0

Hi, I have been trying to create a login facility using PHP/mySQL and so far I have managed to get everything working apart from changing/updating the stored user password.

The code I have used is basically just the registration script with a few changes so that it will update a current record. I have tested the registration/login form and have had no problems creating and logging in new users and the script is working as it definately updates the record in the database.

The problem is that after I update a users details using the script below, the login script reports that the username/passwords do not match. I have compared the MD5 outputs from both the registration and update form using the same password and both match in the database. Once I change it using this script however, the user can no longer login. any ideas?

<?php
	//Start session
	session_start();
	
	//Include database connection details
	require_once('config.php');
	
	//Array to store validation errors
	$errmsg_arr = array();
	
	//Validation error flag
	$errflag = false;
	
	//Connect to mysql server
	$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
	if(!$link) {
		die('Failed to connect to server: ' . mysql_error());
	}
	
	//Select database
	$db = mysql_select_db(DB_DATABASE);
	if(!$db) {
		die("Unable to select database");
	}
	
	//Sanitize the POST values
	$fname = clean($_POST['fname']);
	$lname = clean($_POST['lname']);
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);
	
	//Function to sanitize values received from the form. Prevents SQL injection
	function clean($str) {
		$str = @trim($str);
		if(get_magic_quotes_gpc()) {
			$str = stripslashes($str);
		}
		return mysql_real_escape_string($str);
	}
	
	//Sanitize the POST values
	$fname = clean($_POST['fname']);
	$lname = clean($_POST['lname']);
	$login = clean($_POST['login']);
	$password = clean($_POST['password']);
	$cpassword = clean($_POST['cpassword']);
	
	//Input Validations
	if($fname == '') {
		$errmsg_arr[] = 'First name missing';
		$errflag = true;
	}
	if($lname == '') {
		$errmsg_arr[] = 'Last name missing';
		$errflag = true;
	}
	if($login == '') {
		$errmsg_arr[] = 'Login ID missing';
		$errflag = true;
	}
	if($password == '') {
		$errmsg_arr[] = 'Password missing';
		$errflag = true;
	}
	if($cpassword == '') {
		$errmsg_arr[] = 'Confirm password missing';
		$errflag = true;
	}
	if( strcmp($password, $cpassword) != 0 ) {
		$errmsg_arr[] = 'Passwords do not match';
		$errflag = true;
	}
	

	
	//If there are input validations, redirect back to the registration form
	if($errflag) {
		$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
		session_write_close();
		header("location: register-form.php");
		exit();
	}

	//Create INSERT query
	$qry = "UPDATE Staff SET FirstName = '$fname', LastName = '$lname', Login = '$login', Password = '
	".md5($password)."' WHERE LastName = '$lname' AND FirstName = '$fname'";
	$result = @mysql_query($qry);
	
	//print $qry;
	
	//Check whether the query was successful or not
	if($result) {
		header("location: register-success.php");
		exit();
	}else {
		die("Query failed");
	}
?>
7
Contributors
11
Replies
27
Views
7 Years
Discussion Span
Last Post by aareyes00
0

echo your login select query and try to debug it.
md5 is just for encryption there might be some issue in coding.

0

Check your query with the following statement:

$result = mysql_query($query) or die ("Error in query: $query. ".mysql_error());

So you'll come to know the error.

0

Thx for the replies, I added the line to the code and there was no error reported. So i added print $query; just to show what information was being stored and it returned the correct information:

UPDATE Staff SET FirstName = 'a', LastName = 'a', Login = 'a', Password = ' 5f4dcc3b5aa765d61d8327deb882cf99' WHERE LastName = 'a' AND FirstName = 'a'

However, I checked the data in the database and for some reason the passwords i have changed with this script have a blank line above the actual password.

I'm not sure what has caused this but it must be the problem as the password hash is still correct. I'm not sure how this could be caused though, any ideas?

0
$qry = "UPDATE Staff SET FirstName = '$fname', LastName = '$lname', Login = '$login', Password = '".md5($password)."' WHERE LastName = '$lname' AND FirstName = '$fname'";
$result = @mysql_query($qry);

I thing there is blank space before Password = ' and ".md5
This causes issue.

0

Yeah that has fixed it thank you.

In dreamweaver it appeared as though the code had just carried on to the next line and the sql output didnt seem to show there was a space there either so i never thought to check it.

0

As I mentioned before, when you are going to store password as MD5 hash, it is really necesarry to use salt variable. Perfect if it is unique for every entry.

Otherwise, it would be easy to hack MD5 hash by various tools, for example, http://www.md5-online.com/ project.

0

If you were to update your code to the folowing it will work. I just banged my head against the wall ON THE SAME ISSUE. Notice the quotes
This is the way I was beating myself up before:

$qry = "UPDATE members SET passwd = md5($password) WHERE login='$login'";

This is the way that works:

//Create UPDATE query to replace password in DB
	
	$qry = "UPDATE members SET passwd = md5('$password') WHERE login='$login'";
	$result = @mysql_query($qry);
	echo $result[userid];
	//Check whether the query was successful or not
	if($result) {
		header("location: password-change-successful.htm");
		exit();
	}else {
		die("Query failed");
	}

Edited by Ezzaral: Added code tags. Please use them to format any code that you post.

0

Obviously, you're variables will be different, as well as your table & column names.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.