naveendk.55 Posted November 17, 2011 Share Posted November 17, 2011 Hi, I'm trying to change the password after logging in to web site. Following is the code that change the password. However, the password is not changing in the table. Please let me know if I'm making any error in below code. Thanks. <?php $password=mysql_real_escape_string($_POST['newpassword']); $password2=mysql_real_escape_string($_POST['confirmnewpassword']); if ( strlen($password) < 5 or strlen($password) > 12 ){ echo "Password must be more than 5 char legth and maximum 12 char lenght<BR>"; } if ( $password <> $password2 ){ echo "Both passwords are not matching"; } if($password == $password2){ if(mysql_query("update users set password='$password' where empid='$_SESSION[login]'")){ echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password every 2 monthsfor better security</font></center>"; } } Quote Link to comment Share on other sites More sharing options...
Pikachu2000 Posted November 17, 2011 Share Posted November 17, 2011 There's no session_start() You aren't checking if the query failed and produced any errors with mysql_error(). It appears you're storing plaintext passwords in the database? That's a bad idea. Quote Link to comment Share on other sites More sharing options...
phporcaffeine Posted November 17, 2011 Share Posted November 17, 2011 We need to see more of the code; is the value of $_POST['password'] what you expect it to be? Quote Link to comment Share on other sites More sharing options...
naveendk.55 Posted November 17, 2011 Author Share Posted November 17, 2011 Session is added at the top of the code. If the password change works for normal password, then I'll be able to do it for sha1 encryption. below is the HTML code: <form name=tracker method=post action=checkpassword.php> <table width="100%" border="0" cellpadding="2" cellspacing="2" id="changepass" align="center" style="border-color:#39C; border-width:medium; border-style:outset;"> <tr> <td style="text-align:left">Enter your New Password:</td> <td><input type="password" name="newpassword" id="newpassword" size='50'/></td> </tr> <tr> <td style="text-align:left">Confirm New Password:</td> <td><input type="password" name="confirmnewpassword" id="confirmnewpassword" size='50'/></td> </tr> <tr> <td scope="row" > </td> <td colspan="2"><div id="submit"><input id="changepass" class="mainForm" type="submit" value="Change Password"/></div></td> </tr> </table> </form> Below is the login check code that has the login session variable. This file name is checkpassword.php. <?php session_start(); ?> <?php include_once("includes/connections.php"); ?> <?php include_once("functions/funphp.php"); ?> <?php if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the form has been submitted on login.php page { $login = mysql_real_escape_string($_POST['login']); $password = mysql_real_escape_string($_POST['password']); $qstr = "SELECT * from users where empid='$login' and password ='$password'"; $result = mysql_query($qstr); $_SESSION['login']=$login['login']; if (mysql_num_rows($result)==1) { redirect("home.php"); } else { echo "<font color=#000000><b>Invalid User Name or Password. <a href=index.php> Click here</a> to go back to the login screen </a></Center></font>"; } mysql_close(); } ?> Below is my session code (redirect has a function for Location). This file is included at the top of the checkpassword.php. <?php include_once("functions/funphp.php"); ?> <?php session_start(); function logged_in() { return isset($_SESSION['login']); } function confirm_logged_in() { if (!logged_in()) { redirect("index.php"); } } ?> Quote Link to comment Share on other sites More sharing options...
Drummin Posted November 17, 2011 Share Posted November 17, 2011 Give this a go. NOTE: This should all be happening before anything is sent to the browser so I would change the error message to a variable to echo within body tags. <?php session_start(); include_once("includes/connections.php"); include_once("functions/funphp.php"); if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the form has been submitted on login.php page { $login = mysql_real_escape_string($_POST['login']); $password = mysql_real_escape_string($_POST['password']); $qstr = "SELECT * from users where empid='$login' and password ='$password'"; $result = mysql_query($qstr); if (mysql_num_rows($result)==1) { //I don't believe $login['login'] is correct. //Also don't set the session unless you get a result. $_SESSION['login']=$_POST['login']; redirect("home.php"); } else { $loginerror="<span style=\"color:#000000\"><b>Invalid User Name or Password.</b> <a href=index.php> Click here</a> to go back to the login screen </span>"; } mysql_close(); } ?> Quote Link to comment Share on other sites More sharing options...
naveendk.55 Posted November 18, 2011 Author Share Posted November 18, 2011 Hi I'm able to log in successfully. The issue is only with changing password. The password is not updating in database after changing it. Thank you. Quote Link to comment Share on other sites More sharing options...
Drummin Posted November 18, 2011 Share Posted November 18, 2011 As I pointed out in my post, it doesn't look like you were setting $_SESSION['login'] correctly, which may be the reason you can't update your password. Check to see that $_SESSION['login'] holds what you expect it to. Quote Link to comment Share on other sites More sharing options...
naveendk.55 Posted November 18, 2011 Author Share Posted November 18, 2011 Yes, you're absolutely right. When I echo the session variable, it only printed one digit. My user id is a 10 digit code. Please check if I'm making any error while creating the session.. <?php session_start(); ?> <?php include_once("includes/connections.php"); ?> <?php include_once("functions/funphp.php"); ?> <?php if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the form has been submitted on login.php page { $login = mysql_real_escape_string($_POST['login']); $password = mysql_real_escape_string($_POST['password']); $qstr = "SELECT * from users where empid='$login' and password ='$password'"; $result = mysql_query($qstr); $_SESSION['login']=$login['login']; $_SESSION['username'] = $username['username']; if (mysql_num_rows($result)==1) { redirect("home.php"); } else { echo "<font color=#000000><b>Invalid User Name or Password. <a href=index.php> Click here</a> to go back to the login screen </a></Center></font>"; } mysql_close(); } ?> Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted November 18, 2011 Share Posted November 18, 2011 Is there a reason you're using array syntax here: <?php //... $_SESSION['login']=$login['login']; $_SESSION['username'] = $username['username']; //... ?> Maybe I'm missing something, but isn't $login a plain variable. Also, where does $username come from? Quote Link to comment Share on other sites More sharing options...
naveendk.55 Posted November 18, 2011 Author Share Posted November 18, 2011 Can you tell me how to rewrite it according to your syntax? Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted November 18, 2011 Share Posted November 18, 2011 Since $login doesn't seem to be an array, it would be written as: $_SESSION['login'] = $login; I'm not sure where $username comes from, but it's probably not an array... $_SESSION['username'] = $username; Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted November 18, 2011 Share Posted November 18, 2011 Ah, so you can use array syntax on regular variables. But it treats the variable as an array of characters. To see what happens, try this out: <?php $test = 'abs'; print $test['test'] . '<br />'; print $test; ?> That would explain why you're only getting the first character. Quote Link to comment Share on other sites More sharing options...
Drummin Posted November 18, 2011 Share Posted November 18, 2011 In the sample code I posted, I moved the session till after verification of the user and used the $_POST value because you have mysql_real_escape_string on the variable $login. if (mysql_num_rows($result)==1) { //I don't believe $login['login'] is correct. //Also don't set the session unless you get a result. $_SESSION['login']=$_POST['login']; redirect("home.php"); } else {etc Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.