1

I have 2 tables :

  • newpw_ask

    email
code

  • users

    id
username
password
email
sid
newpw_code

I have this PHP code:

$code = $_POST['code2'];
$email = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");

if ($pass == $pass2) {
    if ($email) {
        $pass3 = md5($pass);

        mysql_query("UPDATE users SET password='$pass3' WHERE email='$email'");
        mysql_query("UPDATE users SET newpw_code='' WHERE email='$email'");
        mysql_query("DELETE FROM pw_ask WHERE code='$code'");

        header("Location: index.php?ret=pw");
    } else {
        echo 'Wrong code';
    }
}

Only this query got executed:

mysql_query("DELETE FROM pw_ask WHERE code='$code'");

Also when I enter the right code, it says “Wrong code”.

Improve this question
4
  • Please read this guide on hashing passwords. md5 is not nearly good enough. php.net/manual/en/faq.passwords.php Commented Feb 10, 2014 at 16:49
  • Good Lord, don't use this. $this="Everything"; - Whoever contributes to answering this, shouldn't; period. And if they do, give a reason why. I never contribute to question that use passwords stored in plain text or md5. Commented Feb 10, 2014 at 16:49
  • Just a comment: use mysqli_* instead of mysql_* Commented Feb 10, 2014 at 16:56
  • You're not properly escaping values, creating several severe SQL injection bugs. You're also using the deprecated mysql_query which should not be used in new applications because it's being removed from future versions of PHP. A modern replacement like PDO is not hard to learn. A guide like PHP The Right Way shows how to avoid making these sorts of mistakes. Commented Feb 10, 2014 at 17:24

1 Answer 1

Reset to default
3

You need to select the email correctly :

$sql    = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");
$row    = mysql_fetch_array($sql);
$email  = $row['email'];

btw you can also update multiple fields in 1 query :

mysql_query("UPDATE users SET password='$pass3' , newpw_code='' where email='$email'");
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Was going to put that but trying to remember the syntax as I use PDO
print email to see what it contains , you "$codes" are unique ?
@user3287874 what was the problem ?
Actually i don't know,i just re-pasted your code to try something and it's worked,thanks.
Ah i know why,i modified $row string to $row2 and i didn't modified $row['email'].

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.