Help in php mysql password change code:

[sj005]

Hey all. I am new to this forum and to PHP as a whole. I though I would try to make a login system using php and mysql. The login and register forms work great but I cannot seem to fully figure out how to let a user change their password. My code partially works. When the user types the correct old password and when the two new password forms confirm, the password changes and the database is updated and the user is taken to a page that tells him that his password was successfully changed. However, the problem is when the old password he types is different than the one in the database, the page that states password successfully changed also appears but the password is not changed in the database. The problem is thus with the SELECT statement. Can anyone please help me find whats wrong. It has been tormenting for a few hours now. Thank you in advance. . I used md5 encryption for the passwords. Here is the section of code that comes after the script makes sure that none of the forms are empty and that the passwords confirm  .

 

//Create SELECT query to verify that the old password is correct

$qry="SELECT * FROM members WHERE login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'";

$result = mysql_query($qry);

if($result)

{

//Create UPDATE query to replace old password with new password

$updatepasswd="Update members set passwd='".md5($_POST['npassword'])."' where login='" . $_SESSION['SESS_USERNAME'] . "' AND passwd='".md5($_POST['opassword'])."'";

$update = mysql_query($updatepasswd);

 

//Check whether the query was successful or not

if($update) {

 

header("location: changepasswordsuccess.php");

exit();

}

else {

die("Query failed");

}

}

else

{

header("location: passwordchange-failed.php");

}

[chaseman]

You should validate before you even do the query, like this:

 

if ($oldpassword != $dboldpassword){

echo "incorrect password";

}

 

$oldpassword is the password the user entered into the input field

and $dboldpassword is the password in the database

 

the validation checks if the entered PW matches with the PW in the database, if NOT then it will print out an error.

 

 

Hope that was what you were asking for.

 

And please use code tags next time.

 

 

EDIT: Here's a good video tutorial on register and login system which also explains how to implement a change password function: 

[Veteah]

Also, just to point out, you're using $result incorrectly. All it does is tell you whether the query failed or not, not if it returned any rows like it looks like you're trying to see. For that you should use mysql_num_rows(), but yeah, you should do password verification before you start making queries.

[Pikachu2000]

Just because an UPDATE query completes successfully, doesn't mean it actually changed anything. You'd need to use mysql_affected_rows to determine if any changes were made to the record.

[sj005]

Thanks to all I got it working. It was something really simple, what veteah pointed out. I  replaced $result with mysql_num_rows($result)!=0 and made some other similar small adjustments. I guess i am still in the progress of understanding the different functions of php and mysql.