Change Password Half Working


Aphex

Hello. I have this change password script but when I type something into the existing password box and leave the new password and confirm new password box blank it says the password has been changed. If I leave all boxes blank it says all fields are required (which is what I want it to say unless ALL boxes have been filled in). Also, if I do type in all 3 boxes it says the password has been changed but it doesn't even change it. I have set it as SHA1 but still no luck, it still allows me to log in with the existing password.

 

else if($_POST['submit']=='Doit')
{
  // Checking whether the Login form has been submitted

  $err = array();
  // Will hold our errors
  if(!count($err))
  {
    $_POST['password2'] = mysql_real_escape_string($_POST['password2']);
    $_POST['password3'] = mysql_real_escape_string($_POST['password3']);
    $_POST['password4'] = mysql_real_escape_string($_POST['password4']);

    // Escaping all input data
  }

  if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
  {
    $err[] = 'All fields are required.';
  }

  $row = mysql_fetch_assoc(mysql_query("SELECT * FROM playerdata WHERE user='{$_SESSION['user']}' AND password='".sha1($_POST['password2'])."'"));
  if($row['user'])
  {
    if($_POST['password3'] == $_POST['password4'])
    {
      // If everything is OK login
      $pass = substr(sha1($_POST['password3']));
      mysql_query("   INSERT INTO playerdata(user,password)
                      VALUES(

                        '".$_SESSION['user']."',
                        '".sha1($_POST['password3'])."'

                      )");

      $_SESSION['msg']['change-success']='Your existing password has been changed. '.$pass;
    }
    else $err[] = 'Your new passwords do not match.';

    // Store some data in the session
  }
  else $err[]='You have entered an invalid existing password.';

  if($err)
    $_SESSION['msg']['change-err'] = implode('<br />',$err);
  // Save the error messages in the session

  header("Location: http://127.0.0.1/");
  exit;
}

Edited by Aphex

You set the error array to be empty, then check if there's something in it (spoiler: there won't be), then add errors to it, then completely ignore whether there were errors and continue on regardless.

It also seems like you have something which looks for a change-success message and, if present, ignores any change-err messages.

 

[edit] Also,

$pass = substr(sha1($_POST['password3']));

Don't know what that's supposed to do but since you didn't give a second argument to substr() $pass will be null or false, and

$_SESSION['msg']['change-success']='Your existing password has been changed. '.$pass;

I assume you add in the $pass for debugging? Which won't work because of the whole "null or false" thing.

Edited by requinix

Update.

I forgot to use "UPDATE" query instead of "INSERT" as the user would have already been added in order for the change pass function to work, so I got that working where it changes the password to SHA1 and adds it to the database successfully.

Now it's just the matter of it detecting whether all fields have been filled in even if two have and one hasn't.

 

else if($_POST['submit']=='Doit')
{
  // Checking whether the Change Pass form has been submitted

  $err = array();
  // Will hold our errors
  if(!count($err))
  {
    $_POST['password2'] = mysql_real_escape_string($_POST['password2']);
    $_POST['password3'] = mysql_real_escape_string($_POST['password3']);
    $_POST['password4'] = mysql_real_escape_string($_POST['password4']);

    // Escaping all input data
  }

  if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
  {
    $err[] = 'All fields are required.';
  }
  $pass = $_POST['password3'];
  $row = mysql_fetch_assoc(mysql_query("SELECT * FROM playerdata WHERE user='{$_SESSION['user']}' AND password='".sha1($_POST['password2'])."'"));
  if($row['user'])
  {
    if($_POST['password3'] == $_POST['password4'])
    {
      mysql_query("UPDATE playerdata SET password='".sha1($_POST['password3'])."' WHERE user='{$_SESSION['user']}'");

      $_SESSION['msg']['change-success']='Your password has been successfully changed to '.$pass;
    }
    else $err[] = 'Your new passwords do not match.';

    // Store some data in the session
  }
  else $err[]='You have entered an invalid existing password.';

  if($err)
    $_SESSION['msg']['change-err'] = implode('<br />',$err);
  // Save the error messages in the session
  header("Location: http://127.0.0.1/");
  exit;
}

 

This works when no fields are filled in:

 

   if(!$_POST['password2'] || !$_POST['password3'] || !$_POST['password4'])
   {
       $err[] = 'All fields are required.';
   }

 

But I need this to happen if only one or two fields have been filled in (there's three fields altogether, "Existing Password, New Password and Confirm New Password")
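
Added example, not part of the original thread or any poster's code: one way to make the handler stop at the first failed check, so that a partly filled form can never reach the UPDATE. It uses password_hash()/password_verify() and PDO prepared statements in place of the thread's sha1() and mysql_* calls; the function name changePassword(), the in-memory SQLite database (needs pdo_sqlite) and the sample account are assumptions made for the demonstration.

```php
<?php
// Added example. Field names (password2/3/4) and the playerdata table with its
// user/password columns come from the thread; changePassword(), the SQLite
// in-memory database and the sample account are constructed for illustration.

function changePassword(PDO $db, string $user, array $post): array
{
    $current = (string)($post['password2'] ?? '');
    $new     = (string)($post['password3'] ?? '');
    $confirm = (string)($post['password4'] ?? '');

    // Any single empty field is an error, and an error ends processing here.
    if ($current === '' || $new === '' || $confirm === '') {
        return ['All fields are required.'];
    }
    if ($new !== $confirm) {
        return ['Your new passwords do not match.'];
    }

    // Fetch the stored hash with a bound parameter, then verify it in PHP.
    $stmt = $db->prepare('SELECT password FROM playerdata WHERE user = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, $hash)) {
        return ['You have entered an invalid existing password.'];
    }

    // Only reached when every check above has passed.
    $stmt = $db->prepare('UPDATE playerdata SET password = ? WHERE user = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return [];
}

// Constructed demo data: one account whose current password is "old-secret".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE playerdata (user TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO playerdata VALUES (?, ?)')
   ->execute(['aphex', password_hash('old-secret', PASSWORD_DEFAULT)]);

$cases = [ // one field filled, mismatched confirmation, fully valid
    ['password2' => 'old-secret', 'password3' => '', 'password4' => ''],
    ['password2' => 'old-secret', 'password3' => 'new-secret', 'password4' => 'new-secert'],
    ['password2' => 'old-secret', 'password3' => 'new-secret', 'password4' => 'new-secret'],
];
foreach ($cases as $post) {
    $err = changePassword($db, 'aphex', $post);
    echo $err ? implode('<br />', $err) : 'Password changed.', PHP_EOL;
}
```

In the session-based handler from the thread, the returned array would go into $_SESSION['msg']['change-err'], with the change-success message set only when the array is empty and without the new password in it.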
