0

I'm new to PHP. I have a project which I'm still constructing, and now I am working on the Administrator area.

For now I'm writing a script which updates the password in the table by looking at two criteria, "username and fname": if they are the same as the entered ones, the password should change. It does so successfully, but the problem is that once I enter an incorrect username it still updates the password and doesn't show the message "The username you entered does not exist"; likewise, when I write a wrong fname it doesn't show the message either. It really leaves me stuck as to where I'm wrong, although I know I'm wrong somewhere.

I request help from anyone; I'll be thankful.

This is my script:

  <?php
       session_start(); 

    //include mysqli_connect

    $name = $_POST['fname']; 
    $newp = $_POST['newpword'];
    $user=$_POST['username'];

   $result = mysql_query("SELECT password FROM admin WHERE fname='$name' 
   AND username='$user'  "); 
     if(!$result)  
    {  
    echo "The username you entered does not exist";  
    }  
     elseif(mysql_num_rows($result)>0) 
   $result=mysql_query("UPDATE admin SET password='$newp' where fname='$name'");    
     {  
    echo "Password change successfully";
echo"<br>";
  echo"<a href=index.php> Click here to signin </a>";
exit; 
      }
    {  
    echo "The new password and confirm new password fields must be the same";
  }  
 ?>
1
  • 5
    1) this script is vulnerable to SQL injection. 2) mysql_* is deprecated. Use mysqli or PDO. Commented Dec 10, 2013 at 0:52

2 Answers

1

Your if statement and brackets are very mixed up in the code. I think I understood what you're trying to do, though... but you should really go through your own code and give everything the correct indentation.

I changed your code to use PDO.

I added a POST value for the old user password because you should really verify that, too, when updating a user password even if they are already logged in. You will need to add a field for that in the form this is being sent from. If you don't want to use it, you will just need to take the logic out of the code.

And - I really hope you aren't storing the password in plain text. If you are, please tell me what your exact PHP version is in a comment below this post and I can update my answer to show how you would go about storing and using hashed passwords. It does really depend on the version, though.

<?php
session_start(); 

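// Test values so the script can be run stand-alone; remove these three lines
// when the form posts real data, otherwise they overwrite the user's input.
$_POST['fname']    = 'fname'; 
$_POST['newpword'] = 'newpword';
$_POST['username'] = 'username';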

$name = (isset($_POST['fname']))    ? $_POST['fname']    : die("\$_POST['fname'] is not set");  
$newp = (isset($_POST['newpword'])) ? $_POST['newpword'] : die("\$_POST['newpword'] is not set");  
$user = (isset($_POST['username'])) ? $_POST['username'] : die("\$_POST['username'] is not set"); 

// you should get the old password, too, 
// so you can verify that it's the correct user
// test value; remove this line once the form sends an oldpass field
$_POST['oldpass'] = 'password';
$oldp = (isset($_POST['oldpass'])) ? $_POST['oldpass'] : die("\$_POST['oldpass'] is not set"); 



$pdo = new PDO("mysql:host=localhost;dbname=test", 'root', 'password');

$stmt = $pdo->prepare("SELECT password FROM admin WHERE fname=:fname AND username=:user"); 
$stmt->bindParam(':fname', $name);
$stmt->bindParam(':user',  $user);
$success = $stmt->execute();  
$result  = $stmt->fetch(PDO::FETCH_ASSOC); 

if ($success===false) {
   print "an error occurred in the query <br/>".print_r($stmt->errorInfo(),true); 
}  
elseif ($success!==false && $result===false)
{
   print "that username was not found in the database";
}
else
{  
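   // strict comparison: == can treat two different numeric-looking strings as equal
   if ($result['password']===$oldp)
   { 
      // update only the row that was verified above (fname AND username)
      $stmt2 = $pdo->prepare("UPDATE admin SET password=:newp WHERE fname=:fname AND username=:user"); 

      /* You should really HASH this password before storing it*/ 
      $stmt2->bindParam(':newp',  $newp);
      $stmt2->bindParam(':fname', $name);
      $stmt2->bindParam(':user',  $user);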
      $success2 = $stmt2->execute();   

      if ($success2!==false)
      {
         echo "Password change successfully";
         echo"<br>";
         echo"<a href=index.php> Click here to signin </a>"; 
      } 
      else
      { 
         print "an error occurred updating the password <br/>"; 
      }
   }
   else
   {
      print "old password didn't match";
   }
}  
?>
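
The same password-change flow with hashed storage, as an added example that is not part of the original answer. It assumes PHP 5.5+ for `password_hash`/`password_verify` and the pdo_sqlite extension; an in-memory SQLite table with a constructed row stands in for the MySQL `admin` table, and `change_password` with its `$confirm` argument is a hypothetical helper.

```php
<?php
// Added example, not the answer's code. Assumes PHP 5.5+ and pdo_sqlite;
// an in-memory SQLite table stands in for the MySQL `admin` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE admin (username TEXT PRIMARY KEY, fname TEXT, password TEXT)');

// Constructed sample row: the stored value is a hash, never the plain password.
$ins = $pdo->prepare('INSERT INTO admin (username, fname, password) VALUES (?, ?, ?)');
$ins->execute(array('jdoe', 'John', password_hash('old-secret', PASSWORD_DEFAULT)));

/**
 * Hypothetical helper: returns a status string instead of echoing, so every
 * branch of the question's logic is explicit.
 */
function change_password(PDO $pdo, $user, $name, $oldp, $newp, $confirm)
{
    if ($newp !== $confirm) {
        return 'The new password and confirm new password fields must be the same';
    }
    $sel = $pdo->prepare('SELECT password FROM admin WHERE fname = :fname AND username = :user');
    $sel->execute(array(':fname' => $name, ':user' => $user));
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches: this is the "does not exist" case,
    // which `if (!$result)` on the query handle in the question never detects.
    if ($row === false) {
        return 'The username you entered does not exist';
    }
    if (!password_verify($oldp, $row['password'])) {
        return "old password didn't match";
    }
    // Update exactly the row that was verified (both columns, not fname alone).
    $upd = $pdo->prepare('UPDATE admin SET password = :hash WHERE fname = :fname AND username = :user');
    $upd->execute(array(
        ':hash'  => password_hash($newp, PASSWORD_DEFAULT),
        ':fname' => $name,
        ':user'  => $user,
    ));
    return $upd->rowCount() === 1 ? 'Password change successfully' : 'No row was updated';
}

// Constructed inputs: wrong username, wrong old password, a valid change,
// then a second change that proves the new hash verifies.
echo change_password($pdo, 'nobody', 'John', 'old-secret', 'n3w-secret', 'n3w-secret'), "\n";
echo change_password($pdo, 'jdoe', 'John', 'guess', 'n3w-secret', 'n3w-secret'), "\n";
echo change_password($pdo, 'jdoe', 'John', 'old-secret', 'n3w-secret', 'n3w-secret'), "\n";
echo change_password($pdo, 'jdoe', 'John', 'n3w-secret', 'x', 'x'), "\n";
```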
0

I think the problem is with if($result) condition. Instead of checking $result you should check if(mysql_num_rows($result)>0)

6 Comments

Yeah, I am trying to insert elseif(mysql_num_rows($result)>0); for now it checks all fname and username, but once I insert a wrong fname or username it doesn't provide the message "The username you entered does not exist"
It has to be first condition not in elseif
I mean if(mysql_num_rows($result)>0) //Insert else // No username
Ooh yeah, sorry, I didn't check it well, but it still does the same
I think for password comparison you have to put a separate condition before doing the username check. So I think you will end up doing if($pass!=$npass){ echo "both password should be same";die;} then fire the query and put if(mysql_num_rows($result)>0)//insert else//error