Member Avatar for venetian_jigsaw

I am still a bit of a newb, but am getting the hang of webdev. My problem is in changing/updating a user's password. The good news is that I know I am hitting the mySQL table b/c I am able to see data appended. However, that's also my problem. When I try and update the password for Username: jdoe, a number displays in the table field 'pw'.

I have created the following SQL stmts:

//create sql statement
$oursql="insert into customerinfo (fn,ln,address1,address2,city,state,zip,telephone,email_address,un,pw) ";
$oursql.="values ('$fn','$ln','$add1','$add2','$city','$st','$zip','$ph','$email','$un','$pw')";
//echo $oursql;
//die;

//Execute SQL stmnt
$myresult = mysql_query($oursql) or die (mysql_error());

$oursql="update customerinfo set pw = password('$pw')". "Where pw='$pw' and un = '$un' ";
"flush privileges";
//echo $oursql;
//die;

//Execute SQL stmnt
$myresult = mysql_query($oursql) or die (mysql_error());

Do I need to foward any additional code? If so, please let me know.

Thanks

  • 2 Contributors
  • 3 Replies
  • 165 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by RamiroS

Recommended Answers

All 3 Replies

Member Avatar for RamiroS

I think the problem is in your WHERE claus... you are using WHERE pw='$pw'

at that time $pw contains the actual password... unencrypted ... and PASSWOR('$pw') holds the encrytped password

My sugestions:

FIRST!... dont use PASSWORD... use SHA1 or MD5 since PASSWORD was changed in the different MYSQL versions and if you migrate sooner or later you will have to update all the passwords.

THEN... do not check the password... don't use WHERE pw=something... just use something like UPDATE table SET pw=MD5('$pw') WHERE userid=1

The confirmation of the old password is better to do it with the script...

Hope it helps...

Member Avatar for venetian_jigsaw

RamiroS,

I used the code and at first, it did not work. In place of '$un', I tried the 1, but I would keep refering to mySQL and saw no changes. When I entered the var '$un', it changed the password, but now it's encrypted. I also tried single quotes around the 1, but that didn't work. Any suggestions? I would like to display the actual password instead of the encrypted one. Thanks again!

//create sql statement
$oursql="update customerinfo set pw=MD5('$pw') where un='$un'";
"flush privileges";
//echo $oursql;
//die;

//Execute SQL stmt
$myresult = mysql_query($oursql) or die (mysql_error());

Member Avatar for RamiroS

Ok, the problem is that storing unencrypted passwords is not secure.

When you said

When I try and update the password for Username: jdoe, a number displays in the table field 'pw'.

I'm asuming that is ok since you are updating using PASSWORD('$pw') and that will create an encryted password.

If you dont want to encrypt simply do not use the PASSWORD() function. The code you submitted should work. But I strongly recommend using encryption and something different to PASSWORD.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.