reel_biggy_fish Posted September 5, 2010

Hi, I have a page where a user can change his password. What I want to achieve is a way of checking the database to see if the text the user has entered in the textboxes already exists in the db, and if it does exist, change a certain part. For example, the user goes to the address, types in the email, username and password twice. If the username and email match in the db, I would like the password to write over the old password that was in the db. I keep confusing myself: when I think I know what I'm doing, I keep stumbling. I know this sounds a bit confusing, so please ask if you need more understanding.

So far I've got:

<?php
$n=$_POST['uname'];
$e=$_POST['email'];
if( $_POST['submitted'] == 'yes' ) {
    if( $_POST['pass_1'] != $_POST['pass_2'] ) {
        // fields don't match, so do something to indicate the error . . .
        echo '<p>Passwords Do Not Match</p>';
    }
    // connect to the db
    include('config.php');
    $query="select * from user where uname='$n' and email='$e'";
    $result=mysql_query($query);
}
?>
<form action="" method="post">
<input type="text" name="uname" id="uname" size="30">
<input type="text" name="email" id="email" size="30">
<input type="password" name="pass_1" />
<input type="password" name="pass_2" />
<input type="hidden" name="submitted" value ="yes" />
<input type="submit" name="submit" value="Change Password" />
</form>

Just by looking at my code again I think it's not right at all; the first PHP bit is only checking the password textboxes. I think I need to remove my email and username out of that form and put them in another. Am I right? Sorry, I'm not that good at PHP or MySQL.

Thanks in advance and sorry for such a long read.

petroz Posted September 5, 2010

I think a different approach may be a little bit easier. Typically, when I have user info that can be updated, I present the user with a form to edit the fields. The trick is to preload the form with the correct data from the database, so that when the user submits the update, any field they want to edit is updated with one update query and the data from the form. Let me know if that makes sense or not.

reel_biggy_fish Posted September 5, 2010

I'm not 100% sure what you mean. Do you preload all the info in there already? Or do you just have a form that corresponds to the db fields? I would still need to make a security check and I can't see how to make one with the way you suggest. Could you explain a bit more please?

petroz Posted September 5, 2010

Here is a little example. I haven't actually run this, but this is a dry version of what I am talking about...

<?php
//vars
$id = $_GET['id']; //set the user id from the url

if($_SERVER['REQUEST_METHOD'] == "POST"){ //if the update form has been submitted
    //get the form data
    $first = $_POST['first'];
    $last = $_POST['last'];
    //update the database
    $update = mysql_query("UPDATE `users` SET `first` = '$first', `last` = '$last' WHERE `id` = '$id'");
    //load the form data
    $user = mysql_fetch_array(mysql_query("SELECT `first`, `last` FROM `users` WHERE `id` = '$id'"));
    //load the form with an update message
    echo "Successfully Updated";
    ?>
    <form action="update.php?id=<?php echo $id;?>" method="post">
    <input type="text" name="first" value="<?php echo $user['first'];?>">
    <input type="text" name="last" value="<?php echo $user['last'];?>">
    </form>
    <?php
} else { //the update form has not been submitted
    //load the form data
    $user = mysql_fetch_array(mysql_query("SELECT `first`, `last` FROM `users` WHERE `id` = '$id'"));
    //load the form
    ?>
    <form action="update.php?id=<?php echo $id;?>" method="post">
    <input type="text" name="first" value="<?php echo $user['first'];?>">
    <input type="text" name="last" value="<?php echo $user['last'];?>">
    </form>
    <?php
}

reel_biggy_fish Posted September 5, 2010

If my users don't have an id but instead check username (uname), would this be it?

$update = mysql_query("UPDATE `users` SET `first` = '$first', `last` = '$last' WHERE `uname` = '$id'");

This has confused me just a bit more when I want to change just their password. I understand being able to change everything is a good idea, which I think I might stick with. But if I was to check if uname and email exist (as that is the only way of telling them apart... I know, not great), how would I update the password when I already have two textboxes that need to match first?

I think that's a little confusing; let me know if you need me to explain it a bit better.

petroz Posted September 5, 2010

Can you post your entire script?

reel_biggy_fish Posted September 5, 2010

<?php
$n=$_POST['uname'];
$e=$_POST['email'];
if($_POST['submitted'] == 'yes' ) {
    if( $_POST['pass_1'] != $_POST['pass_2'] ) {
        // fields don't match, so do something to indicate the error . . .
        echo '<p>Passwords Do Not Match</p>';
    }
    // connect to the db
    include('config.php');
    $query="select * from user where uname='$n' and email='$e' or die(mysql_error());";
    $result=mysql_query($query);
    $row = mysql_fetch_array($result);
    if($result = 1) {
        //insert values into certain places
    } else {
        echo '<p>ERRRRRRROR!</p>';
    }
}
?>
<form action="" method="post">
<input type="text" name="uname" id="uname" size="30">
<input type="text" name="email" id="email" size="30">
<input type="password" name="pass_1" />
<input type="password" name="pass_2" />
<input type="hidden" name="submitted" value ="yes" />
<input type="submit" name="submit" value="Change Password" />
</form>

petroz Posted September 5, 2010

Sorry.. didn't realize that was the entire script..

petroz Posted September 5, 2010

I definitely do not recommend giving your users the ability to update the database this way.. If they can guess a uname and email pair, then they can change other people's passwords... But here is an update just updating the password field.

<?php
$n=$_POST['uname'];
$e=$_POST['email'];
if($_POST['submitted'] == 'yes' ) {
    if( $_POST['pass_1'] != $_POST['pass_2'] ) {
        // fields don't match, so do something to indicate the error . . .
        echo '<p>Passwords Do Not Match</p>';
    }
    $pass = $_POST['pass_2'];
    // connect to the db
    include('config.php');
    $query="select * from user where uname='$n' and email='$e' or die(mysql_error());";
    $result=mysql_query($query);
    $row = mysql_fetch_array($result);
    if($result = 1) {
        //insert values into certain places
        $update_query = mysql_query("UPDATE `user` SET `pass` = '$pass' WHERE `uname` = '$n' AND `email` = '$e'");
    } else {
        echo '<p>ERRRRRRROR!</p>';
    }
}
?>
<form action="" method="post">
<input type="text" name="uname" id="uname" size="30">
<input type="text" name="email" id="email" size="30">
<input type="password" name="pass_1" />
<input type="password" name="pass_2" />
<input type="hidden" name="submitted" value ="yes" />
<input type="submit" name="submit" value="Change Password" />
</form>

reel_biggy_fish Posted September 5, 2010

What would you suggest? This was the way I thought up and thought it was a good idea. Now you've got me second guessing.

EDIT: I just tried the code you gave me, but for some reason no error is given when it searches the db and the username and email don't match.

petroz Posted September 5, 2010

First... what is the sole purpose of this script.. Second, are you using sessions at all?

reel_biggy_fish Posted September 5, 2010

I'll try and break it down for you:

A person has forgotten his or her password.
They enter their username and a contact email address.
An email is sent to them with a web link to change the password.
They enter their username and the original email address they registered with, and the password they want to change, twice for security.
If their username and email address match the ones they've entered and the passwords are all okay, write the new password into the db.
If username or email don't match, show an error.

I know at the top of my code I have that bit of PHP to check if the password textboxes match. That's something I need to keep, as they need to match to even continue as well.

I am using sessions on the pages that need you to be logged in. When I log into my blog it has session start() at the top etc.

petroz Posted September 5, 2010

So this script is essentially open to anyone who can guess a username and password match. I wouldn't recommend doing it this way, but here is a way to semi-secure the script and update the password. Again, I haven't tested this, so it might have an error or two..

<?php
$n=$_POST['uname'];
$e=$_POST['email'];
$p1 = $_POST['pass1'];
$p2 = $_POST['pass2'];
//the Referer header is stored under HTTP_REFERER; escape it before it is echoed into a link
$referrer = isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) : '';

//if form submitted
if($_SERVER['REQUEST_METHOD'] == "POST"){
    //check to see if passwords match
    if($p1 == $p2){
        //db config stuff
        include('config.php');
        //check to see if username and email exists
        $user_exists = mysql_num_rows(mysql_query("SELECT * FROM `user` WHERE `uname` = '$n' AND `email` = '$e'"));
        if($user_exists == 1){ //if there is one username and email pair
            //update the password
            $update_pass = mysql_query("UPDATE `user` SET `password` = '$p2' WHERE `uname` = '$n' AND `email` = '$e'");
            echo "Successfully Updated";
        } else { //cannot find 1 username and email pair
            echo 'Username and Email Pair does not exist. Go back and try again <a href="'.$referrer.'">here</a>';
        }
    } else { //passwords do not match
        echo "Passwords Do Not Match";
        echo 'Username and Email Pair does not exist. Go back and try again <a href="'.$referrer.'">here</a>';
    }
}
?>
<form action="" method="post">
<input type="text" name="uname" id="uname" size="30">
<input type="text" name="email" id="email" size="30">
<input type="password" name="pass_1" />
<input type="password" name="pass_2" />
<input type="hidden" name="submitted" value ="yes" />
<input type="submit" name="submit" value="Change Password" />
</form>

reel_biggy_fish Posted September 5, 2010

It kinda works, but I can't log in. It changes my password, but if the first textbox doesn't match the second it still changes it. The only problem is I can't log in any more.

$update_pass = mysql_query("UPDATE `user` SET pw=md5('$p2') WHERE `uname` = '$n' AND `email` = '$e'");

All I've changed is putting the password into the db using md5. I'll attach my login page (please bear in mind it's not the best login page), but I now can't log in at all when I update the password.

[attachment deleted by admin]

reel_biggy_fish Posted September 5, 2010

It kinda works, but I can't log in. It changes my password, but if the first textbox doesn't match the second it still changes it. The only problem is I can't log in any more.

$update_pass = mysql_query("UPDATE `user` SET pw=md5('$p2') WHERE `uname` = '$n' AND `email` = '$e'");

All I've changed is putting the password into the db using md5. I'll attach my login page (please bear in mind it's not the best login page), but I now can't log in at all when I update the password.

EDIT: I now can't get it to write to my database at all. When the passwords don't match it still says successfully updated and I can't work out why.

petroz Posted September 6, 2010

Can you repost the final code you are using? I set up a test and I can't get the script to allow anything if the passwords don't match.

reel_biggy_fish Posted September 6, 2010

This is my final code. I found out why it wasn't writing to the db: because of the $_POST['pass1'], which should have been pass_1.

<?php
$n=$_POST['uname'];
$e=$_POST['email'];
$p1 = $_POST['pass_1'];
$p2 = $_POST['pass_2'];
//the Referer header is stored under HTTP_REFERER; escape it before it is echoed into a link
$referrer = isset($_SERVER['HTTP_REFERER']) ? htmlspecialchars($_SERVER['HTTP_REFERER'], ENT_QUOTES) : '';

//if form submitted
if($_SERVER['REQUEST_METHOD'] == "POST"){
    //check to see if passwords match
    if($p1 == $p2){
        //db config stuff
        include('config.php');
        //check to see if username and email exists
        $user_exists = mysql_num_rows(mysql_query("SELECT * FROM `user` WHERE `uname` = '$n' AND `email` = '$e'"));
        if($user_exists == 1){ //if there is one username and email pair
            //update the password
            $update_pass = mysql_query("UPDATE `user` SET `pw` = md5('$p2') WHERE `uname` = '$n' AND `email` = '$e'");
            echo "Successfully Updated";
        } else { //cannot find 1 username and email pair
            echo 'Username and Email Pair does not exist. Go back and try again <a href="'.$referrer.'">here</a>';
        }
    } else { //passwords do not match
        echo 'Passwords Do Not Match Go back and try again <a href="'.$referrer.'">here</a>';
    }
}
?>
<form action="" method="post">
<input type="text" name="uname" id="uname" size="30">
<input type="text" name="email" id="email" size="30">
<input type="password" name="pass_1" />
<input type="password" name="pass_2" />
<input type="hidden" name="submitted" value ="yes" />
<input type="submit" name="submit" value="Change Password" />
</form>

What do you suggest to make it more secure? As I should learn to make it better.

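An added example, not code from any poster in this thread: the same username-and-email password update written with PDO prepared statements and `password_hash()` instead of interpolated SQL strings and `md5()`, with an explicit check that catches the empty `pass1`/`pass2` case described above. The in-memory SQLite table, the sample row and the function name `change_password` are assumptions so that it runs stand-alone; it does not solve the guessable username/email pair that petroz raises.

```php
<?php
// Added example. Constructed in-memory table standing in for the thread's `user` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (uname TEXT PRIMARY KEY, email TEXT, pw TEXT)');
$db->prepare('INSERT INTO user (uname, email, pw) VALUES (?, ?, ?)')
   ->execute(["o'brien", 'obrien@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Hypothetical helper: takes the posted fields, returns an error message or null on success.
function change_password(PDO $db, array $post): ?string
{
    // Read each field as a string; a missing or non-string field becomes ''.
    $f = [];
    foreach (['uname', 'email', 'pass_1', 'pass_2'] as $k) {
        $f[$k] = is_string($post[$k] ?? null) ? $post[$k] : '';
    }
    // Reject empty input before comparing: two missing fields are equal to each other.
    if ($f['pass_1'] === '' || $f['pass_1'] !== $f['pass_2']) {
        return 'Passwords do not match';
    }
    // Placeholders send the values separately from the SQL text, so a quote in
    // a username is data and cannot change the statement.
    $stmt = $db->prepare('UPDATE user SET pw = :pw WHERE uname = :n AND email = :e');
    $stmt->execute([
        ':pw' => password_hash($f['pass_1'], PASSWORD_DEFAULT), // salted, slow hash instead of md5()
        ':n'  => $f['uname'],
        ':e'  => $f['email'],
    ]);
    // Exactly one updated row means the username/email pair matched.
    return $stmt->rowCount() === 1 ? null : 'Username and email pair does not exist';
}

// Constructed requests: wrong field names (as with pass1/pass2), then a valid change.
var_dump(change_password($db, ['uname' => "o'brien", 'email' => 'obrien@example.test',
                               'pass1' => 'x', 'pass2' => 'y']));
var_dump(change_password($db, ['uname' => "o'brien", 'email' => 'obrien@example.test',
                               'pass_1' => 'new-passphrase', 'pass_2' => 'new-passphrase']));

// Login side: password_verify() checks the submitted password against the stored hash.
$q = $db->prepare('SELECT pw FROM user WHERE uname = ?');
$q->execute(["o'brien"]);
var_dump(password_verify('new-passphrase', $q->fetchColumn()));
```
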
petroz Posted September 6, 2010

I set up a little test.. it's working for me. Is it working for you?

You could add some security questions for starters. Then if you wanted to add more, you could also create a temporary password that is sent to the email, and force the user to type that one in and change it on their next login...

reel_biggy_fish Posted September 6, 2010

Yer, it's working for me now, thanks. Yer, I might add a security question. Would that kinda be like implementing a captcha?

For the temp password I would create a function to create a password, then use UPDATE to update the password, but what would I do when they log in?

petroz Posted September 6, 2010

Great! Captcha would not be a security question.. A security question would be similar to "Your Pet's First Name." Basically, it's a question that only the user would know the answer to.

You wouldn't need to create a function for the new password. You could just do something like this, then update the database with it and email it to the user.

<?php
$time = time();
$random_number = rand(2,10);
$temp_password = substr(md5($time * $random_number), 0, -25);
echo $temp_password;

petroz Posted September 6, 2010

"what would i do when they log in?"

redirect them to a page where they have to change their password..

reel_biggy_fish Posted September 6, 2010

Ahhh, I kinda understand the temp password bit. So when they create a user you create a question and the answer goes into a field in the db, and with the change password bit it doesn't only check the email and username but it checks the security password as well.

The login bit still confuses me. How would they know which user to redirect when you've given them a temp password?

petroz Posted September 6, 2010

This would take a few steps..

First, add three fields to your DB.. Question, Answer and temp. To support the security question, add the question and answer input to your password reset script..

Next, for the temporary password, add some value to the temp field on `user` when the password is reset.. maybe "true". Tell the login script to check if the `temp` field is true or not.. if it is, send the user to a page where they have to reset their password.

Understand?

reel_biggy_fish Posted September 6, 2010

To make life simple, could I have a simple question like name of first school, and then everyone types in the answer for first school?

"Next, for the temporary password, add some value to the temp field on `user` when the password is reset.. maybe "true". Tell the login script to check if the `temp` field is true or not.. if it is, send the user to a page where they have to reset their password. Understand?"

If I understand correctly, I would do an if statement like

if (temp_pw == true) { header(www..........) } else {header (home.php) {

Is that right?

petroz Posted September 6, 2010

I would recommend letting them choose a question and or setting their own.. As for the temp thing, your code snip would be fine.

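The temporary-password flow petroz outlines above, as an added example that is not code from the thread: the temporary value comes from `random_bytes()` rather than `md5(time() * rand())`, only its hash is stored, and the login check reports when a forced change is due. The in-memory SQLite table, the integer `temp` column, the function names and the page names are assumptions.

```php
<?php
// Added example. Constructed in-memory table with the `temp` flag from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (uname TEXT PRIMARY KEY, email TEXT, pw TEXT, temp INTEGER DEFAULT 0)');
$db->prepare('INSERT INTO user (uname, email, pw) VALUES (?, ?, ?)')
   ->execute(['alice', 'alice@example.test', password_hash('old-password', PASSWORD_DEFAULT)]);

// Hypothetical helper: sets a random temporary password and returns it so it can
// be mailed; returns null when the username/email pair is unknown.
function issue_temp_password(PDO $db, string $uname, string $email): ?string
{
    $temp = bin2hex(random_bytes(8)); // 64 bits from the OS CSPRNG, 16 hex characters
    $stmt = $db->prepare('UPDATE user SET pw = ?, temp = 1 WHERE uname = ? AND email = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $uname, $email]);
    return $stmt->rowCount() === 1 ? $temp : null;
}

// Hypothetical helper: page to send the user to after a login attempt.
function login_target(PDO $db, string $uname, string $password): string
{
    $stmt = $db->prepare('SELECT pw, temp FROM user WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw'])) {
        return 'login.php';
    }
    // A set flag means the stored hash is a temporary password: force a change.
    return (int) $row['temp'] === 1 ? 'change_password.php' : 'home.php';
}

// Hypothetical helper for the forced-change page: stores the new hash, clears the flag.
function set_new_password(PDO $db, string $uname, string $new): void
{
    $db->prepare('UPDATE user SET pw = ?, temp = 0 WHERE uname = ?')
       ->execute([password_hash($new, PASSWORD_DEFAULT), $uname]);
}

// Walk through the flow with the constructed user.
$temp = issue_temp_password($db, 'alice', 'alice@example.test');
echo login_target($db, 'alice', 'old-password'), "\n"; // login with the replaced password
echo login_target($db, 'alice', $temp), "\n";          // login with the temporary one
set_new_password($db, 'alice', 'a-new-passphrase');
echo login_target($db, 'alice', 'a-new-passphrase'), "\n"; // login after the change
```

Because the temporary password replaces the stored one, anyone who knows the username/email pair can still invalidate the owner's current password; keeping the old hash and storing an expiring reset value beside it avoids that.
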