Jump to content

Recommended Posts

I'm trying to let the users change their password, but everytime I try.. it just changes the password to what they type in whether or not the password they currently have is right or not.. x_x

I have the password set as an MD5 so I'm guessing I have to select the password from the database as an MD5, but I don't know how to do that..

 

<?php
include("logincheck.php");
$newpass = $_POST['newpass'];
$username = $_SESSION['username'];
$password = $_POST['password'];
?>
<?php include_once("header.php"); ?>
Welcome to your settings. This is where you can manage everything on your account!
<br><br>----------<b>Change Password</b>----------

<form action="<?php echo $_SERVER['SCRIPT_NAME']?>" method="post">

<?php
$type = "text";
echo "
<p>Type your current password:<br>
<input size='25' name='password' type='$type'></input></p>
<p>Type your new password:<br>
<input size='25' name='newpass' type='$type'></input></p>
<p>Verification:<br>
<img src='randomimage.php'><br>
<input name='txtNumber' type='text' id='txtNumber' value=''>
<br>";
?>

<input type="submit" name="changepass" value="submit" />
</form>

<?php
if (@$_POST['changepass']) {
include("haha.php");
$cxn = mysqli_connect($dbhost,$dbuser,$dbpassword,$dbdatabase);
$sql = "SELECT `password` FROM `Member` WHERE `username`='$username'";
$result = mysqli_query($cxn,$sql) or die("Query died: password");
if($result = $password) //password matches
{
$number = $_POST['txtNumber'];
if (md5($number) == $_SESSION['image_random_value'])
{
$sql = "UPDATE Member SET password = md5('$newpass') WHERE username = '$username'";
mysqli_query($cxn,$sql) or die("Query died: update");
}}}
?>
<?php include_once("footer.php"); ?>

Link to comment
https://forums.phpfreaks.com/topic/210652-coding-a-simple-password-change/
Share on other sites

You should compare the username/password within the query, if the old password and username matches a record then change the password to the new one.

 

<?php

// check that form has been submitted
if(isset($_POST['changepass']))
{
     // grab username and old password
     $username = $_SESSION['username'];

     // md5 the old password
     $old_password = md5($_POST['password']);

     // make sure the old password matches the current password within the database
    $sql = "SELECT username, password FROM Member WHERE username='$username' AND password='$old_password";
    $result = mysqli_query($cxn, $sql) or die("Query died: password");

    // check that there has been a match.
    if(mysqli_num_rows($result) === 1)
    {
        // md5 the new password and update the database
        $new_password = md5($_POST['newpass']);
        $sql = "UPDATE Member SET password = '$new_password' WHERE username = '$username'";
        mysqli_query($cxn, $sql) or die("Query died: update");;
    }
}

?>

It still gives me that. x_x I already had it added in.

-looks over code again-

 

edit

Are you sure this is how you code when selecting two fields from the database? This is the part that has to be throwing it off:

$sql = "SELECT username, password FROM Member WHERE username='$username' AND password='$old_password";

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.