I-AM-OBODO Posted January 28, 2013 Share Posted January 28, 2013 Hi all, I've been battling with this for a while and I don't know why I'm not getting it right. I want a user to be able to change their password. The problem is that I don't know why its not checking the database for the old password but it just changes the password straight up even when its not the correct old password. Thanks in advance Here is my code: <?php if(isset($_POST['submit'])){ $oldpwd = $_POST['oldpwd']; $newpwd = $_POST['newpwd']; $newpwd2 = $_POST['newpwd2']; if($oldpwd == ""){ $err1 = "<font color=red><strong>Current Password Empty</strong></font>"; } if($newpwd == ""){ $err2 = "<font color=red><strong>New Password Empty</strong></font>"; } elseif(strlen($_POST['newpwd']) <= 5){ $err3 = "<font color=red><strong>Password Must Be More Than 5 Characters</strong></font>"; } elseif($newpwd2 == ""){ $err4 = "<font color=red><strong>Confirm Password Empty</strong></font>"; } elseif($newpwd != $newpwd2){ $err5 = "<font color=red><strong>Password Do Not Match</strong></font>"; } else{ $checkold = "SELECT password FROM reg_users WHERE username = '$_SESSION[username]' AND password = '".md5($_POST['newpwd'])."'"; $reslt = mysql_query($checkold); if($reslt){ if(mysql_num_rows($reslt) != 1) { echo "Unrecognized User or Password"; }else{ $query = "UPDATE reg_users SET password = '".md5($_POST['newpwd'])."' WHERE username = '$_SESSION[username]' "; $result = mysql_query($query); $pass_changed = "<font color=blue><strong>Password Changed.</strong></font>"; $wrong = "<font color=red><strong>Something went wrong</strong></font>"; if ($result){ echo $pass_changed; } else{ echo $wrong; } } } } } ?> Quote Link to comment Share on other sites More sharing options...
dpiearcy Posted January 28, 2013 Share Posted January 28, 2013 echo $reslt and what do you get? Quote Link to comment Share on other sites More sharing options...
I-AM-OBODO Posted January 28, 2013 Author Share Posted January 28, 2013 echo @reslt didn't echo anything. Quote Link to comment Share on other sites More sharing options...
dpiearcy Posted January 28, 2013 Share Posted January 28, 2013 That's because you are looking for a row that matches what the new password is. $checkold = "SELECT password FROM reg_users WHERE username = '$_SESSION[username]' AND password = '".md5($_POST['newpwd'])."'"; Select password that matches username then deal with your file handling after you have that information. Then you can check to see if the old password matches what you have in the database etc. and deal with the change from that point. Quote Link to comment Share on other sites More sharing options...
dpiearcy Posted January 28, 2013 Share Posted January 28, 2013 You might also want to read this. http://php.net/manual/en/faq.passwords.php Concerning your use of md5 for password hashing. Quote Link to comment Share on other sites More sharing options...
Christian F. Posted January 28, 2013 Share Posted January 28, 2013 Alternatively, this site, as it's bit more up-to-date. In addition to that, you can also read this article about secure login systems. Both of them combined should provide you with all of the information you need to make a proper & secure login system. Quote Link to comment Share on other sites More sharing options...
I-AM-OBODO Posted January 29, 2013 Author Share Posted January 29, 2013 Thanks @dpiearcy. I found that I was actually checking for new password instead of the old one. It ought to select from where old instead of select from where new. Oversight! thanks Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.