Problem with md5 password change

[giannis]

Hello, I've got the following code, who doesn't change the password on the database:

 

<?php
include "connect.php";
session_start();
session_register("session");
$new_password = $_POST['new_password']; 
$new_password_again = $_POST['new_password_again'];
if(!isset($session['connection_status']))
{
echo "<center><font face='Verdana' size='2' color=red>Sorry, Please login and use this page </font></center>";
exit;}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>Change Password</title> 
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.messages.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.validations.basic.js"></script>
<script language="javascript" type="text/javascript" src="niceforms.js"></script>
<link rel="stylesheet" type="text/css" media="all" href="niceforms-default.css" />
<link rel="stylesheet" type="text/css" media="screen" href="css/jquery.ketchup.css" />
</head>

<body>
<div id="container">
        <fieldset>
          <legend>Change Password</legend>  
          <p>Please enter your new password below</p>  
          <form method="post" action="change_password.php" name="changepassword" id="changepassword"class="niceform" >  
          <dl>
          <dt><label for="new_password">New Password:</label><br /></dt>
          <dd><input type="password" name="new_password" id="new_password" class= "validate(required, rangelength(4,30))" /></dd>
          </dl>
          <dl>
          <dt><label for="new_password_again">Password (again):</label><br /></dt>
          <dd><input type="password" name="new_password_again" id="new_password_again" class= "validate(required, match(#new_password))" /></dd>
          </dl>
          <dl>
          <dt>
          <dd><input type="submit" name="change_password" id="change_password" value="Change Password" />  
          <input type="reset" name="reset" id="reset" value="Reset" /></dd>
          </dt>
          </dl>
          </form>
       </fieldset>  
</div>    
   
<?php
if (empty($_POST['new_password']) && empty($_POST['new_password_again']))  
{
?>
<div id="container">
     <form method="post" action="<?php echo $_SERVER['REQUEST_URI']; ?>" name="loginform" id="loginform" class="niceform" >  
          <fieldset>
          <legend>Error</legend>
          <p>Please go back and complete all the fields in the form</p>
          <p>Click <a href="index.php">here</a> to try again.</p>
          </fieldset>
        </form>
   </div>
    
<?php
}
else 
{ 
$db_new_password=md5(mysql_real_escape_string($new_password));
$status = "OK";
$msg="";
if ( strlen($new_password) < 3 or strlen($new_password) > 10 )
{
$msg=$msg."Password must be more than 3 characters in length and maximum 10 characters in length<BR>";
$status= "NOTOK";
}     
if (strcmp( $new_password,$new_password_again ) !=0)
{
$msg=$msg."Both passwords do not match<BR>";
$status= "NOTOK";
}     
if($status<>"OK")
{ 
echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else
{ 
if(mysql_query("update users set password='$db_new_password' where userid='$session[userid]'"))
{
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password for better security</font></center>". $new_password ;
}
}
} 
?>

<script type = "text/javascript">
       $(document).ready(function() {
  $('#changepassword').ketchup();
});
</script>  
</body>  
</html>  

[Pikachu2000]

Then what does happen? Any errors, or just nothing at all?

[giannis]

I've done a few changes, the php runs but doesn't save in database the new password, it still remains the old one even though the returning message says that it was change. Any ideas?

<?php
include "connect.php";
$user=$_SESSION['userid'];
session_start();
session_register("session");

if(!isset($_SESSION['connection_status']))
{
echo "<center><font face='Verdana' size='2' color=red>Sorry, Please login and use this page </font></center>";
exit;
}
$empty_fields_message = "<p>Please go back and complete all the fields in the form.</p>Click <a class=\"two\" href=\"javascript:history.go(-1)\">here</a> to go back";
$password1 = $_POST['password1']; 
$password2 = $_POST['password2'];
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:fb="http://www.facebook.com/2008/fbml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<title>Change password</title> 
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.messages.js"></script>
<script type="text/javascript" src="js/jquery.ketchup.validations.basic.js"></script>
<script language="javascript" type="text/javascript" src="niceforms.js"></script>
<link rel="stylesheet" type="text/css" media="all" href="niceforms-default.css" />
<link rel="stylesheet" type="text/css" media="screen" href="css/jquery.ketchup.css" />
</head>
<body>

<?php
if (!isset($_POST['password1'])) 
{
?>
  <h2> Change password! <? echo $_SESSION['email']; ?> </h2>
  <form method="post" action="index.php; ?>" >
    <p class="style3" > <label for="password1"> New password:</label> 
    <input type="password" title="Please enter a password" name="password1" size="30" class= "validate(rangelength(4,30))"></p>
    <p class="style3"> <label for="password2"> Re-enter Password:</label>
    <input type="password" title="Please re-enter password" name="password2" size="30" class= "validate(rangelength(4,30))"></p>
    <p style="stext-align:left"> <label for="submit"> &nbsp </label>
    <input type="submit" name="submit" id="submit" value="Change password" />
  </form>

<?php

}
  elseif (empty($password1) && empty($password2))  
  {
    echo $empty_fields_message;
  }
  else 
  { 
    $db_password1=md5(mysql_real_escape_string($_POST['password1']));
    /*Setting flags for checking*/
    $status = "OK";
    $msg="";
      
     if ( strlen($password1) < 4 or strlen($password1) > 10 )
      {
        $msg=$msg."Password must be more than 4 characters in length and maximum 10 characters in length<BR>";
        $status= "NOTOK";
      }   
        
        if (strcmp( $password1,$password2 ) !=0)
        {
          $msg=$msg."Both passwords do not match<BR>";
          $status= "NOTOK";
        }  
           
          if($status<>"OK")
          { 
            echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
          }
          
            else
            { 
            /* if all validations are passed */
            
              mysql_query("UPDATE users SET password='.$db_password1' WHERE userid='.$user'");
              ?>
                <p>Thanks <br> Your password changed successfully Please keep changing your password for better security</p>
                <p> Click <a href="index.php">here</a> to logout if you want</p>
                <?php
              
            }
      }
      
?> 

[the182guy]

I suspect this is the problem

 

include "connect.php";
$user=$_SESSION['userid'];
session_start();

 

You're trying to access a $_SESSION variable before the session has been started, which means your $user variable will be null. You're using that variable to do the update later in the script. Move the session_start() to above the line that is accessling the variable.