
I have a page in my members section of my website that allows users to change their password. It all functions correctly if all details are entered correctly.

The form asks for username, current password, new password, confirm new password.

If a user enters the incorrect username, the form does not change their password (as expected) but directs them to the confirmation page instead of an error page.

Also, if a user enters the wrong password, the form changes their password anyway and directs them to the confirmation page, instead of NOT changing the password and directing them to the error page.

My code is pasted below, if anyone can help, I would be greatly appreciative! Thanks!

Mel

PHP for the change password form:

<?php

session_start();

$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="table"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

if(!$result)
{
    header("location:error1.php");
}

if ($row = mysql_fetch_assoc($result))
{
     header("location:error.php");
}

if($newpassword==$repeatnewpassword)
    $sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");

if($sql)
{
        header("location:success.php");
}
else
{
   header("location:error3.php");
}

?>
SQL can be injected in your query. Even if you are a novice, make sure you read security tips for PHP code, especially SQL injection. Commented Apr 22, 2011 at 6:40

5 Answers


Your SQL should look like this:

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");

1 Comment

I was going to say that. Currently there is no verification whether the old password was correct, neither in SQL nor in PHP. And if the old password was wrong, there's indeed a huge chance that the user isn't who he pretends to be.

Your problem lies here -

if(!$result)

When a user enters a wrong username, the query searches for that user in the database, but won't find one. So the result will contain an empty dataset, but the query is still valid, since you can query a database and return empty datasets. So your !$result check will always evaluate to true unless a DB error occurs.

Instead of just checking the $result, you should do the following -

if($newpassword==$repeatnewpassword) 
{
    // User's provided new password and repeatpassword matches, so keep going forward,
    // query the database.

    $result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

    if($result)
    {
        // Database query successful. Now check if that username exists in the database.
        if(mysql_num_rows($result) <= 0)
        {
            // user has provided wrong username, take action accordingly
        }
        else
        {
            // Username found, now check for old password match
            $row = mysql_fetch_array($result);

            if($password==$row['password'])
            {
                // User's old password matches with DB. So, update password and
                // forward him to confirmation page
            }
            else
            {
                // User's old password doesn't match with db. Show appropriate message
            }
        }
    }
    else
    {
        // Some DB error occurred. Handle it appropriately.
    }
}
else
{
    // User's new and repeat password don't match, so take action accordingly
}

P.S.

Your site is vulnerable to SQL Injection attack. You should at least sanitize your input as follows -

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$newpassword = mysql_real_escape_string($_POST['newpassword']);
$repeatnewpassword = mysql_real_escape_string($_POST['repeatnewpassword']);

To know more, go here: mysql_real_escape_string() manual.

Also, storing passwords in the database in plain old text format is another bad idea. Even you should not be able to see the passwords that your site's users provide. Use the md5() function to encrypt passwords and then store them in the database.

5 Comments

Sorry, I am an absolute novice when it comes to PHP. Struggling to even update my PHP file with your changes! :-/
@Novice: Keep trying, you will be able to figure it out easily :-).
I know I am a pain, but any chance you could show me what the full code should look like?
@Novice: Probably you didn't use if-else appropriately. If you've copy and pasted the above code then you shouldn't do that. My above answer is just to show you how you can solve your problem, you have to translate it for your own use.
Yay, got it working! Thanks a million! Now to figure out the encrypting passwords
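The checks this answer walks through (a successful query with an empty result set, verifying the old password before updating, keeping user input out of the SQL text, and not storing plaintext passwords), and the combined username/password lookup from the first answer, written out as one complete handler. This is an added example, not code from the question or from any answer; it swaps the mysql_* functions for PDO prepared statements and md5() for password_hash()/password_verify(), and assumes a `users` table with `username` and `password_hash` columns (placeholder names) plus the same redirect pages the question uses.

```php
<?php
// Added example, not the question's or any answer's code. Assumes a `users`
// table with `username` and `password_hash` columns (placeholder names).
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=database;charset=utf8mb4', 'username', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // query failures throw instead of returning false
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepared statements
]);

function redirect(string $page): void
{
    header('Location: ' . $page);
    exit; // without exit the script keeps running and a later header() overrides this one
}

$username          = $_POST['username']          ?? '';
$password          = $_POST['password']          ?? '';
$newpassword       = $_POST['newpassword']       ?? '';
$repeatnewpassword = $_POST['repeatnewpassword'] ?? '';

// 1. Cheap check that needs no secret: the two new passwords must match.
if ($newpassword !== $repeatnewpassword) {
    redirect('error_password_not_matched.php');
}

// 2. Look up the stored hash. The placeholder keeps the username out of the SQL
//    text, so whatever the user typed is compared as a plain string value.
$stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ? LIMIT 1');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. An empty result set is still a successful query: $stmt is valid, $row is false.
//    "No such user" and "wrong password" get the same page so the form does not
//    reveal which usernames exist.
if ($row === false || !password_verify($password, $row['password_hash'])) {
    redirect('error.php');
}

// 4. Store only a salted hash; password_hash() picks a current algorithm.
$update = $pdo->prepare('UPDATE users SET password_hash = ? WHERE username = ?');
$update->execute([password_hash($newpassword, PASSWORD_DEFAULT), $username]);

if ($update->rowCount() !== 1) {
    redirect('error3.php');
}
redirect('success.php');
```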
if(isset($_POST['submit'])){

    // Look up the user by username AND current password in one query
    $sql = "SELECT * FROM $tbl_name WHERE ".
           "username='$username' AND password = '$password' LIMIT 1";

    $result = mysql_query($sql);

    $numrow = mysql_num_rows($result);

    // Exactly one matching row means the username/current password pair is valid
    if($numrow != 1){ /**go to error page**/ }

}



this

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");

and this

if ($row = mysql_fetch_assoc($result))
{
     header("location:error.php");
}

implies that if the user has entered a correct user name it will redirect to the error page.

change to

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' AND password = '$password'");



I have edited your code in a more simplified way.

You should try this:

<?php

session_start();

$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="database"; // Database name
$tbl_name="table"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];

// Match on username AND current password in a single query
$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username' and password = '$password'");

if(!$result)
{
    // Query itself failed (DB error); stop here so the checks below don't run on a bad result
    header("location:error1.php");
    exit;
}

if(mysql_num_rows($result)){
    if($newpassword==$repeatnewpassword){
        $sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");
        if($sql)
        {
            header("location:success.php");
            exit;
        }
        else
        {
            // In case of a problem while updating your new password
            header("location:error3.php");
            exit;
        }
    } else {
        // In case the new password and retyped password do not match
        header("location:error_password_not_matched.php");
        exit;
    }
} else {
    // In case the username or current password is incorrect
    header("location:error.php");
    exit;
}

?>

