Ell20 Posted November 6, 2007

Hey, I'm working on a change password.php. I want the user to have to type in their original password then their new password, followed by the confirmed new password. I have pretty much written the code to do this; however, the password which is stored in the database is encrypted using PASSWORD ('$password') at registration. This means that when I attempt to match the password in the database with the current password they do not match. How can I do this? I assume it must be something to do with how the current password is retrieved from the database, so here is my code to retrieve the password from the database:

$password = mysql_query("SELECT password FROM users WHERE user_id = '$uid'") OR DIE(mysql_error());
$row = mysql_fetch_assoc($password);
$password = $row['password'];

I displayed the contents of what each variable contained to check and this is what I was given:

Passowrd in DB: 37e455b94f62fb0d
Current password to match password in DB: comps10
Typed in new password: hello
Confirmation of password typed in: hello

Cheers

rajivgonsalves Posted November 6, 2007

SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')

This should do it in one query.

MadTechie Posted November 6, 2007

Try this:

$password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')") OR DIE(mysql_error());
if(mysql_num_rows($password)>0)
{
    //valid
}

It should be the same as the login script.

Ell20 Posted November 6, 2007 (Author)

I'm afraid I still can't do it. All I want to do is take the password value from the users table and store it in variable $password in its normal form?

Cheers

MadTechie Posted November 6, 2007

Well, that's a security risk.. if you do do that then just remove the one-way encryption.. but you'll need to reset all the passwords.

PS the examples above should work..

revraz Posted November 6, 2007

Why do people use PASSWORD instead of md5 or sha1? What will you do if your DB crashes or they move you to a different sql server?

Ell20 Posted November 6, 2007 (Author)

The query you have given me gives a result of Resource id #9, which won't work for this situation? When the user types in the current password to see if the password matches that in the DB it is not encrypted, as it never enters the DB; it's just a variable used to check whether the 2 match. I'm getting confused about this now. I have the rest of the code in place to check they all match, I just can't get the current password to match what is in the database!

Cheers

MadTechie Posted November 6, 2007

> The query you have given me gives a result of Resource id #9, which won't work for this situation?

Erm, you did something wrong.. post what you have.

Ell20 Posted November 6, 2007 (Author)

> Why do people use PASSWORD instead of md5 or sha1? What will you do if your DB crashes or they move you to a different sql server?

I use it because I have only been doing PHP for 1 week and that is just what I saw from the book I was learning from. Not everyone is a professional.

Elliot

Ell20 Posted November 6, 2007 (Author)

<?php
if (isset($_POST['submit2'])) {
    $oldpassword = escape_data($_POST['oldpassword']);
    $newpassword = escape_data($_POST['newpassword']);
    $confirmnew = escape_data($_POST['confirmnew']);
    $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')") OR DIE(mysql_error());
    if ($oldpassword == $password) {
        if ($newpassword == $confirmnew) {
            $update = "UPDATE users SET password='$confirmnew' where user_id='$uid'" or die(mysql_error());
            mysql_query($update) or die(mysql_error());
            echo '<h3>Password Changed!</h3>';
        } else {
            echo '<h3>New password and confirmed password to not match</h3>';
        }
    } else {
        echo '<h3>Current passwords do not match</h3>';
    }
}
?>

Thanks

MadTechie Posted November 6, 2007

Try this:

<?php
if (isset($_POST['submit2'])) {
    $oldpassword = escape_data($_POST['oldpassword']);
    $newpassword = escape_data($_POST['newpassword']);
    $confirmnew = escape_data($_POST['confirmnew']);
    //WHERE is $uid coming from ?
    $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = 'PASSWORD('$password')'") OR DIE(mysql_error());
    if(mysql_num_rows($password)>0) {
        if ($newpassword == $confirmnew) {
            $update = "UPDATE users SET password = 'PASSWORD('$password')' where user_id='$uid'" or die(mysql_error());
            mysql_query($update) or die(mysql_error());
            echo '<h3>Password Changed!</h3>';
        } else {
            echo '<h3>New password and confirmed password to not match</h3>';
        }
    } else {
        echo '<h3>Current passwords do not match</h3>';
    }
}
?>

EDIT: quick fix. WHERE is $uid coming from?

trq Posted November 6, 2007

You really ought to remove any references to the mysql PASSWORD function from all your code as well. It's not meant to be used externally, but is an internal mysql function. It will break your code if you ever need to upgrade your mysql server.

Ell20 Posted November 6, 2007 (Author)

$uid is a function which gets the details for the user logged in.

An error occured in script c:\program files\easyphp1-8\www\html\personal.php on line 170: Undefined variable: password

Line 170:

$password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')")

MadTechie Posted November 6, 2007

> $uid is a function which gets the details for the user logged in.

What.. $uid is NOT a function! Where is it set?

<?php
if (isset($_POST['submit2'])) {
    $oldpassword = escape_data($_POST['oldpassword']);
    $newpassword = escape_data($_POST['newpassword']);
    $confirmnew = escape_data($_POST['confirmnew']);
    //WHERE is $uid coming from ?
    $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = 'PASSWORD('$confirmnew')'") OR DIE(mysql_error());
    if(mysql_num_rows($password)>0) {
        if ($newpassword == $confirmnew) {
            $update = "UPDATE users SET password = 'PASSWORD('$newpassword')' where user_id='$uid'" or die(mysql_error());
            mysql_query($update) or die(mysql_error());
            echo '<h3>Password Changed!</h3>';
        } else {
            echo '<h3>New password and confirmed password to not match</h3>';
        }
    } else {
        echo '<h3>Current passwords do not match</h3>';
    }
}
?>

Ell20 Posted November 6, 2007 (Author)

Sorry, got confused with the variable name. $uid is the user_id of the user who is logged in:

$uid = $_SESSION['user_id'];

Ell20 Posted November 6, 2007 (Author)

Latest error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hello')'' at line 1

Cheers

MadTechie Posted November 6, 2007

'PASSWORD('$confirmnew')' to PASSWORD('$confirmnew')
'PASSWORD('$newpassword')' to PASSWORD('$newpassword')

Ell20 Posted November 6, 2007 (Author)

Thanks a lot, had to change the first query variable to password = PASSWORD('$oldpassword')" but it's working now, thanks a lot for your help.

Elliot

revraz Posted November 6, 2007

Now go and change all of your PASSWORD entries to either sha1 or md5

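The change-password check worked out in this thread, as an added example that is not part of any post: the typed current password is verified against the stored hash, and only then is a hash of the new password written. It uses PHP's password_hash()/password_verify() and PDO placeholders in place of the thread's PASSWORD() and mysql_query() calls; the in-memory SQLite table and the function name change_password are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed demo data: an in-memory SQLite table standing in for the
// thread's `users` table, with user 1 registered with password "comps10".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (user_id, password) VALUES (?, ?)')
    ->execute([1, password_hash('comps10', PASSWORD_DEFAULT)]);

/**
 * Hypothetical helper: change a user's password, returning 'ok' or a reason.
 * The stored hash is never turned back into plain text; the typed current
 * password is checked against it instead.
 */
function change_password(PDO $pdo, int $uid, string $old, string $new, string $confirm): string
{
    // Placeholders keep user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE user_id = ?');
    $stmt->execute([$uid]);
    $hash = $stmt->fetchColumn();   // string, or false when the user does not exist

    if ($hash === false || !password_verify($old, $hash)) {
        return 'current password does not match';
    }
    if ($new !== $confirm) {
        return 'new password and confirmation do not match';
    }
    // Store a fresh salted hash of the NEW password, computed in PHP rather
    // than by a database-internal function.
    $upd = $pdo->prepare('UPDATE users SET password = ? WHERE user_id = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $uid]);
    return 'ok';
}

// Walk through the cases from the thread: wrong current password, mismatched
// confirmation, a successful change, then a retry with the old password.
var_dump(change_password($pdo, 1, 'wrong',   'hello', 'hello'));
var_dump(change_password($pdo, 1, 'comps10', 'hello', 'hellp'));
var_dump(change_password($pdo, 1, 'comps10', 'hello', 'hello'));
var_dump(change_password($pdo, 1, 'comps10', 'hello', 'hello'));
```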