Change Password Script

[Hooo]

Hi, I believe the main part of the code is correct, however the logic I believe is wrong. I know there are many misplaces { and } and would like to know what to change to make it work.

 

Thanks.

 

<html>
<body>

<?php

include 'config.php';
include 'opendb.php';

session_start();

$opass = $_POST["opass"];
$npass = $_POST["npass"];
$npass1 = $_POST["npass1"];
$salt = 's+(_a*';
$salt_passo = md5($opass.$salt);
$salt_passn = md5($npass.$salt);
$result = mysql_query("SELECT userpass FROM Users WHERE usname = '" .$_SESSION['usname'] . "'"); 

if(isset($_SESSION['usname']))
{

else {
if ($salt_passo != $result) {
echo "Your old password was entered incorrectly";

} else {
if ($salt_passo != $salt_passn) {
echo "The two new password didn't match";

} else {

$sql=mysql_query(UPDATE Users SET userpass='$salt_passn' WHERE usname = '" .$_SESSION['usname'] . "'");

if (!mysql_query($sql))
  {
  die('Error: ' . mysql_error());
  }
}
}
}
}
else
{

echo '<meta http-equiv="refresh" content="2;url=index.php">';

}

?>

</body>
</html>

[bundyxc]

Honestly, your logic is so screwed up, I have no clue what you're even trying to do.

Either document your code, or let us know what you're trying to do... but honestly, if a human can't understand your code, your computer won't be able to do it.

 

Comment your lines with

//Comment goes here.

[Hooo]

Basically, the script is to change a password once a member is logged in.

 

So first I include the files, start the session and ask if a session is set. If it is ( { ) then the elses happen, like if old password inputted into form beforehand matches pass in database, carry on, if not, echo error basically. Then it checks that both New Password and Confirm New Password fields are matching, and carries on and does the SQL update.

 

At the end, the if session set ends with a redirect to index, which is the login page.

 

Hope you understand?

 

Thanks, I know it isn't pretty either

[AngelicS]

Try this =)

<?php

include 'config.php';
include 'opendb.php';

session_start();

$opass = $_POST["opass"];
$npass = $_POST["npass"];
$npass1 = $_POST["npass1"];
$salt = 's+(_a*';
$salt_passo = md5($opass.$salt);
$salt_passn = md5($npass.$salt);
$result = mysql_query("SELECT userpass FROM Users WHERE usname = '{$_SESSION['usname']}'") or die(mysql_error()); 

if(isset($_SESSION['usname']))
{

if ($salt_passo != $result) 
{
echo "Your old password was entered incorrectly";
}
elseif ($salt_passo != $salt_passn)
{
echo "The two new password didn't match";
} 
else 
{
mysql_query("UPDATE `Users` SET `userpass`='{$salt_passn}' WHERE `usname` = '{$_SESSION['usname']}'") or die("Error: ".mysql_error());
}
}
else
{
echo '<meta http-equiv="refresh" content="2;url=index.php">';
}

?>

 

I think you've been programming another language for a while, and newly started PHP?

 

Instead of doing the following

 

else{
if{

And forget to close both of them

Try using the

 

elseif()
{}

 

=)

 

Best wishes

//AngelicS

[Hooo]

Done what you have suggested, however now when I enter the old pass, plus a new passX2, I get: Your old password was entered incorrectly.

 

Could this be something to do with the encrypting?

 

I believe I have used the same algorithm of md5 + $salt

 

Thanks

[AngelicS]

Try this =)

 

$salt_passo = md5($opass.=$salt);
$salt_passn = md5($npass.=$salt);

 

Best wishes

//AngelicS

[Hooo]

Same outcome fella. =[

[AngelicS]

Check the register script, and make sure that you are using the same encryption salt =)

That's my tip.

[Hooo]

$salt = 's+(_a*';
$salt_pass = md5($pword.$salt);

 

Then:

 

$sql="INSERT INTO Users (usname, userpass, useremail, userage)
VALUES
('$uname','$salt_pass','$jmail','$age')";

 

Appears to be the same to me

[AngelicS]

$result = mysql_query("SELECT userpass FROM Users WHERE usname = '{$_SESSION['usname']}'") or die(mysql_error()); 

 

if you try to echo the variable $results, I think that you wont get anything =)

Am I right?

 

If I am, try doing it like this instead:

 

$result = mysql_query("SELECT userpass FROM Users WHERE usname = '{$_SESSION['usname']}'") or die(mysql_error()); 
$row=mysql_fetch_assoc($result);

 

And then when you get to the if statement, change it to this:

 

if ($salt_passo != $row['userpass']) 
{
   echo "Your old password was entered incorrectly";
}

 

Best wishes

//AngelicS

[Hooo]

Haha, think we are getting there *sigh*

 

Now I get:

 

The two new password didn't match

 

I don't see anything similar wrong with that however :/

[AngelicS]

You are trying to match the old and the new password.

Is that what you want?

[Hooo]

No, the code I have (Changed from first time I posted)

 

elseif ($npass != $npass1)
{
echo "The two new password didn't match";
}

 

and the Variables:

 

$opass = $_POST["opass"];
$npass = $_POST["npass"];
$npass1 = $_POST["npass1"];
$salt = 's+(_a*';
$salt_passo = md5($opass.=$salt);
$salt_passn = md5($npass.=$salt);

[AngelicS]

Try adding this row:

 

$salt_npass1 = md5($npass1.$salt);

 

and then change the if statement to this:

 

if ($salt_passn != $salt_npass1) {
echo "The two new password didn't match";
}

[Hooo]

Edited my post, sorry, noticed that mistake

 

There is no need to check when both are encrypted as it will encrypt with the SQL anyway, so I checked npass != npass1. Both of which are taken directly from the previous form, and should both be filled with the same password.

[AngelicS]

So is it working?

[Hooo]

Isn't =.=

 

I must be annoying you <3