another MySQL question ?

#1 genieuk, May 13th, 2009
Hi,

Don't know why, but I always seem to mess my MySQL queries up somewhere, usually silly things like quotes etc.

I have a problem with the code below. Basically, when a user gets an email they click the link and are taken to a page where they can change their password.

The problem I am having, again I think this is a query problem; I have tried many, many ways with no luck.

When I enter a new password, the password does not get updated in the database.

Basically that's the only problem I am having. If someone could take a look and tell me where I am going wrong again.

Here is my code, thanks as always,
genieuk

<?php @include("top.inc"); ?>
<?php include("db_connect.php"); // Database Connection ?>

<?php
if (isset($_POST['submitted'])) { // Handle the form.

    $err   = 0; // Error counter; must start at zero or the later comparison relies on an undefined variable
    $pass1 = $_POST['pass1'];
    $pass2 = $_POST['pass2'];

    // Validation: enter password
    if ( empty( $_POST['pass1'] ) ) {
        echo "<span class=\"error\"><p>You must type in a password</p></span>";
        $err++;
    }

    // Validation: confirm password
    if ( empty( $_POST['pass2'] ) ) {
        echo "<span class=\"error\"><p>You must confirm your password</p></span>";
        $err++;
    }

    // Validation: passwords do not match
    if ( $_POST['pass1'] != $_POST['pass2'] ) {
        echo "<span class=\"error\"><p>Your passwords do not match</p></span>";
        $err++;
    }

    // If all is ok
    if ($err == 0) {

        $queryString = $_GET['key']; // Raw GET value; it is interpolated unescaped into the UPDATE below

        $query = "SELECT * FROM userinformation";

        $result = mysql_query($query) or die(mysql_error());

        // Hash the new password
        $pass1 = sha1( $pass1 );

        while($row = mysql_fetch_array($result)){

            if ($queryString == $row["activationkey"]){

                // The UPDATE is only built as a string here; it is never passed to mysql_query()
                $sql = "UPDATE userinformation SET password = '$pass1' WHERE activationkey = '$queryString'";

                echo "<span class=\"error\"><p>Your password has been successfully updated</p>
                <p>You will automatically be redirected in 5 seconds</p></span>";

                redirect( "login.php" , "5" ); // redirect() is defined in one of the included files
            }
        }
    }
}
?>

<h1>Please enter a new password</h1>

<form action="verifypasswordreset.php" method="post">

New Password
<p><input type="password" name="pass1" maxlength="20" /></p>

Confirm New Password
<p><input type="password" name="pass2" maxlength="20" /></p>

<input type="submit" name="submit" value="Update My Password" />
<input type="hidden" name="submitted" value="TRUE" />

</form>

<?php @include("footer.inc"); ?>
#2 kkeith29, May 13th, 2009
You are not even running the update query. It's just a string. You need to put it into the mysql_query function.

If you run into problems like this again, take a break and then come back and look at the code again. You will see silly mistakes like that.

You also need to rethink the activation key stuff. You are looping through all of the users just to compare a key. This should be done by the SQL statement itself.
Last edited by kkeith29; May 13th, 2009 at 10:47 am.
#3 genieuk, May 13th, 2009
Hi,

Thanks. Sometimes I don't know; you're right, take a break and come back.

The silly mistakes sometimes make me laugh.

Also, when you say:

You also need to rethink the activation key stuff. You are looping through all of the users just to compare a key. This should be done by the SQL statement itself.

What do you mean exactly? Not sure how else I could do it, and your idea sounds good.

Thank you,
genieuk
#4 kkeith29, May 13th, 2009
Do your rows in the userinformation table have ids? In my projects I base all of my updates on ids. Since you are using an activation key, you need to compare that along with an id so it's harder to crack.

Are you requiring your users to login before they update their password? (I am trying to figure out why you need the activation key stuff anyway.)
#5 genieuk, May 13th, 2009
Hi, yes, users do have unique IDs; they auto increment when they register.

Also, as I use sha1 password encryption, users cannot retrieve their passwords, so on my login page I have a link where users can reset their password.

Basically they click the reset password link, then enter their email address in the text box and hit submit.

Once they submit, a new activation key is generated on the account. They then have to click on the link, which will also contain the unique activation key, and enter a new password. Once they enter a new password it then checks the DB for that activation key; when found it will then update their password, as the activation key is unique to that account and cannot be used more than once.

If a user wants to change their password they can after login, without any activation etc. This is a password reset, so if they forget their password and cannot login they can reset their password via a unique id.

I use $activationkey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

So basically an mt_rand() is generated 5 times, which is what I use to auto generate the unique keys.

Thank you
genieuk
Last edited by genieuk; May 13th, 2009 at 11:15 am.
#6 kkeith29, May 13th, 2009
Ok, so it's used for resetting forgotten passwords. Is the link with the activation code sent to the user by email?

I usually generate a new one and send it to them via email. Then I have a prompt telling them to change their password after they login.

Here is a better way of checking the activation key. It's easier on the database.
<?php

include 'top.inc';
include 'db_connect.php';

if ( isset( $_POST['submitted'] ) ) {
    $err = 0;
    $pass1 = mysql_real_escape_string( $_POST['pass1'] );
    $pass2 = mysql_real_escape_string( $_POST['pass2'] );
    if ( empty( $pass1 ) ) {
        echo "<span class=\"error\"><p>You must type in a password</p></span>";
        $err++;
    }
    if ( empty( $pass2 ) ) {
        echo "<span class=\"error\"><p>You must confirm your password</p></span>";
        $err++;
    }
    if ( $pass1 !== $pass2 ) {
        echo "<span class=\"error\"><p>Your passwords do not match</p></span>";
        $err++;
    }
    if ( $err == 0 ) {
        $key = mysql_real_escape_string( $_GET['key'] ); // to prevent sql injection
        // Let the database find the matching key instead of looping over every row
        $query = mysql_query( "SELECT COUNT(*) FROM `userinformation` WHERE `activationkey` = '{$key}' LIMIT 1" ) or die(mysql_error());
        list( $total ) = mysql_fetch_row( $query );
        if ( $total == 0 ) {
            echo "<span class=\"error\"><p>Activation Key is invalid</p></span>";
        }
        else {
            $pass1 = sha1( $pass1 );
            $query = mysql_query( "UPDATE `userinformation` SET `password` = '{$pass1}' WHERE `activationkey` = '{$key}'" ) or die(mysql_error());
            echo "<span class=\"error\"><p>Your password has been successfully updated</p><p>You will automatically be redirected in 5 seconds</p></span>";
            redirect( "login.php", 5 ); // redirect() comes from one of the included files
        }
    }
}

echo <<<HTML
<h1>Please enter a new password</h1>
<form action="verifypasswordreset.php" method="post">
New Password
<p><input type="password" name="pass1" maxlength="20" /></p>
Confirm New Password
<p><input type="password" name="pass2" maxlength="20" /></p>
<input type="submit" name="submit" value="Update My Password" />
<input type="hidden" name="submitted" value="TRUE" />
</form>
HTML;

include 'footer.inc';

?>
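As an added example (not kkeith29's or genieuk's code), the same idea of letting the SQL statement do the key check, written with PDO prepared statements so no user input is ever interpolated into the query, a key from random_bytes() in place of the mt_rand() concatenation, a stored hash of the key, an expiry, and password_hash() in place of bare sha1(). The columns `reset_token_hash` and `reset_expires`, the `email` column and the PDO connection details are assumptions.

```php
<?php
// Added example: password-reset key handled by the SQL statement itself.
// Assumed schema: userinformation(id, email, password, reset_token_hash, reset_expires).

// Step 1 (reset request): create a key, store only its hash, mail the raw key to the user.
function issue_reset_token(PDO $db, string $email): ?string {
    $token = bin2hex(random_bytes(32));   // CSPRNG; mt_rand() output is predictable
    $hash  = hash('sha256', $token);      // a leaked table does not yield usable keys
    $stmt  = $db->prepare(
        'UPDATE userinformation
            SET reset_token_hash = :h, reset_expires = DATE_ADD(NOW(), INTERVAL 1 HOUR)
          WHERE email = :e');
    $stmt->execute([':h' => $hash, ':e' => $email]);
    // Caller mails "verifypasswordreset.php?key=$token" only when a row matched, but
    // renders the same page either way so the form does not reveal which emails exist.
    return $stmt->rowCount() === 1 ? $token : null;
}

// Step 2 (form submit): one UPDATE does the lookup, the expiry check and the
// invalidation of the key, so it cannot be used a second time.
function reset_password(PDO $db, string $token, string $pass1, string $pass2): bool {
    if ($pass1 === '' || $pass1 !== $pass2 || strlen($pass1) < 8) {
        return false;                      // validation failed; nothing touched
    }
    $stmt = $db->prepare(
        'UPDATE userinformation
            SET password = :p, reset_token_hash = NULL, reset_expires = NULL
          WHERE reset_token_hash = :h AND reset_expires > NOW()');
    $stmt->execute([
        ':p' => password_hash($pass1, PASSWORD_DEFAULT), // salted, slow hash
        ':h' => hash('sha256', $token),
    ]);
    return $stmt->rowCount() === 1;        // 0 rows: unknown, expired or already-used key
}

// Page wiring: key arrives on the emailed link (GET), passwords from the form (POST).
// Connection values below are placeholders, not the thread's real settings.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
if (isset($_POST['submitted'])) {
    $ok = reset_password($db, $_GET['key'] ?? '', $_POST['pass1'] ?? '', $_POST['pass2'] ?? '');
    echo $ok
        ? '<p>Your password has been updated.</p>'
        : '<p>Activation key is invalid or expired, or the passwords do not match.</p>';
}
```

Because the WHERE clause both matches the key and requires it to be unexpired, and the SET clause clears it, the "found, then update" two-query pattern and the per-row PHP loop are both replaced by a single statement whose affected-row count is the result.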
#7 genieuk, May 13th, 2009
Hi,

Thanks Kkeith29 for your time and effort.

Sadly it still does not work.

But what I have done is removed the activation for password reset, and now have made it so it generates a new password and sends it to the user, encrypting it as it is sent to the DB.

I found it much easier and much less problematic. It has taken me all day and I got nowhere the other way. Within a matter of minutes of doing what you said you do on your site, I had it working, literally in minutes, without problems.

Thanks for everything, very much appreciate your time, patience and effort.

May I ask, when you said you force your users to change their password on login after doing a password reset, how do you yourself do this?

I mean, do you have a field in the DB where you get the login page to first check whether the status of that particular field is set to, let's say, changepassword, and if it finds that it forces them to change password?

I do something similar on activation after a change of email via a unique key. If the status verify is found on their account in the DB after changing email, it won't log them in until they re-verify their email address via the unique link in the email.

Interested to see how you go about it.

Thanks as always,
genieuk
Last edited by genieuk; May 13th, 2009 at 2:10 pm.
#8 kkeith29, May 13th, 2009
I put a field in the database for it, like you said. I have some code that checks for it and redirects to the change password area.
#9 genieuk, May 13th, 2009
Originally Posted by kkeith29:
I put a field in the database for it, like you said. I have some code that checks for it and redirects to the change password area.

Thanks kkeith, yeah, I thought that was how you may have done it.

I will do the same.

Thanks for everything.

genieuk
©2003 - 2009 DaniWeb® LLC