Change Password, PHP.

[`Karl]

Okay, I have it working, but atm anyone can change anyone's password.

 

Here's my form:

<form action="changepass.php" method="post">
<font color="#FFFFFF" size="1">
<input type="text" name="id" value="Username"/>
      <b><input type="text" name="oldpassword" value="Current Password"/></font></b>
<input type="text" name="newpassword" value="New Password"/></font></b>
<b><input type="text" name="connewpassword" value="Confirm New"/></font></b>
<input type="submit" value="submit"/></font></b>
</form>

 

Changepass.php:

?php
$con = mysql_connect("*");

if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }
mysql_select_db("*", $con);

$sql="UPDATE users SET `password` = '$_POST[password]' WHERE `username` = '$_POST[id]'";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
echo "<font color='#FFFFFF' size='2'>1 record updated</font>";

mysql_close($con)

?> 

 

How would I make it check the username and current password are correct, if they are, change it to the new password (which has to be confirmed with both fields) or die if anything is wrong.

 

Thanks in advance

~Karl

[fenway]

Ignoring the obvious security issues here, I assume you have a session with their current username.

[Russia]

Here is a simple one I made:

 

<?php 
error_reporting(E_ALL); 
$config = "inc/config.php"; 
if(file_exists($config)) 
{ 
    include($config); 
} 
else 
{ 
    die("config dir incorrect<br />"); 
} 

if (isset($_POST['chpass']))  
{ 
    $newPass = $_POST['newpass']; 
    $veri = $_POST['veri']; 
    $strcmp = strcmp($newPass, $veri);
    if($strcmp == 0)
    {
        $result = mysql_query("SELECT * FROM `members` WHERE id = '1'"); 
        if(mysql_num_rows($result)!=0) 
        { 
            $row = mysql_fetch_array($result); 
            $pass = $row['password']; 
            if(strcmp($_POST['oldpass'], $pass) == 0)  
            { 
                $newPass = strip_tags(mysql_real_escape_string($newPass)); 
                mysql_query("UPDATE `members` SET password = '$newPass' where id = '$member'"); 
                echo "Your Password has been changed. Please out to verify the password change. <br> <hr>"; 
            } 
            else 
            { 
                echo "The old password is incorrect. Please try again. <br> <hr>";     
            } 
        } 
        else 
        { 
            echo "Could not find the member you are changing the password for. <br> <hr>";     
        } 
    }
    else
    {
        echo "Your new password's do not match. Please try again.<br> <hr>";
    }
} 

?> 

<form action="accounts-password.php" method="POST"> 
<input type="hidden" name="member" value="1" /> 

<span style="float: left;">
Your old Password: (<a href="javascript:alert('This is the subject of the email that is being sent to your email.');">?</a>) 
</span>
<span style="float: right;">
<input size="40" type="password" name="oldpass">
</span>
<br><br>
<hr>

<span style="float: left;">
Your New Password: (<a href="javascript:alert('This is the subject of the email that is being sent to your email.');">?</a>) 
</span>
<span style="float: right;">
<input size="40" type="password" name="newpass">
</span>
<br><br>

<span style="float: left;">
Re-Type Your New Password: (<a href="javascript:alert('This is the subject of the email that is being sent to your email.');">?</a>) 
</span>
<span style="float: right;">
<input size="40" type="password" name="veri">
</span>



<br><br>
<hr>


<center>
<input name="chpass" id="submit" value="Change Password" type="submit">
</center>

</form> 

 

IT may or may not suit you since for me all I needed to chaneg was the user with the id 1.