Hello everyone, I have a problem with the change password box. The code is working, and when I submit the form it shows "Record updated successfully", but when I check the database I find the old password is still in the database.
May anyone help me please..
Thanks in advance.

<?php
require_once("checklogin.php");
include ("../include/connect_db.php");
?>
<html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta name="description" content="">
    <meta name="author" content="">
    <title></title>


  </head>

  <body>

        <form action="change_pass.php" method="POST">
            Current Password: <input type="password" class="form-control" name="password" />
            New Password: <input type="password" name="newpassword" class="form-control" />
            Retype New Password: <input type="password" name="confirmnewpassword" class="form-control" />
                                 <input type="submit" name="submit" value="Submit" class="btn btn-default" />
        </form>  
        <?php
            if (isset($_POST['submit'])) {
                $password = $_POST['password'];
                $newpassword = $_POST['newpassword'];
                $confirmnewpassword = $_POST['confirmnewpassword'];
                $user_ad = $_SESSION['user'];

                $sql = "SELECT password FROM user WHERE username='$$user_ad'";
                $result = $conn->query($sql);

                if ($result->num_rows > 0) {
                    while($row = $result->fetch_assoc()) {
                    $oldpassword = $row['password'];
                    }                       
                    if ($password==$oldpassword) 
                        {                           
                            if($newpassword==$confirmnewpassword) {
                            $sql = "UPDATE user SET password='$password' WHERE username='$user_ad'";
                                if ($conn->query($sql) === TRUE) {
                                    echo "Record Updated Seccessfully";
                                    session_destroy();                              
                                } 
                                else {
                                    echo "Error updating record: ";
                                }
                            }
                            else {
                                echo "Retype Password doesn't match";
                            }
                        }
                        else {
                            echo "Current Password doesn't match";
                        }
                    }
                    else {
                        echo "Password Update failed";
                    }
                }

            ?>


</body>
</html>

Line 32, you have double $$?

PS: This is a BAD idea saving password in PLAIN TEXT in your database... Also, it is a VERY BAD idea to allow SQL injection attack.

Thanks for your kind information..

At line 32 it was a mistake, but same result.

Try to check whether all the variables retrieved from the page exist. Also, output something in the else branch when no result is found, to make sure that the user is found. That would give you more insight into what's going on in your script.

PS: Just saw that you are using $_SESSION but I don't see that you start a session???

PSS: Line 43, you could simply use if($conn->query($sql)) instead of attempting to compare it with TRUE.

PSS: Are you certain that all records have different username (case-insensitive)?

OK, I got the mistake.. At line 42 I used SET password='$password'. It will be SET password='$newpassword'..

Anyway thanks for your help...
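
The two issues raised in the replies above (plain-text passwords and SQL injection), combined with the `$newpassword` fix, as an added example that is not part of the original thread. It assumes the `password` column stores `password_hash()` output (VARCHAR(255)) and that `$conn` is the page's mysqli connection; `change_password()` is a hypothetical helper name.

```php
<?php
// Added example, not the original poster's code.
// Assumption: user.password holds password_hash() output, $conn is a mysqli handle.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB errors throw instead of failing silently

function change_password(mysqli $conn, string $user, string $current,
                         string $new, string $confirm): string
{
    if ($new !== $confirm) {
        return "Retype Password doesn't match";
    }

    // The ? placeholder keeps the username out of the SQL text entirely.
    $stmt = $conn->prepare("SELECT password FROM user WHERE username = ?");
    $stmt->bind_param("s", $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // true on a row, null when no row matched
    $stmt->close();

    // Compare against the stored hash; same message for unknown user and wrong password.
    if (!$found || !password_verify($current, $storedHash)) {
        return "Current Password doesn't match";
    }

    // Hash the NEW password (the thread's bug was writing the old one back).
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $conn->prepare("UPDATE user SET password = ? WHERE username = ?");
    $stmt->bind_param("ss", $newHash, $user);
    $stmt->execute();
    $changed = $stmt->affected_rows;   // anything other than 1 means duplicate or missing usernames
    $stmt->close();

    return $changed === 1 ? "Record Updated Successfully" : "Password Update failed";
}

// Usage in change_pass.php, after session_start() and the login check:
// echo htmlspecialchars(change_password($conn, $_SESSION['user'],
//     $_POST['password'], $_POST['newpassword'], $_POST['confirmnewpassword']));
```

Existing plain-text rows will not pass `password_verify()`, so they have to be rehashed or reset once before switching to this check.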
