Tenaciousmug Posted August 13, 2010

I'm trying to let the users change their password, but every time I try.. it just changes the password to what they type in whether or not the password they currently have is right or not.. x_x

I have the password set as an MD5 so I'm guessing I have to select the password from the database as an MD5, but I don't know how to do that..

```php
<?php
include("logincheck.php");
$newpass = $_POST['newpass'];
$username = $_SESSION['username'];
$password = $_POST['password'];
?>
<?php include_once("header.php"); ?>
Welcome to your settings. This is where you can manage everything on your account!
<br><br>----------<b>Change Password</b>----------
<form action="<?php echo $_SERVER['SCRIPT_NAME']?>" method="post">
<?php
$type = "text";
echo "
<p>Type your current password:<br>
<input size='25' name='password' type='$type'></input></p>
<p>Type your new password:<br>
<input size='25' name='newpass' type='$type'></input></p>
<p>Verification:<br>
<img src='randomimage.php'><br>
<input name='txtNumber' type='text' id='txtNumber' value=''>
<br>";
?>
<input type="submit" name="changepass" value="submit" />
</form>
<?php
if (@$_POST['changepass'])
{
    include("haha.php");
    $cxn = mysqli_connect($dbhost,$dbuser,$dbpassword,$dbdatabase);
    $sql = "SELECT `password` FROM `Member` WHERE `username`='$username'";
    $result = mysqli_query($cxn,$sql) or die("Query died: password");
    if($result = $password) //password matches
    {
        $number = $_POST['txtNumber'];
        if (md5($number) == $_SESSION['image_random_value'])
        {
            $sql = "UPDATE Member SET password = md5('$newpass') WHERE username = '$username'";
            mysqli_query($cxn,$sql) or die("Query died: update");
        }
    }
}
?>
<?php include_once("footer.php"); ?>
```

Link to comment https://forums.phpfreaks.com/topic/210652-coding-a-simple-password-change/

Pikachu2000 Posted August 13, 2010

```php
if($result = $password)
```

<-- will always evaluate to TRUE. You need to use a comparison == operator there instead of an assignment . . .

wildteen88 Posted August 13, 2010

You should compare the username/password within the query; if the old password and username match a record then change the password to the new one.

```php
<?php
// check that form has been submitted
if(isset($_POST['changepass']))
{
    // grab username and old password
    $username = $_SESSION['username'];
    // md5 the old password
    $old_password = md5($_POST['password']);

    // make sure the old password matches the current password within the database
    $sql = "SELECT username, password FROM Member WHERE username='$username' AND password='$old_password";
    $result = mysqli_query($cxn, $sql) or die("Query died: password");

    // check that there has been a match.
    if(mysqli_num_rows($result) === 1)
    {
        // md5 the new password and update the database
        $new_password = md5($_POST['newpass']);
        $sql = "UPDATE Member SET password = '$new_password' WHERE username = '$username'";
        mysqli_query($cxn, $sql) or die("Query died: update");;
    }
}
?>
```

Tenaciousmug Posted August 13, 2010

Wildteen, every time I try to use your code.. it just says "Query died: password". It's not going through.

Pika, yours won't even let me change it anymore when I do that.. x_x I'm so confused.

wildteen88 Posted August 13, 2010

I've not included the code for connecting to mysql/database. You'll need to add that.

You may want to add mysqli_error when your query fails.

Tenaciousmug Posted August 13, 2010

It still gives me that. x_x I already had it added in. -looks over code again-

Edit: Are you sure this is how you code when selecting two fields from the database? This is the part that has to be throwing it off:

```php
$sql = "SELECT username, password FROM Member WHERE username='$username' AND password='$old_password";
```

wildteen88 Posted August 13, 2010

I have a mistake in my code. I left off the ' after $old_password on this line:

```php
$sql = "SELECT username, password FROM Member WHERE username='$username' AND password='$old_password";
```

Change "; to '";

Tenaciousmug Posted August 13, 2010

Yeah I already saw that. There were a lot of mistakes punctuation-wise.

Thanks everyone for replying! It works along with the image verification code.

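Added example, not part of any post in this thread: one way to do the current-password check the thread arrives at, extended beyond it to use prepared statements and password_hash() in place of interpolated SQL and unsalted MD5. It assumes an open mysqli connection in $cxn, a started session, and the thread's Member(username, password) table with the password column widened to hold password_hash() output; the function names are hypothetical.

```php
<?php
// Added example, not code from the thread. Assumes: $cxn is an open mysqli
// connection, table Member(username, password) as in the thread, and the
// password column widened (e.g. VARCHAR(255)) to hold password_hash() output.

// Check a candidate password against a stored value that is either a
// password_hash() string or a legacy unsalted MD5 hex digest.
function stored_password_matches(string $candidate, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: constant-time compare of the MD5 digests.
        return hash_equals(strtolower($stored), md5($candidate));
    }
    return password_verify($candidate, $stored);
}

// Returns true only if the current password was correct and the row updated.
function change_password(mysqli $cxn, string $username, string $current, string $new): bool
{
    // Placeholders keep user input out of the SQL text.
    $stmt = $cxn->prepare('SELECT password FROM Member WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();   // true when a row was fetched, null when none
    $stmt->close();

    if ($found !== true || !stored_password_matches($current, $stored)) {
        return false;          // unknown user or wrong current password
    }

    // Store a salted, slow hash; this also upgrades legacy MD5 rows.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $cxn->prepare('UPDATE Member SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $hash, $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Form handler, using the thread's field names and captcha session value.
if (isset($_POST['changepass'], $_POST['password'], $_POST['newpass'], $_POST['txtNumber'])
    && hash_equals((string) ($_SESSION['image_random_value'] ?? ''), md5($_POST['txtNumber']))) {
    $changed = change_password($cxn, $_SESSION['username'], $_POST['password'], $_POST['newpass']);
    echo $changed ? 'Password changed.' : 'Current password is incorrect.';
}
```

The site's login check has to verify passwords with the same helper, otherwise rows upgraded by this code will no longer match an MD5 comparison.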
This topic is now archived and is closed to further replies.