Change User password

I need password changing code Please help!

Database :-members
Table:-
userid int(12)
name varchar(150)
surname varchar(150)
username varchar(150)
password varchar(20)

How to allow user to change their old password and set new password?

use update query.

use update query.

THANKS FOR THE REPLY!!!!!!!!!!!!!!!!!!!

I hve tried to change the password but I get different errors.
I hve tried UPDATE query but I failed to write code for changing password.
Thats why I hve posted this problem here,

u can little code for this hope this will guide... u can set your field values in below query......

if(isset($_POST['subpass']))
     {   
               include("../config.php");
global $conn;

	         if(!$_POST['curr_pass'] || !$_POST['new_pass'] ||!$_POST['re_pass'] )
			 {
			   $message="All the Fields Required Below";  
			 }
			 if($currpass!=$Lpass)
			 {
			   	$message="Your Current Password isn't Valid Try Again !!!";  
              }
			 else{ 
			          //$CP=$_POST['curr_pass']
                      $query="update register_users set password='.md5($NP).' where user_id='$user_id_db' and login='$Lname'";
		              mysql_query($query,$conn);
                      $message="Password has been Changed Successfully";  
					  }
      }

FORM IN PAGE:

<form id="change_pw" name="change_pw" method="post" action="formhandler.php">
   <label for="username">Username:</label>
   <input type="text" name="username" id="username" />
   <label for="old_pw">Old password:</label>
   <input type="password" name="old_pw" id="old_pw" />
   <label for="new_pw">New password:</label>
   <input type="password" name="new_pw" id="new_pw" />
   <label for="re_pw">Retype password:</label>
   <input type="password" name="re_pw" id="re_pw" />
   <input type="submit" id="send_pw" name="send_pw" value="Change Password" />
</form>

[B]formhandler.php[/B]
if(isset($_POST['send_pw'])){
   $username = mysql_real_escape_string($_POST['username']);
   $old_pw = mysql_real_escape_string($_POST['old_pw']);
   $new_pw = mysql_real_escape_string($_POST['new_pw']);
   $re_pw = mysql_real_escape_string($_POST['re_pw']);

   $r = mysql_query("SELECT userid FROM members WHERE username='$username' AND password='$password'")
   if(mysql_num_rows($r)>0){
      $d = mysql_fetch_array($r);
      if($new_pw == $re_pw && $new_pw != ""){ 
         $r = mysql_query("UPDATE members SET password = '$new_pw' WHERE userid = '{$d['userid']}'");
         if(mysql_affected_rows() > 0){
            $response = "Changes effected.";
         }else{
            $response = "Database could not be updated at this time.";
         }
      }else{
         $response = "New passwords must match.";
      }
   }else{
      $response = "Your login details do not match any records in the database."; 
   }
}

//send the $response variable to the desired page (via session/cookie/get)

This is pretty basic stuff - so more work is req'd. The previous post mentioned md5-ing the pw - good idea, but won't work with your table setup unless you change the password varchar length to 32. If this is a problem you could use md5 with raw_output to 'digest' the string length to 16.

this is passch.php file

<html>
	<head></head>
	<body>
	<?php

		//Start session
	session_start();
	
	//Include database connection details
	require_once('config.php');
	
	
	//Connect to mysql server
	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if(!$link) {
		die('Failed to connect to server: ' . mysql_error());
	}
	
	//Select database
	$db = mysql_select_db(DB_DATABASE);
	if(!$db) {
		die("Unable to select database");
	}
	

	//Sanitize the POST values
	$user = clean($_POST['username']);
	$opass = clean($_POST['opass']);
	$npass = clean($_POST['npass']);
	$cpass = clean($_POST['cpass']);
	

	//Check for password and login ID
	if($login != '') {
		$qry = "SELECT * FROM members WHERE login='$user'";
		$result = mysql_query($qry);
		if($result) {
			if(mysql_num_rows($result) > 0) {
				
$qry = "UPDATE members set passwd ='$npass' where login='$user'".md5($_POST['npass'])."')";
	$result = @mysql_query($qry);
				
			}
			@mysql_free_result($result);
		}
		else {
			die("Query failed");
		}
	}
		
	mysql_close($link)	

	?>
	</body>

</html>

the second is changepass.html

<h1>Change Password</h1>  

<form method="POST" action="passch.php"><br/>


Enter your UserName      <input type="username" size="10" name="username"> <br/>

Enter your existing password: <input type="password" size="10" name="opass"><br/>


Enter your new password:      <input type="password" size="10" name="npass"><br/>

Confirm your new password:      <input type="password" size="10" name="cpass"><br/>



<input type="submit" value="Update Password">

</form>

HERE IT SAYS EVERYTHING SUCCESSFULLY BUT ACTUALLY IT DOES NOT UPDATES DATABASE. EVEN IT DISPLAYS VALUE BEFORE SUBMITTING BUT IT DOES NOT GO TO DATABASE. I HVE GIVEN DATABASE STRUCTURE ALREADY CAN ANYBODY HELP ME???

