Change Password Script

[Adthegreat]

Hey,
I'm making a page for my users to change their passwords, you fill out a form where you type in your email, old pass new password and confirm your new password.

My PHP Code is
[code]
<?php
session_start();
include ("mysqlconnect.php");
if ($_POST[submitted] != 'TRUE')
   {
    header ("Location: profile.php");
   }

if ($_POST[password] || $_POST[password1] || $_POST[email] == "")
    {
    $sql = "SELECT email AND password FROM Member WHERE username = '{$_SESSION[username]}'";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result,MYSQL_NUM);
    if($row[0] == $_POST[email] && $row[1] == $_POST[password])
        {
        if( $_POST[password1] == $_POST[password2])
             {
             $newpass = md5($row[1]);
             $sql2 = "UPDATE Member SET password = $newpass WHERE username = '{$_SESSION[username]}'";
             $result2 = mysql_query($sql2);
             if(mysql_affected_row() == 1)
                 {
                  //if it ran okay
                  echo "Your password has been updated.";

                 }
             else
                 {
                  //if it did not run okay
                  echo "Your password could not be updated, please contact an admin.";
                  }
          echo "Your passwords did not match";
      }
    echo"Could not find the email or password in the database";
   }
  echo"Please fill in all the fields";
}
?>
[/code]

And unfortunatley when i go to this page, it is just white. No error messages or anything! I have checked that all $_POST variables all going through to the page okay, so it must be something else that is making it not work. The thing that is getting me is that it isnt showing any error messages just not appearing.

Thanks in Advance.

[.josh]

if ($_POST[password] || $_POST[password1] || $_POST[email] == "")
{

you have your script set to only do what it's supposed to do if they are equal to nothing. i think maybe you meant != ""

[Adthegreat]

Well i've done that and it is still a white screen.

[code]
<?php
session_start();
include ("mysqlconnect.php");

if ($_POST[submitted] != 'TRUE')
   {
    header ("Location: profile.php");
   }

if ($_POST[password] || $_POST[password1] || $_POST[email] = "")
{
header ("location : profile.php");
}
else{
    $sql = "SELECT email AND password FROM Member WHERE username = '{$_SESSION[username]}'";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result,MYSQL_NUM);
    if($row[0] == $_POST[email] && $row[1] == $_POST[password])
        {
        if( $_POST[password1] == $_POST[password2])
             {
             $newpass = md5($row[1]);
             $sql2 = "UPDATE Member SET password = $newpass WHERE username = '{$_SESSION[username]}'";
             $result2 = mysql_query($sql2);
             if(mysql_affected_row() == 1)
                 {
                  //if it ran okay
                  echo "Your password has been updated.";

                 }
             else
                 {
                  //if it did not run okay
                  echo "Your password could not be updated, please contact an admin.
                  }
          echo "Your passwords did not match";
      }
    echo"Could not find the email or password in the database";
   }
  
}
?>
[/code]

[.josh]

no, all you did was change == to =

you need to change it to !=

[alpine]

You also have several errors, like you should put quotes within post arrays, $_POST[[!--coloro:#CC0000--][span style=\"color:#CC0000\"][!--/coloro--]'[!--colorc--][/span][!--/colorc--]password[!--coloro:#CC0000--][span style=\"color:#CC0000\"][!--/coloro--]'[!--colorc--][/span][!--/colorc--]] and misspelling of mysql_affected_row[!--coloro:#CC0000--][span style=\"color:#CC0000\"][!--/coloro--]s[!--colorc--][/span][!--/colorc--]
You also seem to be updating the users profile with a new md5 version of the already stored password, isn't it the two posted matching passwords that is supposed to be the users new password?

i've tried to help you out with this snippet, test it and see what u get
[code]

<?php
session_start();
include ("mysqlconnect.php");

if(isset($_POST['submitted']))
{
if(!empty($_SESSION['username']) || !empty($_POST['password']) || !empty($_POST['password1']) ||  !empty($_POST['password2']) || !empty($_POST['email']))
{
if($_POST['password1'] == $_POST['password2'])
{
$username = htmlspecialchars($_SESSION['username']);
foreach( $_POST as $key => $value )
{
${$key} = htmlspecialchars($value);
}
$md_pass = md5($password);
$sql = mysql_query("SELECT email FROM Member WHERE password = '$md_pass' AND username = '$username' AND email = '$email'");
if(mysql_num_rows($sql<>1))
{
// unique user row not found
// old password or email is probably incorrect since the
// session username is most lightly to be correct when the
// user has made it to this page in the first place ???
echo "You have entered some incorrect data and cannot change your password";
}
else
{
$new_md_pass = md5($password1);
$sql2 = mysql_query("UPDATE Member SET password = '$new_md_pass' WHERE password = '$md_pass' AND username = '$username' AND email = '$email'");
if(mysql_affected_rows() == 1)
{
// if password was changed
echo "Your password has been updated.";
}
else
{
// password was not changed either due to query failure OR user has entered the same password as the one stored
echo "Your password was NOT changed.";
}
}
}
else
{
echo "Your new passwords did not match";
}
}
else
{
echo "You need to fill in all fields";
}
}
else
{
header ("location : profile.php");
exit();
}
?>

[/code]

[.josh]

putting quotes around the post array key is not technically a requirement but should always be practiced because it could lead to problems under certain circumstances.