
PHP On Submit Change Database Values


Raqumine


I currently have a login and a registration system online. But right now I am making a User CP, where the user can change their password and their "clan name." Yes, this is for a gaming site.

Here are the scripts I have so far...

Usercp.html

<html>

<form name="change" method="post" action="change.php">
<table border="0" width="225" align="center">
    <tr>
  <td width="219" bgcolor="#99">
    <p align="center"><font color="white"><span style="font-size:12pt;"><b></b></span></font></p>
  </td>
    </tr>
    <tr>
  <td width="219">
    <table border="0" width="282" align="center">
    <tr>
    <td width="116"><span style="font-size:10pt;"> Desired Clan Name:</span></td>
    <td width="156"><input type="text" name="clanname" maxlength="100"></td>
    </tr>
    <tr>
    <td width="116"><span style="font-size:10pt;">Current Password:</span></td>
    <td width="156"><input type="text" name="currentpassword" maxlength="100"></td>
    </tr>
    <tr>
    <td width="116"><span style="font-size:10pt;">New Password:</span></td>
    <td width="156"><input type="text" name="newpassword"></td>
    </tr>
    <tr>
    <td width="116"> </td>
    <td width="156">
    <p align="right"><input type="submit" name="submit" value="Submit"></p>
    </td>
    </tr>
    </table>
  </td>
    </tr>
    <tr>
  <td width="219" bgcolor="#99"> </td>
    </tr>
</table>
</form>
</html>

change.php

<html>
<?PHP

//Database Information

$dbhost = "localhost";
$dbname = "removed";
$dbuser = "removed";
$dbpass = "removed";

//Connect to database

mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

$currentpass = $_POST['currentpassword'];
$newpass = $_POST['newpassword'];    
$clanname = $_POST['clanname'];

// lets check to see if the password is correct

$checkpassword = mysql_query("SELECT username FROM users WHERE password='$currentpass'");

// mysql_num_rows() needs the result returned by the query above
$currentpass_exist = mysql_num_rows($checkpassword);

if($currentpass_exist > 0){

// If no errors present with the password
// use a query to insert the data into the database.

$query = "INSERT INTO users (password, `Clan name`)
VALUES('$newpass', '$clanname')";
mysql_query($query) or die(mysql_error());
mysql_close();

echo "Information has been updated.";

}

?>
</html>

I know most of it, if not all, is incorrect. If someone could help me, that would be great.


I only gave the code a cursory review, but the query you're using should be an UPDATE / SET query, not an INSERT query, to change the records rather than create new ones. You also need to sanitize the user-supplied data from the form before putting it in a DB query string. There may be other issues as well, but let's start with those. :)

$query = "UPDATE `table` SET `field` = '$string', `field2` = $integer WHERE `key` = $id LIMIT 1";
mysql_query($query);

To sanitize an input means to make it safe to stick in your database or something related. In your case, you want the function "mysql_real_escape_string()" used as follows:

$clean = mysql_real_escape_string($dirty);

Then, $clean is safe to insert in database. The issue here is SQL Injections. (Google it).

I'm sorry, but I am a noob at PHP. I do not quite understand what you are saying. Would you care to elaborate?


At this point I am not concerned about SQL Injections; this is more of a personal accomplishment than anything.
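
The two points from the replies (UPDATE rather than INSERT, and keeping form input from changing the query) combined into one change.php, as an added example that is not code from the thread. It swaps the replies' mysql_real_escape_string() for PDO prepared statements, since the mysql_* functions were removed in PHP 7. Assumed, not from the thread: the login script sets $_SESSION['username'], the password column holds a password_hash() value, and the clan column is named clan_name; the DSN and credentials are placeholders.

```php
<?php
// Added example, not code from the thread. Assumptions: $_SESSION['username'] is
// set at login; table `users` has columns `username`, `password` (password_hash()
// output) and `clan_name`; DBNAME / DBUSER / DBPASS are placeholders.
session_start();

function change_account(PDO $db, string $username, string $currentPass,
                        string $newPass, string $clanName): string
{
    // Check the password of the logged-in user's own row, not "any row
    // that happens to have this password".
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $storedHash = $stmt->fetchColumn();

    if ($storedHash === false || !password_verify($currentPass, $storedHash)) {
        return 'Current password is incorrect.';
    }
    if ($newPass === '' || $clanName === '') {
        return 'New password and clan name are required.';
    }

    // UPDATE changes the existing row; WHERE limits it to this one user.
    // Values are bound as parameters, so quotes in them cannot alter the SQL.
    $stmt = $db->prepare(
        'UPDATE users SET password = ?, clan_name = ? WHERE username = ?'
    );
    $stmt->execute([password_hash($newPass, PASSWORD_DEFAULT), $clanName, $username]);

    return $stmt->rowCount() === 1 ? 'Information has been updated.' : 'Nothing was changed.';
}

// Treat missing or non-string fields (e.g. clanname[]=x) as empty input.
$field = fn(string $key): string => is_string($_POST[$key] ?? null) ? $_POST[$key] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_SESSION['username'])) {
    $db = new PDO(
        'mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );
    $message = change_account(
        $db, $_SESSION['username'],
        $field('currentpassword'), $field('newpassword'), $field('clanname')
    );
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```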
