virtuexru Posted March 7, 2007

I made a form for users to update new passwords. Any huge security flaws here?

<?
include 'config.php';
include 'opendb.php';

$username = $_POST['txtUserId'];
$oldpw    = $_POST['OldPassword'];
$newpw    = $_POST['NEWPW1'];
$newpwv   = $_POST['NEWPW2'];

if (($newpw) != ($newpwv)) {
    echo "Password doesn't match.";
    die();
}

$min_length = 6;
if (strlen($newpw) < $min_length) {
    echo "Password not long enough, minimum 6 characters.";
    die();
}

// Checks the old password against the stored OLD_PASSWORD() hash
$sql = "SELECT user_id FROM tbl_auth_user WHERE user_id = '$username' AND user_password = OLD_PASSWORD('$oldpw')";
$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // Hash the new password (the original read sha1($password), an undefined variable)
    $newpassword = sha1($newpw);
    $query = "UPDATE tbl_auth_user SET user_password = '$newpassword' WHERE user_id = '$username'";
    mysql_query($query) or die('Error, query failed');
    echo "Update successful";
} else {
    echo "Old password not correct or username does not exist.";
}

include 'closedb.php';
?>

https://forums.phpfreaks.com/topic/41665-visible-flaws-in-this-form/
Ninjakreborn Posted March 7, 2007

Clean the variables.
virtuexru (Author) Posted March 7, 2007

How do I do that? (stupid question).
neoform Posted March 7, 2007

$value = mysql_real_escape_string($_POST['value']) for each of them, and always make sure you have quotes around each value in the mysql query.
Ninjakreborn Posted March 7, 2007

Well, only use mysql_real_escape_string if magic quotes is disabled (you have to run phpinfo() to find that out). If you ever think they are going to be "output" to a browser, you need to run them through something that will clean javascript, php, and/or xhtml text. Since it is just a username and password, you might want to clean it for specific characters (like mysql wildcards).
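The replies above cover escaping the inputs and escaping the output. The following is an added example, not code from anyone in this thread, showing the same password-change form written so that user input never reaches the SQL text at all (prepared statements with bound parameters) and passwords are stored with PHP's password_hash() rather than OLD_PASSWORD() or an unsalted sha1(). It assumes PHP 7.0 or later with the PDO MySQL driver, the tbl_auth_user table with user_id and user_password columns from the original post, and placeholder connection details (host, database name and credentials are made up for the example).

```php
<?php
// Added example: password-change handler built on prepared statements and
// password_hash()/password_verify(). Not the original poster's code.
// Assumptions: PHP >= 7.0, PDO MySQL driver, table tbl_auth_user(user_id, user_password).
declare(strict_types=1);

function change_password(PDO $pdo, string $username, string $oldpw, string $newpw, string $newpwv): string
{
    $min_length = 6;
    if ($newpw !== $newpwv) {
        return "Password doesn't match.";
    }
    if (strlen($newpw) < $min_length) {
        return "Password not long enough, minimum $min_length characters.";
    }

    // Bound parameters: the driver sends the value separately from the query text,
    // so quotes or SQL keywords in the username cannot change the statement.
    $stmt = $pdo->prepare('SELECT user_password FROM tbl_auth_user WHERE user_id = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // One message for both "no such user" and "wrong password", so the form does
    // not confirm which usernames exist.
    if ($row === false || !password_verify($oldpw, $row['user_password'])) {
        return 'Old password not correct or username does not exist.';
    }

    // password_hash() picks a salt and a slow algorithm (bcrypt by default) for us.
    $hash = password_hash($newpw, PASSWORD_DEFAULT);
    $upd = $pdo->prepare('UPDATE tbl_auth_user SET user_password = :hash WHERE user_id = :user');
    $upd->execute([':hash' => $hash, ':user' => $username]);

    return 'Update successful';
}

// Connection details are placeholders for the example.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$msg = change_password(
    $pdo,
    $_POST['txtUserId']   ?? '',
    $_POST['OldPassword'] ?? '',
    $_POST['NEWPW1']      ?? '',
    $_POST['NEWPW2']      ?? ''
);

// Escape on output, so whatever ends up in the message cannot be rendered as HTML or script.
echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
```

Two points worth noting. First, rows that were hashed with MySQL's OLD_PASSWORD() will not pass password_verify(), so an existing table has to be migrated (for example, re-hashing each user's password with password_hash() the next time they log in successfully against the old check). Second, with ATTR_EMULATE_PREPARES turned off, PDO never interpolates the bound values into the query string, which is what makes the magic-quotes question from the thread irrelevant here.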