Jump to content

simple password check

lee2010

By lee2010
in PHP Coding Help

 Share

Recommended Posts

lee2010 Member

lee2010

Posted
Posted

Hi all, i have written a fairly simple profile page that users can see once they have logged in and i have a password change feature. the user is asked to enter there current password and then enter there desired new password, then confirm there new password to make sure they match. However the users current password isn't checked as im not sure how to code it. Heres my code so far:

 

<?PHP

session_start();

//Database Information

$dbhost = "localhost";
$dbname = "test";
$dbuser = "test";
$dbpass = "test";

//Connect to database

$conn = mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname, $conn) or die(mysql_error());

//Clean data

$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('mysql_real_escape_string', $_POST);

$currentpassword = $_POST['currentpassword'];
$newpassword = $_POST['newpassword'];    
$cnewpassword = $_POST['cnewpassword'];

if($newpassword == $cnewpassword)
{  
    $query = "UPDATE `users` SET `password` = '".$newpassword."' WHERE `username` = '".$_SESSION['username']."' LIMIT 1";  
$run = mysql_query($query);
if($run) {
	echo "Congratulations You have successfully changed your password";
    include 'success.php'; 
	exit();
        	} 
  else {
	include 'password.php';
	exit;
     } 
}
else  {  
    echo "The new password and confirm new password fields must be the same";
    include 'password.php';
    exit();
        }   
?>

 

I'm guessing i need a && within the if statement to check the currentpassword with what is supplied within my database, but im not sure how to code this.

 

Lee

Link to comment
Share on other sites
smerny Advanced Member

smerny

Posted
Posted

you might want to hash passwords using something like md5 or sha1.

 

to check the current password you will have to pull the password from the database and check against that. if you use a hash, you cannot unhash so you will have to hash the password they input and then check that against the password in the database.

 

you can do this before you check that ($newpassword == $cnewpassword)

 

 

Link to comment
Share on other sites
doddsey_65 Advanced Member

doddsey_65

Posted
Posted 

<?PHP

session_start();

//Database Information

$dbhost = "localhost";
$dbname = "test";
$dbuser = "test";
$dbpass = "test";

//Connect to database

$conn = mysql_connect ( $dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname, $conn) or die(mysql_error());

//Clean data

$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('mysql_real_escape_string', $_POST);

$currentpassword = md5($_POST['currentpassword']);
$newpassword = $_POST['newpassword'];    
$cnewpassword = $_POST['cnewpassword'];

if($newpassword == $cnewpassword)
{  
    // get the current password
    $sql = mysql_query("SELECT password FROM users WHERE username='".$_SESSION['username']."'")or die(mysql_error());
    $result = mysql_fetch_array($sql);
    
    // check if the entered currentpassword is the same as password in database
    if ($currentpassword != $result['password'])
    {
        echo 'Entered Password Does Not Match Current Password';
    }
    else
    {
        $query = "UPDATE `users` SET `password` = '".md5($newpassword)."' WHERE `username` = '".$_SESSION['username']."' LIMIT 1";  
        $run = mysql_query($query);

        if($run) 
        {
            echo "Congratulations You have successfully changed your password";
            include 'success.php'; 
            exit();
        } 
        else 
        {
            include 'password.php';
            exit;
         } 
    }
}
else  
{  
    echo "The new password and confirm new password fields must be the same";
    include 'password.php';
    exit();
}   
?>

 

took the liberty of adding an md5 hash there for you aswell.

I would also advise against using array map on $_POST. reason is twofold:

1. strip_tags and escape_string are applied to the submit button and any hidden fields aswell. not really a problem but it's unneeded.

2. any multi dimensional $_POST arrays will be lost. not a problem now since you dont have any but something to be aware of.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.