phpanon Posted March 4, 2008

Hello there,

I have a function on my system that allows the users to change their passwords. For security reasons I want to make the user enter their current password, then their new password, then repeat their new password before it saves the changes. I currently have it working so that the new password has to be verified, so if they are different from each other it will not save. But it's still saving the change if the user does not type in their current password correctly. Any guidance on changes would be excellent. Thanking you kindly in advance.

<?php
require "connect.php";

$empID     = $_GET['empID'];
$password  = $_GET['password'];
$password2 = $_GET['password2'];
$password3 = $_GET['password3'];

if (($password == $password2) || ($password3 == $_SESSION['password'])) {
    $query  = "update employee set password = '" . $password2 . "' where empID = " . $empID;
    $result = @mysql_query($query, $connection) or die("Unable to perform query<br>$query");
    header("Location: changePasswordForm.php");
    exit();
} else {
    $message1 = "Unable to update Password";
    header("Location: changePasswordForm.php?message1=$message1");
    exit();
}
?>

Here is the form it is reading from:

<?php
session_start();
if (isset($_SESSION['username']) == false) {
    header("Location: login.php");
    exit();
}
require "connect.php";
$empID  = $_SESSION['empID'];
$query  = "select * from employee where empID = " . $empID;
$result = @mysql_query($query, $connection) or die("Unable to perform query<br>$query" . mysql_error());
$row    = mysql_fetch_array($result);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Update Password</title>
<link rel="stylesheet" type="text/css" href="mystylelogin.css" />
</head>
<body>
<!-- BIS Portal LOGO -->
<table width="100%" border="0">
<tr>
<td><img src="images/BISPortal2.gif"></td>
</tr>
</table>
<div id="passForm">
<p>Change Password</p>
</div>
<form action="changePassword.php" method="get">
<table width="64%" border="0">
<tr>
<td width="11%"> </td>
<td width="21%"> </td>
<td width="32%"></td>
<td width="36%"><input name="empID" type="hidden" value=" <?php echo $row['empID']?>" size="3" readonly="true" /></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr>
<td> </td>
<td> </td>
<td>Current Password: </td>
<td><input name="password3" type="password" /></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr>
<td> </td>
<td> </td>
<td>New Password: </td>
<td><input name="password" type="password" /></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr>
<td> </td>
<td> </td>
<td>Verify New Password: </td>
<td><input name="password2" type="password" /></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
<td><?php if (isset($_GET['message1'])) { echo $_GET['message1']; } ?></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
<tr>
<td> </td>
<td> </td>
<td> </td>
<td><div align="center"> <input name="Save" type="submit" value="Update" /> </div></td>
</tr>
<tr> <td> </td> <td> </td> <td> </td> <td> </td> </tr>
</table>
</form>
</body>
</html>
phpanon Posted March 4, 2008

Preferably I would like it to do this without me having to store the password variable in the session, for obvious security risks, but is there any other way?!
phpanon Posted March 5, 2008

Anyone have any suggestions?
phpanon Posted March 5, 2008

...I'm sure it's something small that needs to be changed for this to work, but I'm just not sure how to do it!? Any help would be hugely appreciated!
aebstract Posted March 5, 2008

Well, you have a login script, don't you? Do something with the same effect. Run the login credentials first (checking the password against the user in the db) and if it passes, then move on to check the second part (where you match the passwords).
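The approach aebstract describes, written out as an added example (this is not code from the thread): changePassword.php first re-checks the current password against the database row, exactly as the login script does, and only then compares the two copies of the new password. That also answers the earlier question about the session: nothing password-related is kept in `$_SESSION`, only the logged-in `empID`. Assumptions, since the thread does not show them: connect.php provides a PDO handle named `$pdo` instead of the old `mysql_*` `$connection`, the form is changed to `method="post"`, and the `employee.password` column holds a `password_hash()` string rather than plaintext. Table and column names are the thread's own; PHP 7 or later is assumed.

```php
<?php
// Added example, not the original poster's code. Assumes connect.php defines
// a PDO connection in $pdo, and that employee.password stores password_hash() output.
session_start();

// Same gate as the form page: anonymous visitors go back to login.
if (!isset($_SESSION['empID'])) {
    header("Location: login.php");
    exit();
}

// Passwords must never travel in the query string (browser history, proxy and
// server logs), so only accept the form over POST.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header("Location: changePasswordForm.php");
    exit();
}

require "connect.php"; // assumption: defines $pdo (PDO)

function fail(string $message): void
{
    // urlencode so the message survives the redirect; the form page should
    // htmlspecialchars() it before echoing to avoid reflected XSS.
    header("Location: changePasswordForm.php?message1=" . urlencode($message));
    exit();
}

// The employee being changed is whoever is logged in. Taking empID from the
// request (as the hidden field in the thread does) would let a user edit the
// field and reset someone else's password.
$empID   = (int) $_SESSION['empID'];
$current = $_POST['password3'] ?? '';   // "Current Password"
$new     = $_POST['password']  ?? '';   // "New Password"
$confirm = $_POST['password2'] ?? '';   // "Verify New Password"

// Step 1: run the login check again against the stored hash.
$stmt = $pdo->prepare("SELECT password FROM employee WHERE empID = ?");
$stmt->execute([$empID]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false || !password_verify($current, $row['password'])) {
    fail("Current password is incorrect");
}

// Step 2: only after the current password is confirmed, check the new one.
if ($new === '' || $new !== $confirm) {
    fail("New passwords do not match");
}
if (strlen($new) < 8) {
    fail("New password must be at least 8 characters");
}

// Step 3: store a fresh hash. The prepared statement keeps the value out of
// the SQL text, so a quote in the password cannot alter the query.
$stmt = $pdo->prepare("UPDATE employee SET password = ? WHERE empID = ?");
$stmt->execute([password_hash($new, PASSWORD_DEFAULT), $empID]);

// Rotate the session ID after a credential change.
session_regenerate_id(true);
header("Location: changePasswordForm.php?message1=" . urlencode("Password updated"));
exit();
```

Because the thread's table stores passwords in clear text, `password_verify()` will fail for every existing row until those rows are converted: the usual route is to hash each user's password on their next successful login (the login script checks the plaintext column, then overwrites it with `password_hash()`). The one-character fix to the original (`||` to `&&`) would stop the unchecked save, but it still leaves `$_SESSION['password']` undefined in a script that never calls `session_start()`, so the database comparison above is the one to keep.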