Jump to content

Recommended Posts

Hi,

 

I'm trying to change the password after logging in to web site. Following is the code that change the password. However, the password is not changing in the table.  Please let me know if I'm making any error in below code.

 

Thanks.

 

 

 


<?php
            			
		$password=mysql_real_escape_string($_POST['newpassword']);
		$password2=mysql_real_escape_string($_POST['confirmnewpassword']);
            

		if ( strlen($password) < 5 or strlen($password) > 12 ){
		echo "Password must be more than 5 char legth and maximum 12 char lenght<BR>";
		} 

		if ( $password <> $password2 ){
		echo "Both passwords are not matching";
		} 

		if($password == $password2){
					if(mysql_query("update users set password='$password' where empid='$_SESSION[login]'")){
		echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password every 2 monthsfor better security</font></center>";
		}
		} 		

Link to comment
https://forums.phpfreaks.com/topic/251313-change-password-code/
Share on other sites

There's no session_start()

You aren't checking if the query failed and produced any errors with mysql_error().

It appears you're storing plaintext passwords in the database? That's a bad idea.

Session is added at the top of the code.  If the password change works for normal password, then I'll be able to do it for sha1 encryption.

 

below is the HTML code:

 


<form name=tracker method=post action=checkpassword.php>

		<table width="100%" border="0" cellpadding="2" cellspacing="2" id="changepass" align="center" style="border-color:#39C; border-width:medium; border-style:outset;">
           
            			
		<tr>
            <td style="text-align:left">Enter your New Password:</td>
            <td><input type="password" name="newpassword" id="newpassword" size='50'/></td>
            </tr>
            
		<tr>
               <td style="text-align:left">Confirm New Password:</td>
               <td><input type="password" name="confirmnewpassword" id="confirmnewpassword" size='50'/></td>
            </tr>
            


		<tr>
            <td scope="row" > </td>
            <td colspan="2"><div id="submit"><input id="changepass" class="mainForm" type="submit" value="Change Password"/></div></td>
            </tr>
            </table>
		</form>

 

 

Below is the login check code that has the login session variable. This file name is checkpassword.php.

 


<?php session_start(); ?>
<?php include_once("includes/connections.php"); ?> 
<?php include_once("functions/funphp.php"); ?>
<?php

if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the  form has been submitted on login.php page
{

$login =  mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
$qstr = "SELECT * from users where empid='$login' and password ='$password'";

$result = mysql_query($qstr);
$_SESSION['login']=$login['login'];

if (mysql_num_rows($result)==1)  
  {

     redirect("home.php");
}
else
{
     echo "<font color=#000000><b>Invalid User Name or Password. <a href=index.php> Click here</a> to go back to the login screen </a></Center></font>";

}
mysql_close();
}
?>

 

 

 

Below is my session code (redirect has a function for Location). This file is included at the top of the checkpassword.php.

 



<?php include_once("functions/funphp.php"); ?>

<?php
session_start();

function logged_in() {
	return isset($_SESSION['login']);
}

function confirm_logged_in() {
	if (!logged_in()) {
		redirect("index.php");
	}
}
?>

Give this a go.  NOTE: This should all be happening before anything is sent to the browser so I would change the error message to a variable to echo within body tags.

<?php 
session_start();
include_once("includes/connections.php");
include_once("functions/funphp.php");

if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the  form has been submitted on login.php page
{

$login =  mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
$qstr = "SELECT * from users where empid='$login' and password ='$password'";

$result = mysql_query($qstr);

if (mysql_num_rows($result)==1)  
  {
  //I don't believe $login['login'] is correct.  
  //Also don't set the session unless you get a result.
$_SESSION['login']=$_POST['login'];

     redirect("home.php");
}
else
{
     $loginerror="<span style=\"color:#000000\"><b>Invalid User Name or Password.</b> <a href=index.php> Click here</a> to go back to the login screen </span>";

}
mysql_close();
}
?>

Yes, you're absolutely right. When I echo the session variable, it only printed one digit. My user id is a 10 digit code.

 

Please check if I'm making any error while creating the session..

 


<?php session_start(); ?>
<?php include_once("includes/connections.php"); ?> 
<?php include_once("functions/funphp.php"); ?>
<?php

if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the  form has been submitted on login.php page
{

$login =  mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
$qstr = "SELECT * from users where empid='$login' and password ='$password'";

$result = mysql_query($qstr);
$_SESSION['login']=$login['login'];
$_SESSION['username'] = $username['username'];
if (mysql_num_rows($result)==1)  
  {

     redirect("home.php");
}
else
{
     echo "<font color=#000000><b>Invalid User Name or Password. <a href=index.php> Click here</a> to go back to the login screen </a></Center></font>";

}
mysql_close();
}
?>


Is there a reason you're using array syntax here:

 

<?php
//...

$_SESSION['login']=$login['login'];
$_SESSION['username'] = $username['username'];

//...
?>

 

 

Maybe I'm missing something, but isn't $login a plain variable. Also, where does $username come from?  :confused:

Ah, so you can use array syntax on regular variables. But it treats the variable as an array of characters. To see what happens, try this out:

 

<?php
$test = 'abs';
print $test['test'] . '<br />';
print $test;
?>

 

 

That would explain why you're only getting the first character.

In the sample code I posted, I moved the session till after verification of the user and used the $_POST value because you have mysql_real_escape_string on the variable $login.

 

if (mysql_num_rows($result)==1)  
  {
  //I don't believe $login['login'] is correct.  
  //Also don't set the session unless you get a result.
$_SESSION['login']=$_POST['login'];

     redirect("home.php");
}
else
{etc

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.