-1

Hi, I'm having a problem with my change password script. I'm trying to allow a user to change their password in the MySQL table 'ptb_users.password'. It's supposed to store this as md5.

When I hit submit in my form, I'm assuming it goes to changepassword.php, but the page is just blank, nothing is echoed and I'm not getting any errors.

Can someone please show me where I'm going wrong with this? Thanks.

Here's my form:

```php
<?php
// CONNECT TO THE DATABASE
    require('includes/_config/connection.php');
// LOAD FUNCTIONS
    require('includes/functions.php');
// GET IP ADDRESS
    $ip_address = $_SERVER['REMOTE_ADDR'];
?>

  <?php require_once("includes/sessionframe.php");
  require('includes/checks.php');
?>


<?php

if (isset ($_GET['to'])) {
$user_to_id = $_GET['to'];

}

?>

<?php
//We check if the form has been sent
if(isset($_POST['subject'], $_POST['message_content']))
{
    $subject = $_POST['subject'];
    $content = $_POST['message_content'];
        //We remove slashes depending on the configuration
        if(get_magic_quotes_gpc())
        {
                $subject = stripslashes($subject);
                $content = stripslashes($content);
        }
        //We check if all the fields are filled
        if($_POST['subject']!='' and $_POST['message_content']!='')
        {
            $sql = "INSERT INTO ptb_messages (id, from_user_id, to_user_id, subject, content) VALUES (NULL, '".$_SESSION['user_id']."', '".$user_to_id."', '".$subject."', '".$content."');";
            mysql_query($sql, $connection);

            echo "<div class=\"infobox2\">The message has successfully been sent.</div>";
        }
}


if(!isset($_POST['subject'], $_POST['message_content']))

if (empty($_POST['subject'])){
        $errors[] = 'The subject cannot be empty.';

    if (empty($_POST['body'])){
        $errors[] = 'The body cannot be empty.';

    }
    }

{
?>


<form method="post" action="includes/changepassword.php" name="form1" id="form1">
<input type="password" name="oldpassword" id="password" class="subject" placeholder="Old Password">

<input type="password" name="oldpassword" id="password" class="message" placeholder="Old Password">

<input type="password" name="newpassword" id="newpassword" class="message" placeholder="New Password">

<input type="image" src="assets/img/icons/loginarrow1.png" name="submit" id="submit" class="submit">
</form>
```

And here's my mysql function:

```php
<?php
require_once("session.php");
require_once("functions.php");
require('_config/connection.php');
?>
<?php

session_start();

include '_config/connection.php';

$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$confirmnewpassword = $_POST['confirmnewpassword'];

$result = mysql_query("SELECT password FROM ptb_users WHERE id=".$_SESSION['user_id']."");





if(!$result)
{
echo "The username you entered does not exist";
}
else
if($password!= mysql_result($result, 0))
{
echo "";
}
if($newpassword=$confirmnewpassword)
{
    $newpassword=md5($newpassword);
    $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' WHERE id=".$_SESSION['user_id']."");
}
    if($sql)
    {
    echo "Thank You. Your Password has been successfully changed.";
    }
else
{
echo "The new password and confirm new password fields must be the same";
}
?>
```
Dave Smith
  • make sure your php.ini file has error reporting and display errors turned on, and you should start seeing some error messages. – Sam Dufel Feb 09 '13 at 01:04
  • one error: `if($newpassword=$confirmnewpassword)` must be `if($newpassword==$confirmnewpassword)`..and please learn how to format code properly..look at psr-2 coding standard [here](https://github.com/php-fig/fig-standards/blob/master/accepted/PSR-2-coding-style-guide.md) – bitWorking Feb 09 '13 at 01:06
  • To start with, put `die('this page shows up');` on the second line after` – asifrc Feb 09 '13 at 01:07

3 Answers

1
```php
if(isset($_POST['submit']))
{

   $email = $_POST['email'];
   echo $newpassword = ($_POST['password1']);
   echo $confirmpasssword = ($_POST['password2']);

        if($newpassword=$confirmpassword)
        {
            echo $newpassword = md5($newpassword);
            echo $result = mysql_query("UPDATE users SET password='$newpassword' WHERE email='$email' ");
        }
                if($result)
                {
                echo "Thank You. Your Password has been successfully changed.";
                }
            else
            {
            echo "The new password and confirm password fields must be the same";
            }
}
```

Can anyone tell me if this is correct coding to change a password and store it in a MySQL DB?
Arun
0

There are many things wrong with this.

Let's get the basics out of the way first:

  1. Don't use mysql_ functions. Switch to PDO or mysqli while you can.

  2. md5 is in its dying days. See this answer - understandably, you may be so entrenched in md5 you can't get out without pestering every user to update their pw.

Your problem then is this:

```php
if($password!= mysql_result($result, 0))
```

You're not comparing against a md5 stored hash. It should be something like this:

```php
if(md5($password) != mysql_result($result, 0))
```

and this:

```php
if($newpassword=$confirmnewpassword)
```

is just reassigning a variable. I think you wanted

```php
if($newpassword == $confirmnewpassword)
```

As for output, you may want to consider the if/else structures you're using here. This could be cleaned up significantly and altogether looks out of date. Maybe just an opinion.

If you have a specific thing to hone in on, let me know and I may update.

EDIT

This whole block should be cleaned. Something like this may help:

```php
if(!$result)
{
    echo "The username you entered does not exist";
}
else
{
    if(md5($password) != mysql_result($result, 0))
    {
        echo "Current PW does not match what we have";
    }
    else
    {
        if($newpassword == $confirmnewpassword)
        {
            $newpassword=md5($newpassword);
            $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' WHERE id=".$_SESSION['user_id']."") or die(mysql_error());

            if($sql)
            {
              echo "Thank You. Your Password has been successfully changed.";
            }
        }
        else
        {
            echo "The new password and confirm new password fields must be the same";
        }
    }
}
```
Community
Kai Qing
0

First, you do not check the old password properly (md5 stored, plaintext compare... won't work). Second, you do not have any confirmpassword set, so this won't work either.

what would work is:

```php
$password = md5($_POST['password']);
$newpassword = md5($_POST['newpassword']);

$result = mysql_query("SELECT password FROM ptb_users WHERE id=".$_SESSION['user_id']." AND password = '".$password."'");
if(!$result)
{
echo "The username you entered does not exist or old password didn't match";
}
else
{
     $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' WHERE id=".$_SESSION['user_id']."");
}
if($sql)
{
    echo "Thank You. Your Password has been successfully changed.";
}
```
itsid
  • Yes, this works and lets the user change their password, but it doesn't confirm the old password properly, and even if the user puts in the wrong old password it still lets the user change it. How can I get it to confirm the old password before letting a user change it? – Dave Smith Feb 09 '13 at 01:18
  • No, it won't let you change the password when entering the wrong "OLD" password. `AND password = '".$password."'"` prevents that – itsid Feb 09 '13 at 01:22
  • Have you tried running the code? I'm just saying because when I run the code it's letting me put any old password in I want. – Dave Smith Feb 09 '13 at 01:27
  • It also allows a user to leave the new password boxes blank and set their password to nothing :/ – Dave Smith Feb 09 '13 at 01:28
  • Didn't see you check anything ;) The code is as stupid as yours, it's just working (unlike yours). My password setters are completely different. As far as I got your question, you wanted to know why you didn't get any response... that's because you always end up in this line of your code: `echo ""; ` I edited YOUR code so that it not only works but it also doesn't need said line anymore... (a coincidence). If you want a totally different solution for that task then your question was misleading. – itsid Feb 09 '13 at 03:29
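
The points raised in the answers and comments above (PDO instead of mysql_ functions, moving off md5, really verifying the old password, refusing a blank new password), combined into one added example that is not code from any poster in the thread. It assumes PHP 7+ with PDO and pdo_sqlite; the in-memory SQLite database, the function name `changePassword` and the 8-character minimum are illustrative assumptions, and legacy md5 rows are upgraded to `password_hash()` at the moment the user changes their password.

```php
<?php
// Added example (not from the thread). Table and column names follow the question;
// an in-memory SQLite database stands in for the MySQL connection so it runs offline.
function changePassword(PDO $db, int $userId, string $old, string $new, string $confirm): string
{
    if (strlen($new) < 8) {                       // assumed minimum; also rejects ''
        return 'New password must be at least 8 characters.';
    }
    if ($new !== $confirm) {
        return 'The new password and confirm new password fields must be the same';
    }
    // Prepared statements keep values out of the SQL text.
    $stmt = $db->prepare('SELECT password FROM ptb_users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'User not found.';
    }
    // Legacy rows hold 32 lowercase hex chars from md5(); others are password_hash() strings.
    $legacy = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($old)) : password_verify($old, $stored);
    if (!$ok) {
        return 'Current password does not match.';
    }
    // Re-hash with the current default algorithm; the column must hold 60+ chars (255 advised).
    $upd = $db->prepare('UPDATE ptb_users SET password = ? WHERE id = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return 'Your password has been changed.';
}

// Constructed demo data: user 1 still has the md5 hash of "hunter2".
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ptb_users (id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO ptb_users (id, password) VALUES (1, ?)')->execute([md5('hunter2')]);

// In a real handler $userId comes from $_SESSION['user_id'], never from the form.
echo changePassword($db, 1, 'wrong-old', 'correct horse', 'correct horse'), "\n"; // wrong old password
echo changePassword($db, 1, 'hunter2', '', ''), "\n";                             // blank new password
echo changePassword($db, 1, 'hunter2', 'correct horse', 'correct horse'), "\n";   // legacy md5 row
echo changePassword($db, 1, 'correct horse', 'new-passphrase', 'new-passphrase'), "\n"; // password_hash() row
```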