0

The password in the database doesn't change. When I press the change button, the page shows me the password is changed, but when I log in with the new password it shows incorrect password. Help please.

    <?php

    session_start ();

    $user = @$_SESSION['username'];

    if ($user)
    {
        //user is logged in
        if (@$_POST['submit'])
        {
            //check fields
            $oldpassword = md5(@$_POST['oldpassword']);
            $newpassword = md5(@$_POST['newpassword']);
            $repeatnewpassword = md5(@$_POST['repeatnewpassword']);
            //check password against db

            //connect to db
            $connect = mysql_connect ("localhost","root","") or die();
            mysql_select_db("phplogin")or die();

            $queryget = mysql_query ("SELECT password FROM users WHERE username='$user'")or die ("Query didnt work");
            $row = mysql_fetch_assoc($queryget);

            $oldpassworddb = $row ['password'];

            //check passwords
            if($oldpassword==$oldpassworddb)
            {
                //check the new password
                if ($newpassword==$repeatnewpassword)
                {
                    //succes
                    //change password in db
                    $querychange = mysql_query ("
                    UPTADE users SET password='$newpassword' WHERE username='$user'
                    ");
                    session_destroy();
                    die ("Your password has been changed.<a href='index.php'>Return </a>to the main page");
                }
                else
                    die ("New password dont match!");
            }
            else
                die("Old password doesnt match!");
        }
        else
        {
            echo("
            <form action ='changepassword.php' method='POST'>
             Old password: <input type ='text' name ='oldpassword'><p>
             New password: <input type='password' name='newpassword'><br>
             Repeat new password <input type='password' name='repeatnewpassword'><p>
             <input type='submit' name='submit' value='Change password'>
            </form>
            ");
        }
    }
    else
        die ("You must be logged in to change your password");
    ?>

Edited by pritaeas: Changed code snippet into discussion thread

0

Yes :) the password can change. Example: I put asdfg in the change password field and in the database it is asdfg, not encrypted, so when I try to log in it displays incorrect password, so it is a problem with the md5. I have to make it manually from the database for each. What should I do??

0

I have fixed this, no problem. I removed the md5 from $password =@$_POST['password'] ; thanks

0

Can anybody recommend me some basic book on PHP or the fundamental ideas of a complex page?

0

There are lots of books based on PHP... there are a lot of good ones and a lot of repetitive ones... Good ones are the For Dummies series, the O'Reilly series, WROX, and a few others.

0
 <?php
        include('connection.php');
        session_start();
            if(!empty ($_SESSION["logged_in"])){
                    $logged_in=$_SESSION['logged_in'];
                    $id_user=$logged_in['id_user'];
                if(isset($_POST['submit']) && $_POST['submit'] == "submit"){
                        $password = md5($_POST['old_passoword']);
                        $new_password = md5($_POST['new_passoword']);
                        $confirm_password = md5($_POST['confirm_passoword']);
                        $result = mysql_query("SELECT passoword FROM users WHERE id_user='$id_user'");
                        $row = mysql_fetch_assoc($result);
                        $passworddb = $row['passoword']; //password from Data Base
                            if(!$result)
                            {
                                echo "ERROR, Unexisted User";
                            }
                            else if($password!= mysql_result($result, 0))
                            {
                                ?> <script>
                                alert('password dont match');
                                window.location.href='change_passoword.php';
                                </script> <?php
                            }
                            if($password==$passworddb){
                                if($new_password==$confirm_password){
                                    $sql=mysql_query("UPDATE usuario SET password='$new_password' where id_user='$id_user'");
                                    ?> <script>
                                    alert('Password changed!');
                                    window.location.href='change_password.php';
                                    </script> <?php
                                }

                            else{
                                ?> <script>
                                alert('Error, new password and confirm password must be the same');
                                window.location.href='change_password.php';
                                </script> <?php
                            }
                        }   
                    }
            }
    ?>

//It also works this way.. if you are using a separate database connection, like me... If you find this useful, let me know!

1

This code is 3 years old. The last addition uses deprecated code (mysql_* functions). It also uses the "dead" md5 hashing algorithm. I really don't get the throwing of client-side alerts and redirects mashed up in server side code. PHP has the ability to redirect and pass a message - no need for ugly browser alert boxes.

Please look up password_hash() and password_verify(). You need PHP >= 5.5
For mysql_* alternatives, see mysqli or PDO
For PHP redirects, see header()

1

@codetuts I don't know why you pointed to that tute as it clearly doesn't work. Firstly it uses md5 hash which is not considered safe. Secondly the error listing is ridiculous. Thirdly the update sql does not update the pw, it simply changes the surname etc of the user. Frankly the code is a crock of poo. Just shows any idiot can post a tutorial. Don't use it.

0
            <?php
              if($_POST['submit']) {
                include("conn.php");
                $username = $_POST['username'];
                $password = $_POST['password'];

                $sql = "select username,accesslevel from tblusers
                    where username='$username' and password='$password'";

                $res = $conn->query($sql);

                if($res->num_rows>0){
                  $row = $res->fetch_assoc();
                  extract($row);
                  $_SESSION['username'] = $username;
                  $_SESSION['accesslevel'] = $accesslevel;
                  echo "<script>window.location='listproducts.php';</script>";

                }
                $conn->close();
              }

            ?>

I have that in my login form..

What must be the code in my change password form?
1

I sincerely hope you do not have that in your login form. You do not sanitize your input nor escape it so you are wide open to SQL injection. Sort this out before moving on. Also you include js to redirect. No need, use PHP's `header()`.

Finally - start your own thread - you have resurrected a thread that finally died after many attempts, a year ago.

Votes + Comments
Robert'); DROP TABLE Students; - Little Bobby Tables!
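
The replies above recommend `password_hash()`/`password_verify()` and PDO in place of md5 and `mysql_*`, and flag the concatenated login query as open to SQL injection. The following is an added example of a login check and password change built that way; it is not code from any poster in this thread. It assumes a `users` table with `username` and `password` columns, and the in-memory SQLite database, the sample user and the function names are constructed for illustration.

```php
<?php
// Added example: an in-memory SQLite table stands in for the real users table.
declare(strict_types=1);

function demoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    // Failed statements throw instead of returning false unnoticed.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    // Constructed sample user; only the salted hash is stored.
    $ins->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Login check: the username is bound as a parameter, never pasted into the SQL,
// and the stored hash is compared with password_verify().
function checkLogin(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Returns an error message, or null when the password was changed.
function changePassword(PDO $pdo, string $username, string $old,
                        string $new, string $repeat): ?string {
    if (!checkLogin($pdo, $username, $old)) {
        return 'Old password does not match.';
    }
    // Compare the plain inputs; hashing happens once, at storage time.
    if ($new === '' || $new !== $repeat) {
        return 'New passwords do not match.';
    }
    $stmt = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    // Report success only if a row was actually updated.
    return $stmt->rowCount() === 1 ? null : 'Password was not updated.';
}

$pdo = demoDb();
// The string from the comment above is treated as a plain (unknown) username.
var_dump(checkLogin($pdo, "Robert'); DROP TABLE Students; --", 'x'));
var_dump(changePassword($pdo, 'alice', 'wrong-guess', 'n3w-pass', 'n3w-pass'));
var_dump(changePassword($pdo, 'alice', 'old-secret', 'n3w-pass', 'n3w-pass'));
var_dump(checkLogin($pdo, 'alice', 'n3w-pass'));
```

In a real page handler the returned message would be stored in the session and followed by a `header('Location: ...')` redirect and `exit`, rather than a JavaScript alert.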