
change password script not working


silverglade


Hi, I have a change password script that is giving me an error when I submit the email and password and hit submit. Any help is GREATLY appreciated. Here is the error I get:

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /hermes/bosweb/web173/b1739/sl.brendansite1/public_html/OLDMASTERCOPIES/passrecovery8.php on line 38

 

That email does not exist in the database

 

 

 

And here is the code to my page:

 

<?php
include("connect1.php");

ini_set('display_errors', 1);
error_reporting(E_ALL);   // GREAT SNIPPET FOR DEBUGGING: OUTPUTS ERRORS TO SCREEN

    if (isset($_POST['email']) && isset($_POST['Password']) && isset($_POST['Confirm']))
    {

       // Declare Variables
        $email = mysql_real_escape_string($_POST['email']);
        $Password = mysql_real_escape_string($_POST['Password']);
        $Confirm = mysql_real_escape_string($_POST['Confirm']);

        // Encrypt passwords with md5 encryption
        $Password = md5($Password);
        $Confirm = md5($Confirm);

        if($Password != $Confirm)
        {
        echo "<br>The two passwords did not match<br>";
         echo "Please enter your email: <form action=\"passrecovery8.php\" method=\"POST\">
<input type=\"email\" name=\"email\"><br>
<br>
<br><br><br>Please enter your new password:<br>
<input type=\"password\" name=\"Password\"><br>
<br>
Please Confirm that new Password:<br>

<input type=\"password\" name=\"Confirm\"><br>
<br><input type=\"submit\" value=\"Set Password\"></form>";
         exit;
        }

      // Check if the email already exists in database
       
      $query = "SELECT * FROM members_videos WHERE Email = '$email' ";
      $results = mysql_num_rows(mysql_query($query));
     
   
      
  if ($results > 0)
      {

          // Insert information to the database
          mysql_query("UPDATE members_videos SET Password='$Password' WHERE Email='$email'");

          //Send them to login
          header("Location:http://oldmastercopies.com/success.html");
      }
      else
      {
          echo "<br>That email does not exist in the database<br>";
      }
}
    else 
    {
        // Displaying Forms
        echo "Please enter your email: <form action=\"passrecovery8.php\" method=\"POST\">
            <input type=\"text\" name=\"email\"><br>
            <br>
             <br><br>Please enter your new password:<br>
            <input type=\"password\" name=\"Password\"><br>
            <br>
            Please Confirm that new Password:<br>
         
        <input type=\"password\" name=\"Confirm\"><br>
            <br><input type=\"submit\" value=\"Set Password\"></form>";
    }

?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Reset Password Page</title>
</head>

<body>
</body>
</html>

Link to comment
Share on other sites

sorry how do i run the query? please.

 

Oh, sorry, I didn't see you had mysql_query() inside the mysql_num_rows() function. It's better to split up the steps to make debugging easier. I'll add an "or die()" so you can see the error, but it's best to not leave that in when you go to production.

 

//Create the query
$query = "SELECT * FROM members_videos WHERE Email = '$email' ";
$result = mysql_query($query) or die ("Query:<br>$query<br>Error:<br>".mysql_error());
$results = mysql_num_rows($result);

Link to comment
Share on other sites

FYI: No need to use mysql_real_escape_string() on values that you will use MD5() on. In fact it is probably a bad idea. If the user enters characters that mysql_real_escape_string() modifies then the MD5 value will be of that modified string, not the user's password.

 

Probably doesn't make a big difference in most situations. But, by doing that your data is now dependent on php & mysql. Data should be language and environment independent. If you ever wanted to change to a different database application or if you wanted to create an application in a different language that uses the same data, you would have to create a function that mimics mysql_real_escape_string().

Link to comment
Share on other sites

By removing mysql_real_escape_string(), OP is not going to make his app database independent, because he is using mysql_connect(), mysql_select_db(), mysql_query(), mysql_num_rows().

 

Also, if you wrote the same app in a different language you would still need to use a function that does something similar to mysql_real_escape_string() otherwise the app would be vulnerable to SQL Injection. If OP removes the use of that function in his current code then he will become vulnerable to SQL Injection.

Link to comment
Share on other sites

All valid points only in the context of the application he currently has, which cannot support these things. The fact remains that by using mysql_real_escape_string() and THEN using MD5(), the hashed value in the database is NOT the hashed value of what the user entered. I was only providing some useful info for future use.

 

As for your other critiques...

 

One thing I always try to profess is that you should always separate your logic from the presentation. By doing that, it is a simple matter to create a web application that is database independent. There are plenty of database classes that allow you to run the same PHP application off of any number of databases.

 

As for creating a separate app to use the same data, yes, that app would need a similar function to guard against SQL injection and many languages already have that functionality, so I'm not sure what your point is. If anything it only supports my point. mysql_real_escape_string() ensures that the data saved in the database is exactly the data entered. The escaping of certain characters will ensure that the original character is what is saved. It just so happens that the function provides dual duty in also protecting against SQL injection. It may be that another application needs to escape characters differently but will end with the same result in the database. That is why there is no need, or even a reason, to escape text that will be hashed. The MD5() algorithm is application independent.

 

If you don't believe me, just do a Google search for "data independence" or "database independence" and you will find numerous resources on the subject.

Link to comment
Share on other sites

I agree with you about using mysql_real_escape_string() before md5(), of course doing that could cause problems. I was not referring to that part of your post (not sure how you thought I was).

 

My point is you said that by using mysql_real_escape_string() OP's code is dependent on MySQL, well it was anyway because of all the other mysql functions in use. You also seemed to suggest removing mysql_real_escape_string() altogether, which led to my comment about that resulting in OP's script being vulnerable.

 

For database independent code I use PDO. Although I honestly don't think OP will be interested in that yet because it looks like he is just learning PHP with MySQL at the moment.

Link to comment
Share on other sites

My point was that by using mysql_real_escape_string() and then using md5() on a value was creating tainted data, i.e. the value being stored was not the hashed value of what the user entered. And I agree that there is a lot the OP would need to change to, in fact, get to a data independent solution, but this one problem was at least a good example of something not to do.

Link to comment
Share on other sites
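
The escape-then-hash problem and the PDO approach discussed in this thread, as an added example that is not part of any poster's code: it shows that hashing an escaped password stores the hash of a different string, then hashes the raw input and passes the values as bound parameters. It assumes an in-memory SQLite database with constructed values, uses addslashes() as a stand-in for mysql_real_escape_string() (which needs a live MySQL connection), and swaps md5() for PHP's password_hash()/password_verify().

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// original post; the in-memory SQLite database and all values are constructed.

// 1) Escaping before hashing: the stored hash is of a different string.
$typed   = "pa'ss\"word";       // constructed password containing quote characters
$escaped = addslashes($typed);  // stand-in for mysql_real_escape_string()
echo "raw:     $typed => ", md5($typed), "\n";
echo "escaped: $escaped => ", md5($escaped), "\n";

// 2) Hash the raw input; bound parameters keep the values out of the SQL text.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members_videos (Email TEXT PRIMARY KEY, Password TEXT)');
$pdo->prepare('INSERT INTO members_videos (Email, Password) VALUES (?, ?)')
    ->execute(['user@example.com', password_hash('old-password', PASSWORD_DEFAULT)]);

function changePassword(PDO $pdo, string $email, string $password, string $confirm): string
{
    if ($password !== $confirm) {          // compare what was typed, not hashes
        return 'passwords differ';
    }
    $stmt = $pdo->prepare(
        'UPDATE members_videos SET Password = :hash WHERE Email = :email'
    );
    $stmt->execute([
        ':hash'  => password_hash($password, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    return $stmt->rowCount() === 1 ? 'updated' : 'unknown email';
}

function passwordMatches(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT Password FROM members_videos WHERE Email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

echo changePassword($pdo, 'user@example.com', $typed, $typed), "\n";
// An email value containing quotes is matched as data and finds no row.
echo changePassword($pdo, "nobody' OR '1'='1", $typed, $typed), "\n";
var_dump(passwordMatches($pdo, 'user@example.com', $typed));
```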
