)
       {
          $problemMessage = "Your new passwords do not match <br />";
          $success = false;
       }

 

For the query i started guessing that it could be something like

if ($success)
       {
           echo "Your passwords have been changed! <br />";
           $result = mysql_query(UPDATE 'accounts' WHERE 'username' = $user AND 'password' = $pass

Can someone please help thanks!

Link to comment
https://forums.phpfreaks.com/topic/155686-solved-password-changing-script/
Share on other sites

Something like this:

 

<?php
$dbhost = "localhost"; //change this to your DB host
$dbuser = "User";      //change this to your DB username
$dbpass = "pass";      //change this to your DB password
$dbname = "logon";     //change this to your DB name for your account info

mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

if (isset($_POST['Submit'])) {
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$newpass = mysql_real_escape_string($_POST['newpass']);
$newpass2 = mysql_real_escape_string($_POST['newpass2']);

$errors = array();

if(empty($user) || empty($pass) || empty($newpass) || empty($newpass2)) {
    $errors[] = "Please fill in all required fields";
}
if(strlen($newpass < 5) {
    $errors[] = "Your new password must be longer than 5 characters";
}
if(strlen($newpass > 20) {
    $errors[] = "Your new password must be shorter than 20 characters";
}
if($newpass != $newpass2) {
   $errors[] = "Your new passwords do not match";
}

$res = mysql_query("SELECT password FROM accounts WHERE username='{$user}' LIMIT 1");
if (!$res || mysql_num_rows($res) != 1) {
	$errors[] = "That user does not exist";
}
else {
	list($dbPass) = mysql_fetch_row($res);
	if ($pass !== $dbPass) {
		$errors[] = "Incorrect password";
	}
}

if (count($errors) == 0) {
	$res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}'");
}
else {
	echo "Please fix these errors: " . join('<br>', $errors);
}
}

 

You'll have to adjust it to fit your database schema.

$res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}'");

 

what if someone knows there user can we do something like

 

$res = mysql_query("UPDATE accounts SET password='{$newpass}' WHERE username='{$user}' AND WHERE password ='{$pass}'");

yes you can do this all in one query...

 

<?php

$dbhost = "localhost"; //change this to your DB host
$dbuser = "User";      //change this to your DB username
$dbpass = "pass";      //change this to your DB password
$dbname = "logon";     //change this to your DB name for your account info

mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

if (isset($_POST['Submit'])) {
$user = mysql_real_escape_string($_POST['user']);
$pass = mysql_real_escape_string($_POST['pass']);
$newpass = mysql_real_escape_string($_POST['newpass']);
$newpass2 = mysql_real_escape_string($_POST['newpass2']);

$errors = array();

if(empty($user) || empty($pass) || empty($newpass) || empty($newpass2)) {
    $errors[] = "Please fill in all required fields";
}
if(strlen($newpass < 5) {
    $errors[] = "Your new password must be longer than 5 characters";
}
if(strlen($newpass > 20) {
    $errors[] = "Your new password must be shorter than 20 characters";
}
if(strcmp($newpass,$newpass2) != 0) {
   $errors[] = "Your new passwords do not match";
}

        if (count($errors) == 0)
        {
    $qry = "UPDATE accounts SET password = '{$newpass}' WHERE username = '{$username}' and password = '{$pass}'";
    $res = mysql_query($qry);
    if (!$res || mysql_affected_rows($res) != 1) {
	echo "Unable to complete request";
    }
            else
            {
                echo "Password changed successfully";
            }
        }
        else
        {
            foreach($errors as $key => $val)
            {
                echo $val;
            }
        }
       
}
?>

 

there is no need to run a query to check if the users credentials are ok - they should need to be logged in anyway so your session should be 'proof' of that.

 

you will need to smrten up the error output for notices on password length etc etc but that is trivial.

Still need help heres new PhP code

<?php
$dbhost = "localhost";        //change this to your DB host
$dbuser = "User";             //change this to your DB username
$dbpass = "pass";             //change this to your DB password
$dbname = "logon";            //change this to your DB name for your account info

mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);

$user = $_POST['user'];
$pass = $_POST['pass'];
$newpass = $_POST['newpass'];
$newpass2 = $_POST['newpass2'];

$success = true; 
$problemMessage = ""; 
if (isset($_POST['Submit'])) 

{
       if(!$user || !$pass || !$newpass || !$newpass2)
       {
           $problemMessage .= "Please fill in all required fields <br />";
           $success = false;
       }
       if(strlen($newpass < 5)
       {
           $problemMessage .= "Your new password must be longer than 5 characters <br />";
           $success = false;
       }
       if(strlen($newpass > 20)
       {
           $problemMessage .= "Your new password must be shorter than 20 characters <br />";
           $success = false;
       }
       if($newpass != $newpass2)
       {
          $problemMessage .= "Your new passwords do not match <br />";
          $success = false;
       }
       if ($success)
       {
           echo "Your passwords have been changed! <br />";
           $result = mysql_query("UPDATE accounts SET password = '$newpass' WHERE login = '$user' AND password = '$pass'");
           or die("Error: (" . mysql_errno() . ") " . mysql_error()); 
        } 
} 

?>

<html>
<head>
<title>Password Change</title>
</head>
<body>
<form>
          <input name="user" type="text"/>
          <br>  
          Password: 
          <input name="pass" type="password"/>
          <br>  
         New Password: 
          <input name="newpass" type="password"/>
          <br>  
          Repeat New Password: 
          <input name="newpass2" tpye="password"/>
          <br />
          <input name="Submit" type="submit" value="submit" /> 
          
          <imput name="reset" type="reset" value="reset" /> 
</form>
</body>
</html>

Well, first of all, the password shouldn't be stored in the database. Secondly, for high risk features it's a good idea to indeed check the user's credentials, and an active session shouldn't be proof of that. You probably don't need the username, but at the very least the password. If you want to see a real world application of that then try to here, change your password here, or checkout Linux' sudo or Vista's/7's UAC.

 

Also, stop those or die(mysql_error()); things. They pose a potential security risk and just abruptly ending execution isn't a proper way of error handling.

 

Also, why did you discard all the code you were given?

@Daniel0

 

this operation doesn't require such an inefficient check - indeed if its so high risk the single query option is better as it does NOT give any feedback on why something error.

 

You initial login check should be sufficiently robust to negate any such requirement.

Code I post here is almost never to be used verbatim as it'll quite often lack something. First of all it's because I lack contextual information to be able to write a complete script. Secondly, I don't want to create a complete script for people. To be honest, I would completely rewrite the vast majority of scripts people post on these forums. I don't do that because it's not worth my time and because it's not immediately useful for the people posting here. I added that check to illustrate that you should check the password somewhere. I could have written it all in pseudo-code, but that probably wouldn't help very much. In a real application you would probably have information about the user (thus the password) loaded anyway, so you could just use that.

 

Either way, the initial login is not sufficient check for such actions. What if I walk up to your computer that's logged on? Am I then you, should I be able to do everything as though I was you? What if I steal your cookie? Changing a password is high-risk, filling out e.g. a comment form isn't.

@daniel0 - wasn't having a beef mate!

 

agreed on the contextual (lack of) info etc etc.

 

but one last point...

 

the request for the current password should prevent anyone happening across an unattended account from changing it ;)

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.