UPDATE members set passwd

But in your first post you said password field was called 'password' not 'passwd'. Also the 'login' field doesn't exist:

userid int(12)
name varchar(150)
surname varchar(150)
username varchar(150)
password varchar(20)

"SELECT * FROM members WHERE login='$user'"

Also the value ascribed to it here makes v. little sense:

where login='$user'".md5($_POST['npass'])."')"

Why are you appending the new password to the username?

UPDATE members set passwd

But in your first post you said password field was called 'password' not 'passwd'. Also the 'login' field doesn't exist:

"SELECT * FROM members WHERE login='$user'"

Also the value ascribed to it here makes v. little sense:

where login='$user'".md5($_POST['npass'])."')"

Why are you appending the new password to the username?

Sorry.
During experiments database is changed
CREATE TABLE `members` (
`member_id` int(20) unsigned NOT NULL auto_increment,
`firstname` varchar(200) default NULL,
`lastname` varchar(200) default NULL,
`login` varchar(120) NOT NULL default '',
`passwd` varchar(30) NOT NULL default '',
PRIMARY KEY (`member_id`)
) TYPE=MyISAM;

I check 'login' for login & 'passwd' for password.
I want to change passwd value in database.
At registration it encrypts password so I am taking, where login='$user'".md5($_POST)."')"

$user it is used to check value of `login` varchar(100)
$opass it is used to check value of `passwd` varchar(32)
$npass it stores new password
$cpass it confirms new password

Please solve the Prblem

CREATE TABLE `members` (
`member_id` int(20) unsigned NOT NULL auto_increment,
`firstname` varchar(200) default NULL,
`lastname` varchar(200) default NULL,
`login` varchar(120) NOT NULL default '',
`passwd` varchar(30) NOT NULL default '',
PRIMARY KEY (`member_id`)
) TYPE=MyISAM;

I really don't understand why you're using 'login' as a concatenation of username and password. Is DB 'login' field = username?
If you are going to store encrypted passwords as opposed to the real string, your field size needs to be 32 NOT 30. Your 'login'/firstname/lastname fields look horrendously long - why not cut them to 20/20/30? In addition you have member_id as 20 digits long - this equates to approx. 15,000,000,000 accounts for EACH living person on the Earth.

Besides which INT only goes from 0 to 4,294,967,295 (unsigned)
Even BIGINT only scrapes 20 digits: from 0 to 18,446,744,073,709,551,615 (unsigned)

Cut this down to something credible - even 5 would be optimistic for membership of a new site.

Get your DB sorted first of all.

CREATE TABLE `members` (
`member_id` int(20) unsigned NOT NULL auto_increment,
`firstname` varchar(200) default NULL,
`lastname` varchar(200) default NULL,
`login` varchar(120) NOT NULL default '',
`passwd` varchar(30) NOT NULL default '',
PRIMARY KEY (`member_id`)
) TYPE=MyISAM;

I really don't understand why you're using 'login' as a concatenation of username and password. Is DB 'login' field = username?
If you are going to store encrypted passwords as opposed to the real string, your field size needs to be 32 NOT 30. Your 'login'/firstname/lastname fields look horrendously long - why not cut them to 20/20/30? In addition you have member_id as 20 digits long - this equates to approx. 15,000,000,000 accounts for EACH living person on the Earth.

Besides which INT only goes from 0 to 4,294,967,295 (unsigned)
Even BIGINT only scrapes 20 digits: from 0 to 18,446,744,073,709,551,615 (unsigned)

Cut this down to something credible - even 5 would be optimistic for membership of a new site.

Get your DB sorted first of all.

I have made changes to my database according to your reply.
But I have problem with updating database.
Problem is that my coding shows appropriate values but it doesn't update database?
Can you make this code running?
If possible please upload coding file with zipped format(.zip or .rar)

"I really don't understand why you're using 'login' as a concatenation of username and password. Is DB 'login' field = username?"

I use 'login' & 'passwd' field from database to check login name & password of user to start user session.

DB 'login' field = username
DB `passwd` = password
I want to update the field `passwd`, as user can change existing password with new one
THANKS FOR HELP !