
change password for profile page. working but not? help please


blesseld


Hey All,

I am starting to build my profile page for members, and I figured I'd start with changing the user's password.

I based some code off my forgot password page, and molded it to my needs. Now the weird thing is, I created a little script that will view my users' info from the database; after I submit my password change request, it updates the MD5 password field in the database, but I cannot log on. Also, after I click submit, the new password field shows a long string of characters.

Any help appreciated,

<?php
$sheet_name = "tbnl-profile";
include ("../inc/control.php"); //main inc dir.
include ("inc/tbnl-functions.php"); //users inc dir.
include ("inc/tbnl-header.php");
include ("../inc/page-top.php");
echo $content;
echo <<< _END
<form method='post' action='tbnl-profile.php'
enctype='multipart/form-data'>
Enter or edit your details and/or upload an image:<br />
<textarea name='text' cols='40' rows='3'>$text</textarea><br />
Image: <input type='file' name='image' size='14' maxlength='32' />
<input type='submit' value='Save Profile' />
</pre>
</form>
_END;

if (isset($_POST['pass'])) {
    $pass = sanitizeString($_POST['pass']);
    $newpass = sanitizeString($_POST['newpass']);
    if ($pass == "" || $newpass == "") {
        $error = "<p class=\"main-text\">Not all fields were entered</p><br />";
    } else {
        $res = mysql_query("select * from tbnlmembers where user='$user'") or die("cannot select from email");
        $row = mysql_fetch_array($res);
        $user = $row["user"];
        $password = $row["newpass"];
        $newpass = md5($password);
        mysql_query("update tbnlmembers set pass='$newpass' where user='$user'") or die("cannot send your password");
    }
}
//if (strlen($password) < 3 or strlen($password) > 8) {
//    $msg = $msg . "Password must be more than 3 char legth and maximum 8 char lenght<BR>";
//    $status = "NOTOK";
//}

//if ($password <> $password2) {
//    $msg = $msg . "Both passwords are not matching<BR>";
//    $status = "NOTOK";
//}
echo <<< _END
<br />
<br />
<div id="user-login-form">
<form action="tbnl-profile.php" method="post" enctype="multipart/form-data">
$error
<ul class="single">
	<li><label>Password</label><input type='password' maxlength='32' name='pass' value='$pass' /></li>
	<li><label>New Password</label><input type='password' maxlength='32' name='newpass' value='$newpass' /></li>
	<li><input type="submit" name="submit" value="Submit" /></li>
</ul>
</form>
</div>
_END;

include ("../inc/page-bot.php");
?>

idk if you meant to do the following, but shouldn't

$password = $row["newpass"];
$newpass = md5($password);

be something like

$newpass = md5($newpass);

based on what it is now, you are taking the value from the newpass column of your table (which I'm not entirely sure actually exists), MD5-ing that value and setting it as the actual password. The password entered in the form doesn't even take part in the script at all.

Ok,

Ya, I misunderstood what I was doing; with a bit more research I was able to figure it out.

Here is what I did. Is this an OK way of doing this??

<?php
$sheet_name = "tbnl-profile";
include ("../inc/control.php"); //main inc dir.
include ("inc/tbnl-functions.php"); //users inc dir.
include ("inc/tbnl-header.php");
include ("../inc/page-top.php");
echo $content;
if (!isset($_SESSION['user']))
    die("<br /><br />You need to login to view this page");
$user = $_SESSION['user'];
if (isset($_POST['pass'])) {
    $pass = sanitizeString($_POST['pass']);
    $newpass = sanitizeString($_POST['newpass']);
    if ($pass == "" || $newpass == "") {
        $error = "<p class=\"main-text\">Not all fields were entered</p><br />";
    } else {
        mysql_query("select * from tbnlmembers where user='$user'") or die("cannot select from email");
        $newpass = md5($newpass);
        mysql_query("update tbnlmembers set pass='$newpass' where user='$user'") or die("cannot send your password");
    }
}
//if (strlen($password) < 3 or strlen($password) > 8) {
//    $msg = $msg . "Password must be more than 3 char legth and maximum 8 char lenght<BR>";
//    $status = "NOTOK";
//}

//if ($password <> $password2) {
//    $msg = $msg . "Both passwords are not matching<BR>";
//    $status = "NOTOK";
//}
echo <<< _END
<br />
<br />
<div id="user-login-form">
<form action="tbnl-profile.php" method="post" enctype="multipart/form-data">
$error
<ul class="single">
	<li><label>Password</label><input type='password' maxlength='32' name='pass' value='$pass' /></li>
	<li><label>New Password</label><input type='password' maxlength='32' name='newpass' value='$newpass' /></li>
	<li><input type="submit" name="submit" value="Submit" /></li>
</ul>
</form>
</div>
_END;

include ("../inc/page-bot.php");
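
Added example, not part of the original thread or the poster's code: the handler above never compares the submitted current password with the stored one and stores an unsalted MD5, so this version checks the old password first, uses bound parameters, and stores a `password_hash()` value. The `changePassword()` helper, the use of PDO, and the in-memory SQLite demo data are assumptions; the `tbnlmembers`, `user` and `pass` names come from the thread.

```php
<?php
// Added example: verify the current password, then store a salted, slow hash.
// Table/column names (tbnlmembers, user, pass) are taken from the thread;
// changePassword() and the in-memory SQLite database are assumptions.

function changePassword(PDO $db, string $user, string $current, string $new): bool
{
    // Bound parameter instead of interpolating $user into the SQL string.
    $stmt = $db->prepare('SELECT pass FROM tbnlmembers WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                       // no such user
    }

    // Accept a password_hash() value, or a legacy unsalted MD5 row so
    // existing accounts can still change their password once.
    $ok = password_verify($current, $stored)
        || hash_equals($stored, md5($current));
    if (!$ok) {
        return false;                       // current password is wrong
    }

    // Hash the raw input; do not run it through an HTML/SQL sanitizer first.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $upd = $db->prepare('UPDATE tbnlmembers SET pass = ? WHERE user = ?');
    return $upd->execute([$hash, $user]);
}

// Constructed demo data: one member whose row still holds an MD5 hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbnlmembers (user TEXT PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO tbnlmembers VALUES (?, ?)')
   ->execute(['demo', md5('old-secret')]);

var_dump(changePassword($db, 'demo', 'wrong-guess', 'n3w-Secret!'));  // wrong current password
var_dump(changePassword($db, 'demo', 'old-secret', 'n3w-Secret!'));   // legacy MD5 row
var_dump(changePassword($db, 'demo', 'n3w-Secret!', 'another-0ne'));  // row already upgraded
```

The `pass` column has to be wide enough for `password_hash()` output; the PHP manual recommends 255 characters, whereas a column sized for MD5 hex holds only 32.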

Ran into an extra problem. I decided to send the user off to a page that says the password has been changed, then I give them a link to go back to the profile page. When I click it, it says I need to be logged in to view the page. I'm not sure why my session isn't being passed.

So my change password form has action=profile-update-page.php

<?php
$sheet_name = "tbnl-profile-updated";
include ("../inc/control.php"); //main inc dir.
include ("inc/tbnl-functions.php"); //users inc dir.
include ("inc/tbnl-header.php");
include ("../inc/page-top.php");
echo $content;
if (!isset($_SESSION['user']))
    die("<br /><br />You need to login to view this page");
$user = $_SESSION['user'];


if (isset($_POST['pass'])) {
    $pass = sanitizeString($_POST['pass']);
    $newpass = sanitizeString($_POST['newpass']);
    if ($pass == "" || $newpass == "") {
        $error = "<p class=\"main-text\">Not all fields were entered</p><br />";
    } else {
        mysql_query("select * from tbnlmembers where user='$user'") or die("cannot find user");
        $newpass = md5($newpass);
        mysql_query("update tbnlmembers set pass='$newpass' where user='$user'") or die("cannot reset password");
    }
}
//if (strlen($password) < 3 or strlen($password) > 8) {
//    $msg = $msg . "Password must be more than 3 char legth and maximum 8 char lenght<BR>";
//    $status = "NOTOK";
//}

//if ($password <> $password2) {
//    $msg = $msg . "Both passwords are not matching<BR>";
//    $status = "NOTOK";
//}
echo <<< _END
<br />
<div id="warning-box-ty"><p class="main-text">Your profile has been updated, please <a href="http://www.tbaynightlife.com/users/tbnl-profile.php?user=$user">Click Here</a> to return to your profile page.<br /><br /></p></div>
<br />
<p class="main-text">$user</p>
_END;
include ("../inc/page-bot.php");
?>

The user is still recognized here; when I click the link just above, the session gets dropped. Any ideas? This is one part I'm very unsure of.

And this again is my profile page:

<?php
$sheet_name = "tbnl-profile";
include ("../inc/control.php"); //main inc dir.
include ("inc/tbnl-functions.php"); //users inc dir.
include ("inc/tbnl-header.php");
include ("../inc/page-top.php");
echo $content;
if (!isset($_SESSION['user']))
    die("<br /><br />You need to login to view this page");
$user = $_SESSION['user'];


echo <<< _END
<br />
<br />
<div id="user-sign-up-form">
<form action="tbnl-profile-updated.php" method="post" enctype="multipart/form-data">
$error
<ul class="single">
	<li><label>Current Password</label><input type='password' maxlength='32' name='pass' value='$pass' /></li>
	<li><label>New Password</label><input type='password' maxlength='32' name='newpass' value='$newpass' /></li>
	<li><input type="submit" name="submit" value="Submit" /></li>
</ul>
</form>
</div>
_END;

include ("../inc/page-bot.php");
?>
