2

I have a page titled changepassword.php ... In this page, users are able to change their password for an account. The query goes through and gives the message that it sent, however, the database does not change. The password stays the same as it used to be. I am using a sha1 hash that I am not used to (first time using it). Anyone know what is happening with it? Thanks!

    <?php

    session_start ();

    $user_name = $_SESSION['user_name'];

    if($user_name)
    {
    //user is logged in

    if(isset($_POST['submit']))
    {
    //check fields

    $oldpassword = $_POST['oldpassword'];
    $newpassword = $_POST['newpassword'];
    $repeatnewpassword = $_POST['repeatnewpassword'];

    //check password against db

    $connect=mysql_connect("localhost","root","passssssssword") or die();
    mysql_select_db("database") or die();

    $queryget= mysql_query ("SELECT user_pass FROM users WHERE user_name='$user_name'") or die("Query didn't work.");
    $row = mysql_fetch_assoc ($queryget);

    $oldpassworddb = $row['user_pass'];

    //check passwords

    if (sha1($oldpassword)==$oldpassworddb)
    {
        if ($newpassword==$repeatnewpassword)
        {
            if (strlen ($newpassword)>25 || strlen ($newpassword)<6)
            {
            echo "Password must be between 6 and 25 characters";
            }
            else
            {
            //change password in db

            $newpassword = sha1($newpassword);

            $querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE user_name='$user_name'");
            session_destroy();
            die ("Your password has been changed. <a href='index.php'>Return</a> to the main page and login with your new password.");
            }

        }
        else
            die ("New passwords do not match!");

    }
    else
        die ("Old password is incorrect!");

    }

    else
    {
    echo
    "<form action = 'changepassword.php' method = 'POST'>
    <table>
    <tr>
        <td>
    Old password: 
        </td>
        <td>
    <input type='text' name='oldpassword'><p>
        </td>
    </tr>
    <tr>
        <td>
    New password: 
        </td>
        <td>
    <input type='password' name='newpassword'>
        </td>
    </tr>
    <tr>
        <td>
    Repeat new password: 
        </td>
        <td>
    <input type='password' name='repeatnewpassword'>
        </td>
    </tr>
    </table>
    <input type='submit' name='submit' value='Change password'>
    </form>
    ";
    }


    }
    else
    die("You must be logged in to change your password!");
    ?>
4
  • 1
    @Delan Azabani: "What do you think will happen if the new password has a single quote in it" --- nothing would happen, it is hashed Commented Jun 3, 2012 at 5:13
  • 2
    @zerkms: Yes, but the username, at the very least, should definitely be sanitized. Commented Jun 3, 2012 at 5:15
  • Why would you limit the max length of password? Commented Jun 3, 2012 at 12:09
  • Just a test site to see what I can actually do with PHP and SQL. I'm not planning on actually releasing it. More or less... a practice in syntax. Commented Jun 3, 2012 at 17:10

2 Answers

4

Query_1:

    SELECT user_pass FROM users WHERE user_name='$user_name'

Your Query_2:

    UPDATE users SET password='$newpassword' WHERE user_name='$user_name'

But, Query_2 should be:

    UPDATE users SET user_pass='$newpassword' WHERE user_name='$user_name'

1 Comment

$querychange would be false
1

Not sure if literal/single quotes will allow PHP to interpolate the variables. I usually use sprintf, too. Also, in general you don't want to just check on username, but username AND old password.

    "SELECT user_pass FROM users WHERE user_name='$user_name'"

should be:

    // escape the value before placing it in the query string
    $sql = sprintf("select user_pass from users where user_name = '%s'", mysql_real_escape_string($user_name));

Also, your "die()" would be better if you output the mysql_error(), i.e.

    $connect=mysql_connect("localhost","root","passssssssword") or die();
    mysql_select_db("database") or die("cannot connect".mysql_error());

But, probably the fastest way to troubleshoot is to put an error on the mysql_query:

    $sql = sprintf("UPDATE users SET password='%s' WHERE user_name='%s'", $newpassword, mysql_real_escape_string($user_name));
    // run the query and report the MySQL error if it fails
    $querychange = mysql_query($sql) or die ("Error updating: ".mysql_error());
