
Password change


kayz100


Hi guys

I am having all sorts of problems with my script. I want the script to check the current password before allowing a member to change their password to a new one. My script is failing to check their old password and also to match their new password with the confirmed new password. I am still new to PHP and I am using mysqli, please help. I will be adding security later on.


<?php
include_once("Mydbtable.php");
if(isset($_POST['submit'])) {
    $Old_pwd=$_POST['Oldpass'];
    $New_pwd=$_POST['pass1'];
    $confirm_pwd=$_POST['pass2'];
    $data_pwd=$fetch['Oldpass'];
    $email=$fetch['email'];

    $sql = "SELECT * FROM MembersTable WHERE email = '$email' AND password = '$Old_pwd' ";
    $result = mysqli_query($Mydbtable, $sql);

    if($New_pwd==confirm_pwd && $data_pwd==$Oldpass){
        $sql = "UPDATE MembersTable SET password = '$New_pwd' WHERE email = '$email' ";
        $result = mysqli_query($Mydbtable, $sql);
        $msg="password changed";
    }
    else {
        if($pass1 == "" || $pass2 == ""){
            $msg= "Passwords do not match.  Please GO BACK and try again.";
            exit();
        }
    }
}
?>


<form method="post" name="change">
<?php echo $msg; ?>
<p>old password<br />
<input type="password" name="Oldpass"  id="Oldpass" /></p>
<p>New password<br />
<input type="password" name="pass1"  id="pass1" />
</p>
<p>Confirm password<br />
<input type="password" name="pass2" id="pass2" />
</p>
<p>
<input name="submit" type="submit" value="Save Password" />
</p>
</form>



Try these code changes...


<?php
include_once("Mydbtable.php");
$msg = "";   # initialised so the form below can echo $msg on a plain GET as well
if(isset($_POST['submit'])) {
    $Old_pwd=$_POST['Oldpass'];
    $New_pwd=$_POST['pass1'];
    $confirm_pwd=$_POST['pass2'];
    #$data_pwd=$fetch['Oldpass']; #you don't need this
    $email=$fetch['email'];   # $fetch is assumed to be populated by Mydbtable.php

    if($New_pwd != $confirm_pwd) {
        $msg= "Passwords do not match. Please GO BACK and try again.";
    }
    else {
        #the BINARY keyword makes sure that the password comparison is case-sensitive
        $sql = "SELECT * FROM MembersTable WHERE email = '$email' AND BINARY password = BINARY '$Old_pwd' ";
        $result = mysqli_query($Mydbtable, $sql);
        if(mysqli_num_rows($result) == 0) {
            $msg= "Passwords do not match. Please GO BACK and try again.";
        }
        else {
            $sql = "UPDATE MembersTable SET password = '$New_pwd' WHERE email = '$email' ";
            $result = mysqli_query($Mydbtable, $sql);
            $msg="Password successfully changed";
        }
    }
}
?>


<form method="post" name="change">
<?php echo $msg; ?>
<p>old password<br />
<input type="password" name="Oldpass"  id="Oldpass" /></p>
<p>New password<br />
<input type="password" name="pass1"  id="pass1" />
</p>
<p>Confirm password<br />
<input type="password" name="pass2" id="pass2" />
</p>
<p>
<input name="submit" type="submit" value="Save Password" />
</p>
</form>

some points about the code -


1) The user messages should be unique and descriptive. They are currently the same message and vague. The message if the new password and the confirmed/retyped password don't match should clearly state that those two passwords don't match. The message if the email/old password was not valid/not found should clearly state that either or both of the email/old password are not valid.


2) You need to ALWAYS have logic in your code to test if your database queries work before trying to use the data from that query. If your SELECT query is failing due to an error, there will be zero matching rows and the current logic will report that the passwords do not match. That's not true: there may in fact be a matching row, but you cannot tell because the query didn't work at all and the code cannot perform the requested action. Only after the query has executed successfully would zero matching rows mean that the email/old password were valid/found.


3) When you originally stored the passwords in the table, did you perform any hashing of the password? If so, you must apply that same hashing method to the old password when you test if it matches the existing password in your table, and you must apply that same hashing method to the new password when you update/store it in the table.
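A version of the handler that applies all three points above (distinct messages, checking that the queries actually ran, and hashed passwords), added here as an example; it is not code from the thread or from any poster. It assumes Mydbtable.php provides the mysqli connection $Mydbtable, that MembersTable has columns email and password (holding password_hash() output), and that the logged-in member's email is kept in $_SESSION['email'] rather than taken from the form.

```php
<?php
// Added example, not code from the thread: a password-change handler that applies the
// three points above (distinct messages, query-failure checks, hashed passwords).
// Assumptions: Mydbtable.php provides the mysqli connection $Mydbtable, MembersTable
// has columns email and password (the latter holding password_hash() output), and the
// logged-in member's email is in $_SESSION['email'] rather than coming from the form.
session_start();
include_once("Mydbtable.php");
// Make failed queries throw instead of silently returning false (point 2 above).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function change_password(mysqli $db, string $email, string $old, string $new, string $confirm): string
{
    if ($old === '' || $new === '') {
        return "The old password and the new password are both required.";
    }
    if ($new !== $confirm) {
        return "The new password and the confirmation password do not match.";
    }
    // Fetch the stored hash with a bound parameter; the password never goes into SQL text.
    $stmt = $db->prepare("SELECT password FROM MembersTable WHERE email = ?");
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    // password_verify() checks the old password against the stored hash (point 3 above).
    if ($row === null || !password_verify($old, $row['password'])) {
        return "The email or the old password is not valid.";
    }
    $hash = password_hash($new, PASSWORD_DEFAULT);   // fresh salt on every change
    $stmt = $db->prepare("UPDATE MembersTable SET password = ? WHERE email = ?");
    $stmt->bind_param("ss", $hash, $email);
    $stmt->execute();
    // The query ran (or threw), so zero affected rows now really means nothing was updated.
    return $stmt->affected_rows === 1 ? "Password successfully changed."
                                       : "Password could not be updated.";
}

$msg = '';
if (isset($_POST['submit'])) {
    try {
        $msg = change_password($Mydbtable, $_SESSION['email'] ?? '',
            $_POST['Oldpass'] ?? '', $_POST['pass1'] ?? '', $_POST['pass2'] ?? '');
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage());   // keep the real database error server-side only
        $msg = "A database error occurred. Please try again later.";
    }
}
?>
```

When echoing $msg into the form, wrap it in htmlspecialchars() so that message text is never interpreted as HTML.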
