Ell20 Posted November 6, 2007 Share Posted November 6, 2007 Hey, Im working on a change password.php. I want the user to have to type in there original password then there new password, followed by the confirmed new password. I have pretty much written the code to do this however the password which is stored in the database is encryped using PASSWORD ('$password') at registration. This means that when I attempt to match the password in the database with the current password they do not match. How can I do this? I assume it must be something to do with how the current password is retrieved from the database so here is my code to retrieve the password from the database: $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid'") OR DIE(mysql_error()); $row = mysql_fetch_assoc($password); $password = $row['password']; I displayed the contents of what each variable contained to check and this is what I was given: Passowrd in DB: 37e455b94f62fb0d Current password to match password in DB: comps10 Typed in new password: hello Confirmation of password typed in: hello Cheers Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/ Share on other sites More sharing options...
rajivgonsalves Posted November 6, 2007 Share Posted November 6, 2007 SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password') this should do it in one query Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385756 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 try this $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and PASSWORD ('$password')") OR DIE(mysql_error()); if(mysql_num_rows($password)>0) { //valid } it should be the same as the login script Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385757 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 Im affraid I still cant do it. All I want to do is take the password value from the users table and store it in variable $password in its normal form? Cheers Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385764 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 well thats a security risk.. if you do, do that then just remove the oneway encryption.. but your need to reset all the passwords PS the examples above should work.. Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385767 Share on other sites More sharing options...
revraz Posted November 6, 2007 Share Posted November 6, 2007 Why do people use PASSWORD instead of md5 or sha1? What will you do if your DB crashes or they move you to a different sql server? Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385779 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 The query you have give me gives a result of Resource id #9 which wont work for this situation? When the user types in the current password to see if the password matches that in the DB it is not encrypted as it never enters the DB its just a variable used to check whether the 2 match. Im getting confused about this now, I have the rest of the code in place to check they all match, I just cant get the current password to match what is the in the database! Cheers Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385788 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 The query you have give me gives a result of Resource id #9 which wont work for this situation? erm you did something wrong.. post what you have Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385791 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 Why do people use PASSWORD instead of md5 or sha1? What will you do if your DB crashes or they move you to a different sql server? I use it because I have only been doing PHP for 1 week and that is just what I saw from the book I was learning from. Not everyone is a professional. Elliot Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385793 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 <?php if (isset($_POST['submit2'])) { $oldpassword = escape_data($_POST['oldpassword']); $newpassword = escape_data($_POST['newpassword']); $confirmnew = escape_data($_POST['confirmnew']); $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')") OR DIE(mysql_error()); if ($oldpassword == $password) { if ($newpassword == $confirmnew) { $update = "UPDATE users SET password='$confirmnew' where user_id='$uid'" or die(mysql_error()); mysql_query($update) or die(mysql_error()); echo '<h3>Password Changed!</h3>'; } else { echo '<h3>New password and confirmed password to not match</h3>'; } } else { echo '<h3>Current passwords do not match</h3>'; } } ?> Thanks Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385798 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 try this <?php if (isset($_POST['submit2'])) { $oldpassword = escape_data($_POST['oldpassword']); $newpassword = escape_data($_POST['newpassword']); $confirmnew = escape_data($_POST['confirmnew']); //WHERE is $uid comming from ? $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = 'PASSWORD('$password')'") OR DIE(mysql_error()); if(mysql_num_rows($password)>0) { if ($newpassword == $confirmnew) { $update = "UPDATE users SET password = 'PASSWORD('$password')' where user_id='$uid'" or die(mysql_error()); mysql_query($update) or die(mysql_error()); echo '<h3>Password Changed!</h3>'; } else { echo '<h3>New password and confirmed password to not match</h3>'; } } else { echo '<h3>Current passwords do not match</h3>'; } } ?> EDIT: quick fix WHERE is $uid comming from ? Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385799 Share on other sites More sharing options...
trq Posted November 6, 2007 Share Posted November 6, 2007 You really ought to remove any references from the mysql PASSWORD function from all your code as well. Its not meant to be used externally, but is an internall mysql function. It will break your code if you ever need to upgrade your mysql server. Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385800 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 $uid is a function which get the details for the user logged in. An error occured in script c:\program files\easyphp1-8\www\html\personal.php on line 170: Undefined variable: password Line 170: $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = PASSWORD('$password')") Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385801 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 $uid is a function which get the details for the user logged in. What.. $uid is NOT a function! where is it set? <?php if (isset($_POST['submit2'])) { $oldpassword = escape_data($_POST['oldpassword']); $newpassword = escape_data($_POST['newpassword']); $confirmnew = escape_data($_POST['confirmnew']); //WHERE is $uid comming from ? $password = mysql_query("SELECT password FROM users WHERE user_id = '$uid' and password = 'PASSWORD('$confirmnew')'") OR DIE(mysql_error()); if(mysql_num_rows($password)>0) { if ($newpassword == $confirmnew) { $update = "UPDATE users SET password = 'PASSWORD('$newpassword')' where user_id='$uid'" or die(mysql_error()); mysql_query($update) or die(mysql_error()); echo '<h3>Password Changed!</h3>'; } else { echo '<h3>New password and confirmed password to not match</h3>'; } } else { echo '<h3>Current passwords do not match</h3>'; } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385808 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 Sorry got confused with the variable name. $uid is the user_id of the user who is logged in: $uid = $_SESSION['user_id']; Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385810 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 Latest error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'hello')'' at line 1 Cheers Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385814 Share on other sites More sharing options...
MadTechie Posted November 6, 2007 Share Posted November 6, 2007 'PASSWORD('$confirmnew')' to PASSWORD('$confirmnew') 'PASSWORD('$newpassword')' to PASSWORD('$newpassword') Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385820 Share on other sites More sharing options...
Ell20 Posted November 6, 2007 Author Share Posted November 6, 2007 Thanks alot, had to change the first query varaible to password = PASSWORD('$oldpassword')" but its working now, thanks alot for your help Elliot Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385824 Share on other sites More sharing options...
revraz Posted November 6, 2007 Share Posted November 6, 2007 Now go and change all of your PASSWORD entries to either sha1 or md5 Quote Link to comment https://forums.phpfreaks.com/topic/76221-solved-change-passwordphp/#findComment-385831 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.