Update passwords with form.

[Dada78]

I have a form that allows users to update their email and password. Now the password has two text fields. One for the new password, second to verify the first one. Problem is nothing is updated and the passwords don't verify. You can enter two different emails and it won't show an error. Also if you change the email it will say it has been updated but it hasn't.

 

Here is the code for the entire file.

 

<?php

require ('session.php');
include ('db_connect.php');

  $email = $_SESSION['email'];
if(isset($_POST['submit'])) {

      $email = $_POST['email'];
      $password = $_POST['password'];
      $verify = $_POST['newpass2'];
               if($verify != $password) {
      $update = "Passwords don't match";

  }
      $password = md5($password);

mysql_query("UPDATE users SET email = '$email', password = '$password' WHERE email='$email'");

$update = "Profile Updated";

}

  $email = $_SESSION['email'];
  $sql = "SELECT * FROM users WHERE email='$email'";
  if ($result = mysql_query($sql)) {
    if (mysql_num_rows($result)) {
      $row = mysql_fetch_array($result);
      $id = $row["id"];
      $email = $row["email"];
      $password = $row["password"];
    } else {
      die("No user found");
    }
  } else {
    die(mysql_error());
  }


?>

<table width="100%" border="0" cellpadding="0" cellspacing="0">
<tr>
<td>
	<table width="100%" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">

<td><a href="user.php?action=editprofile">Edit Profile</a> | <a href="submit.php">Add Entry</a> | <a href="user.php?action=edit">Edit Display</a> | <a href="user.php?action=images">Edit Images</a> | <a href="logout.php">Log Out</a></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
</td>
</tr>
<tr>
<td class="errorText"> <div align="center"><?php if($_POST['submit']) {
echo $update;
}
?></div></td>
</tr>
<tr>
<td>  </td>
</tr>
<tr>
<td>

<form action="user.php?action=editprofile" method="post">
<input type="hidden" name="email" value="">
<table width="100%" border="0" align="left" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">

<td></p>Current E-mail:<br><input name="email" size="30" value="<? echo $email; ?>" type="text"><p>

		Desired Password:<br><input name="password" size="30" type="password"></p><p>
		Verify Password:<br><input name="newpass2" size="30" type="password"></p><p>
		<input value="Save Now" name="submit" type="submit"></p><p>
		 	</p></td>
</tr>
</table>
</form>
</td>
</form>
</tr>
</table>

 

-Thanks

 

 

[toplay]

You have logic flow flaws here.

 

The condition that checks if the passwords are different will just fall through and update anyway.

 

In your query put backtick marks around users and password since these are reserved words in MySQL. Also, you're not check if the update worked...you blindly set $update to just say it updated when it might not have worked.

 

[Dada78]

What are backtick marks and what do you mean I blindly set $update?

[toplay]

Example:

 

<?php

$result = mysql_query("UPDATE `users` SET `email` = '$email', `password` = '$password' WHERE `email` = '$email'");

if ($result) {
    $update = "Profile Updated";
} else { // Update didn't work so display error to see what's wrong
    $update = "Updated didn't work. Error: " . mysql_error();
}

?>

 

[Dada78]

I have never used those marks on any of my other UPDATE queries and they work. I tried the above suggestion and still doesn't work.

[toplay]

When posting always be as specific as you can and post current/latest code and don't simply state that something didn't work (not clear enough).

 

Well, did you fix the other logic problem I mentioned earlier (with the password check condition)?

 

 

[MikeDXUNL]

well

wouldnt it be cause you are trying to set something where the email does not exsist?

 

like

in the form, i put "test@aol.com" and password "123123"

 

now if my email in the db is "mike@yahoo.com", the query wont pull through.. it'd be say this

 

 

mysql_query("UPDATE users SET email = 'test@aol.com', password = '123123' WHERE email='test@aol.com'");

 

 

in which, test@aol.com does not exsist yet...

 

if you have a session var, $_SESSION['email]

 

try this

 

<?php
$old_email = $_SESSION['email'];
      $email = $_POST['email'];
      $password = $_POST['password'];
      $verify = $_POST['newpass2'];
               if($verify != $password) {
       echo "Passwords don't match";
} else { 
mysql_query("UPDATE users SET email = '$email', password = '$password' WHERE email='$old_email'");

echo "updated!"
}
?>

[Dada78]

well

wouldnt it be cause you are trying to set something where the email does not exsist?

 

like

in the form, i put "test@aol.com" and password "123123"

 

now if my email in the db is "mike@yahoo.com", the query wont pull through.. it'd be say this

 

 

mysql_query("UPDATE users SET email = 'test@aol.com', password = '123123' WHERE email='test@aol.com'");

 

 

in which, test@aol.com does not exsist yet...

 

if you have a session var, $_SESSION['email]

 

try this

 

<?php
$old_email = $_SESSION['email'];
      $email = $_POST['email'];
      $password = $_POST['password'];
      $verify = $_POST['newpass2'];
               if($verify != $password) {
       echo "Passwords don't match";
} else { 
mysql_query("UPDATE users SET email = '$email', password = '$password' WHERE email='$old_email'");

echo "updated!"
}
?>

 

I understand what you are saying but when you update the email field your session will still be registered by the email field regardless if you change the email or not. Once you navigate to another part of the User CP it will break session and ask for you to login again because you have redefined the variable for the session.