Jump to content

Recommended Posts

Hi guys

I am having all sorts of problems with my script. I want the script to check current password before allowing member to change their password to a new one. My script is failing to check their old password and also to match their new password with confirm new password. I am still new in php and I am using mysqli please help. I will be adding security later on.

 

<?php 
include_once("Mydbtable.php");
if(isset($_POST['submit'])) {
      $Old_pwd=$_POST['Oldpass'];
      $New_pwd=$_POST['pass1'];
      $confirm_pwd=$_POST['pass2'];
      $data_pwd=$fetch['Oldpass'];
      $email=$fetch['email'];


 $sql = "SELECT * FROM MembersTable WHERE email = '$email' AND password = '$Old_pwd' ";
 $result = mysqli_query($Mydbtable, $sql); 


      if($New_pwd==confirm_pwd && $data_pwd==$Oldpass){
   $sql = "UPDATE MembersTable SET password = '$New_pwd' WHERE email = '$email' ";
$result = mysqli_query($Mydbtable, $sql); 
 $msg="password changed";
        }
      else {
  if($pass1 == "" || $pass2 == ""){
$msg= "Passwords do not match.  Please GO BACK and try again.";
exit();
}  
}
      ?>


<form method="post" name="change">
<?php echo $msg; ?>
<p>old password<br />
<input type="password" name="Oldpass"  id="Oldpass" /></p>
<p>New password<br />
<input type="password" name="pass1"  id="pass1" />
</p>
<p>Confirm password<br />
<input type="password" name="pass2" id="pass2" />
</p>
<p>
<input name="submit" type="submit" value="Save Password" />
</p>
</form>

 

Link to comment
https://forums.phpfreaks.com/topic/281851-password-change/
Share on other sites

Try these code changes...

 

<?php 


include_once("Mydbtable.php");


if(isset($_POST['submit'])) {


$Old_pwd=$_POST['Oldpass'];
$New_pwd=$_POST['pass1'];
$confirm_pwd=$_POST['pass2'];
#$data_pwd=$fetch['Oldpass']; #you don't need this
$email=$fetch['email'];


if($New_pwd != $confirm_pwd) {
$msg= "Passwords do not match. Please GO BACK and try again.";
}
else {
#Binary keyword make sure that the password is case-sensitive
$sql = "SELECT * FROM MembersTable WHERE email = '$email' AND BINARY password = BINARY '$Old_pwd' ";
$result = mysqli_query($Mydbtable, $sql); 
if(mysqli_num_rows($result) == 0) {
$msg= "Passwords do not match. Please GO BACK and try again.";
}
else {
$sql = "UPDATE MembersTable SET password = '$New_pwd' WHERE email = '$email' ";
$result = mysqli_query($Mydbtable, $sql); 
$msg="Password successfully changed";
}
}
}
?>


<form method="post" name="change">
<?php echo $msg; ?>
<p>old password<br />
<input type="password" name="Oldpass"  id="Oldpass" /></p>
<p>New password<br />
<input type="password" name="pass1"  id="pass1" />
</p>
<p>Confirm password<br />
<input type="password" name="pass2" id="pass2" />
</p>
<p>
<input name="submit" type="submit" value="Save Password" />
</p>
</form>
Link to comment
https://forums.phpfreaks.com/topic/281851-password-change/#findComment-1448154
Share on other sites

some points about the code -

 

1) the user messages should be unique and descriptive. they are currently the same message and vague. the message if the new password and the confirmed/retyped password don't match should clearly state that those two passwords don't match. the message if the email/old password was not valid/not found should clearly state that either or both the email/old password are not valid.

 

2) you need to ALWAYS have logic in your code to test if your database queries work before trying to use the data from that query. if your SELECT query is failing due to an error, there will be zero matching rows and the current logic will report that the Passwords do not match. that's not true. there may in fact be a matching row, but you cannot tell because the query didn't work at all and the code cannot perform the requested action. only after the query has executed successful, would zero matching rows mean that the email/old password were valid/found.

 

3) when you originally stored the passwords in the table, did you perform any hashing of the password? if so, you must apply that same hashing method to the old password when you test if it matches the existing password in your table and and you must apply that same hashing method to the new password when you update/store it in the table.

Link to comment
https://forums.phpfreaks.com/topic/281851-password-change/#findComment-1448256
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.