Jump to content

Recommended Posts

Hello. I have this change password script but when I type something into the existing password box and leave the new password and confirm new password box blank it says the password has been changed. If I leave all boxes blank it says all fields are required (which is what I want it to say unless ALL boxes have been filled in). Also, if I do type in all 3 boxes it says the password has been changed but it doesn't even change it. I have set it as SHA1 but still no luck, it still allows me to log in with the existing password.

 

else if($_POST['submit']=='Doit')
{
  // Checking whether the Login form has been submitted

  $err = array();
  // Will hold our errors
  if(!count($err))
  {
  $_POST['password2'] = mysql_real_escape_string($_POST['password2']);
  $_POST['password3'] = mysql_real_escape_string($_POST['password3']);
  $_POST['password4'] = mysql_real_escape_string($_POST['password4']);

  // Escaping all input data
  }

  if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
  {
  $err[] = 'All fields are required.';
  }

  $row = mysql_fetch_assoc(mysql_query("SELECT * FROM playerdata WHERE user='{$_SESSION['user']}' AND password='".sha1($_POST['password2'])."'"));
 if($row['user'])
 {
    	  if($_POST['password3'] == $_POST['password4'])
    	  {
	   // If everything is OK login
	   	  $pass = substr(sha1($_POST['password3']));
	   	  mysql_query("   INSERT INTO playerdata(user,password)
		     VALUES(

			    '".$_SESSION['user']."',
		        '".sha1($_POST['password3'])."'

		  	  )");

	   	  $_SESSION['msg']['change-success']='Your existing password has been changed. '.$pass;
    	  }
    	  else $err[] = 'Your new passwords do not match.';

	 // Store some data in the session		 
    }
    else $err[]='You have entered an invalid existing password.';

  if($err)
  $_SESSION['msg']['change-err'] = implode('<br />',$err);
  // Save the error messages in the session

  header("Location: http://127.0.0.1/");
  exit;
}

Edited by Aphex
Link to comment
https://forums.phpfreaks.com/topic/273500-change-password-half-working/
Share on other sites

You set the error array to be empty, then check if there's something in it (spoiler: there won't be), then add errors to it, then completely ignore whether there were errors and continue on regardless.

It also seems like you have something which looks for a change-success message and, if present, ignores any change-err messages.

 

[edit] Also,

$pass = substr(sha1($_POST['password3']));

Don't know what that's supposed to do but since you didn't give a second argument to substr() $pass will be null or false, and

$_SESSION['msg']['change-success']='Your existing password has been changed. '.$pass;

I assume you add in the $pass for debugging? Which won't work because of the whole "null or false" thing.

Edited by requinix

Update.

I forgot to use "UPDATE" query instead of "INSERT" as the user would have already been added in order for the change pass function to work, so I got that working where it changes the password to SHA1 and adds it to the database successfully.

Now it's just the matter of it detecting whether all fields have been filled in even if two has and one hasn't.

 

else if($_POST['submit']=='Doit')
{
// Checking whether the Change Pass form has been submitted

$err = array();
// Will hold our errors
if(!count($err))
{
 $_POST['password2'] = mysql_real_escape_string($_POST['password2']);
 $_POST['password3'] = mysql_real_escape_string($_POST['password3']);
 $_POST['password4'] = mysql_real_escape_string($_POST['password4']);

 // Escaping all input data
}

if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
{
 $err[] = 'All fields are required.';
}
$pass = $_POST['password3'];
$row = mysql_fetch_assoc(mysql_query("SELECT * FROM playerdata WHERE user='{$_SESSION['user']}' AND password='".sha1($_POST['password2'])."'"));
  if($row['user'])
  {
  if($_POST['password3'] == $_POST['password4'])
  {
   mysql_query("UPDATE playerdata SET password='".sha1($_POST['password3'])."' WHERE user='{$_SESSION['user']}'");

   $_SESSION['msg']['change-success']='Your password has been successfully changed to '.$pass;
  }
  else $err[] = 'Your new passwords do not match.';

  // Store some data in the session  
   }
   else $err[]='You have entered an invalid existing password.';

if($err)
$_SESSION['msg']['change-err'] = implode('<br />',$err);
// Save the error messages in the session
header("Location: http://127.0.0.1/");
exit;
}

 

This works when no fields are filled in:

 

   if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
   {
       $err[] = 'All fields are required.';
   }

 

But I need this to happen if only one or two fields have been filled in (there's three fields altogether, "Existing Password, New Password and Confirm New Password")

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.