0

The password in the database doesn't change. When I press the change button, the page shows me that the password is changed, but when I log in with the new password it shows incorrect password. Help please.

<?php

session_start ();

$user = @$_SESSION['username'];

if ($user)
{
    //user is logged in
    if (@$_POST['submit'])
    {
        //check fields
        $oldpassword = md5(@$_POST['oldpassword']);
        $newpassword = md5(@$_POST['newpassword']);
        $repeatnewpassword = md5(@$_POST['repeatnewpassword']);
        //check password against db

        //connect to db
        $connect = mysql_connect ("localhost","root","") or die();
        mysql_select_db("phplogin") or die();

        $queryget = mysql_query ("SELECT password FROM users WHERE username='$user'") or die ("Query didnt work");
        $row = mysql_fetch_assoc($queryget);

        $oldpassworddb = $row ['password'];

        //check passwords
        if ($oldpassword==$oldpassworddb)
        {
            //check the new password
            if ($newpassword==$repeatnewpassword)
            {
                //success
                //change password in db
                $querychange = mysql_query ("
                UPTADE users SET password='$newpassword' WHERE username='$user'
                ");
                session_destroy();
                die ("Your password has been changed.<a href='index.php'>Return </a>to the main page");
            }
            else
                die ("New password dont match!");
        }
        else
            die("Old password doesnt match!");
    }
    else
    {
        echo("
        <form action ='changepassword.php' method='POST'>
         Old password: <input type ='text' name ='oldpassword'><p>
         New password: <input type='password' name='newpassword'><br>
         Repeat new password <input type='password' name='repeatnewpassword'><p>
         <input type='submit' name='submit' value='Change password'>
        </form>
        ");
    }
}
else
    die ("You must be logged in to change your password");
?>

Edited by pritaeas: Changed code snippet into discussion thread

0

Yes :) the password can change. Example: I put asdfg in the change password field and in the database it is asdfg, not encrypted, so when I try to log in it displays incorrect password. So it is a problem with the md5; I have to do it manually in the database for each one. What should I do?

0

I have fixed this, no problem. I removed the md5 from $password =@$_POST['password'] ; thanks

0

Can anybody recommend me some basic book on PHP, or fundamental ideas for a complex page?

0

There are lots of books based on PHP... there are a lot of good ones and a lot of repetitive ones... Good ones are the For Dummies series, O'Reilly series, WROX, and a few others.

0
<?php
    include('connection.php');
    session_start();
    if (!empty($_SESSION["logged_in"])) {
        $logged_in = $_SESSION['logged_in'];
        $id_user = $logged_in['id_user'];
        // Compare the submit value with ==, not assign with =
        if (isset($_POST['submit']) && $_POST['submit'] == "submit") {
            $password = md5($_POST['old_password']);
            $new_password = md5($_POST['new_password']);
            $confirm_password = md5($_POST['confirm_password']);
            $result = mysql_query("SELECT password FROM users WHERE id_user='$id_user'");
            $row = mysql_fetch_assoc($result);
            $passworddb = $row['password']; // password from database
            if (!$result)
            {
                echo "ERROR, Unexisted User";
            }
            else if ($password != mysql_result($result, 0))
            {
                ?> <script>
                alert('password dont match');
                window.location.href='change_password.php';
                </script> <?php
            }
            if ($password == $passworddb) {
                // Old password matches: the new password and its confirmation must agree
                if ($new_password == $confirm_password) {
                    // Same table and column as the SELECT above
                    $sql = mysql_query("UPDATE users SET password='$new_password' where id_user='$id_user'");
                    ?> <script>
                    alert('Password changed!');
                    window.location.href='change_password.php';
                    </script> <?php
                }
                else {
                    ?> <script>
                    alert('Error, new password and confirm password must be the same');
                    window.location.href='change_password.php';
                    </script> <?php
                }
            }
        }
    }
?>

It also works this way, if you are using a separate database connection, like me. If you find this useful, let me know!

1

This code is 3 years old. The last addition uses deprecated code (mysql_* functions). It also uses the "dead" md5 hashing algorithm. I really don't get the throwing of client-side alerts and redirects mashed up in server side code. PHP has the ability to redirect and pass a message - no need for ugly browser alert boxes.

Please look up password_hash() and password_verify(). You need PHP >= 5.5
For mysql_* alternatives, see mysqli or PDO
For PHP redirects, see header()
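
Added example, not part of the original thread or of the reply above: the same change-password flow written with password_hash()/password_verify() and PDO prepared statements, accepting an existing md5 row once so it can be rehashed. It reports success only when the UPDATE actually wrote a row, whereas the question's code misspells the statement as UPTADE, never checks the result of mysql_query(), and so prints the success message without changing anything. The function names, the constructed account and the in-memory SQLite database are assumptions for the demo; it expects PHP 7+ with pdo_sqlite.

```php
<?php
// Added example, not the thread's code. Table and column names follow the
// question; verify_stored(), change_password() and the demo data are assumptions.

function verify_stored(string $plain, string $stored): bool
{
    // Legacy rows hold a bare 32-hex md5: accept it once so the account can
    // move to password_hash(), comparing in constant time.
    if (preg_match('/^[a-f0-9]{32}$/', $stored) === 1) {
        return hash_equals($stored, md5($plain));
    }
    return password_verify($plain, $stored);
}

function change_password(PDO $pdo, string $user, string $old, string $new, string $repeat): string
{
    $get = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $get->execute([$user]);
    $stored = $get->fetchColumn();
    if ($stored === false || !verify_stored($old, (string) $stored)) {
        return 'Old password does not match';
    }
    if ($new !== $repeat) {
        return 'New passwords do not match';
    }
    // Placeholders keep user input out of the SQL text; the hash carries its own salt.
    $set = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $set->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    // Report success only if a row was actually written.
    return $set->rowCount() === 1 ? 'Password changed' : 'Update failed';
}

// Constructed demo data: one legacy account whose stored value is md5("asdfg").
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', md5('asdfg')]);

// Wrong old password, then the legacy md5 row, then the replaced md5, then the new hash.
echo change_password($pdo, 'alice', 'wrong', 'n3w-pass', 'n3w-pass'), PHP_EOL;
echo change_password($pdo, 'alice', 'asdfg', 'n3w-pass', 'n3w-pass'), PHP_EOL;
echo change_password($pdo, 'alice', 'asdfg', 'other', 'other'), PHP_EOL;
echo change_password($pdo, 'alice', 'n3w-pass', 'other', 'other'), PHP_EOL;
```

The login page has to call the same verify_stored() check, since comparing md5($_POST['password']) against a password_hash() value will never match.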

1

@codetuts I don't know why you pointed to that tute as it clearly doesn't work. Firstly it uses md5 hash which is not considered safe. Secondly the error listing is ridiculous. Thirdly the update sql does not update the pw, it simply changes the surname etc of the user. Frankly the code is a crock of poo. Just shows any idiot can post a tutorial. Don't use it.
