0

ok so i am running a reset password script, its supposed to replace the password with the sha1 hashed version of password01 if successful it should return the success message if not then the failed message, but its returning the failure message weather it works or not which it always does! any ideas? i have inserted the code below:

<?php 
session_start();
$host= $_SESSION["dbhost"]; 
$username= $_SESSION["dbuser"]; 
$password= $_SESSION["dbpass"]; 
$db_name= $_SESSION["dbname"];
$tbl_name="users"; // Table name 

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$userid = $_POST['id'];
$password = 'password01';    
$hashpass = sha1($password);

//$result = mysql_query("SELECT password FROM $tbl_name WHERE id='$userid'");
$sql=mysql_query("UPDATE $tbl_name SET password='$hashpass' where id='$userid'"); 

if (mysql_query($sql)) {
echo "<ul id='breadcrumbs-one'>";
echo "<li><a href=''>Users</a></li>";
echo "<li><a href='' class='current'>Reset</a></li>";
echo "</ul>";
echo "<div class='tn-box tn-box-color-3 mcenterlow'>";
echo "<p>The Opperation was Sucessful!<br><a href='?users'>Add Another?</a></p>";
echo "<div class='tn-progress'></div>";
echo "</div>";
}
else {
echo "<ul id='breadcrumbs-one'>";
echo "<li><a href=''>Users</a></li>";
echo "<li><a href='' class='current'>Reset</a></li>";
echo "</ul>";
echo "<div class='tn-box tn-box-color-1 mcenterlow'>";
echo "<p>The Opperation was Not Sucessful!<br><a href='?users'>Try Again?</a></p>";
echo "<div class='tn-progress'></div>";
echo "</div>";
}
?>
Improve this question
7
  • 3
    Side note: it is usually considered a bad practice to mix application logic with presentation code. Commented Jan 31, 2013 at 2:15
  • 2
    Call mysql_error() in your else {} case to see why it failed. Note that this is vulnerable to SQL injection. At a minimum, call mysql_real_escape_string() on $userid. Commented Jan 31, 2013 at 2:15
  • 1
    Apart from the sql injection, any user can change the password of any other user. You should store the user ID in the session after a successful login. Unless only the administrator can run this script of course... Commented Jan 31, 2013 at 2:17
  • 1
    You should be using PHP's crypt (blowfish) functionality for passwords, unsalted sha1's are a very bad idea. Commented Jan 31, 2013 at 2:45
  • yeah im aware of the injection attack vulnerability, i am writing this as part of a practice program for myself locally, i know the basics of php, but im really trying to expand my knowledge. appreciate the input tho, and the program code is because this is called by my mvc code so the code is run within a template wrapper kind of thing. kinda a merge of several practice projects. @jeroen, only the admin can run this, it comes from a user list with a reset button that submits the form with the userid. Commented Jan 31, 2013 at 3:40

3 Answers 3

Reset to default
1

Apart from the comments below your question, the reason your if is failing, is that you are using mysql_query on the result of another call to mysql_query.

To solve that, you should change your condition to:

if ($sql) {

(for an UPDATE query, mysql_query return true on success and false on failure)

And you should really switch to PDO (or mysqli) with prepared statements and bound variables to get rid of the sql injection problem you have.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

Your code is calling mysql_query() twice, once with the actual SQL string, and again with the returned result value from the first call! Hence, the second call which is checked by the "if" always fails; it's not valid SQL.

I think you want to say something like

$sql = "UPDATE $tbl_name SET password='$hashpass' where id='$userid'";

if (mysql_query($sql)) {
    // etc.
Improve this answer

1 Comment

yup that was the ide! looked over it too many times and just missed the error! haha! thanks!
1

You are setting $sql equal to the result of mysql_query("UPDATE $tbl_name SET password='$hashpass' where id='$userid'");. On an UPDATE statement, mysql_query returns a boolean. You are THEN called mysql_quert($sql) in the if statement. This is logically incorrect, as you are checked the result of mysql_query(<bool>); because $sql is the RESULT of a query.

Either:

$sql=mysql_query("UPDATE $tbl_name SET password='$hashpass' where id='$userid'"); 

if ($sql) {

or

$sql = "UPDATE $tbl_name SET password='$hashpass' where id='$userid'"; 

if (mysql_query($sql)) {

Matt

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.