-1

Can someone please help? I have this change password script that allows a user to change their password.

At the moment it lets the user change their password despite what they put in the old password box. Can someone please show me how I can get it to check that the old password matches the one stored in 'ptb_users.password'?

Also, it currently lets a user set their password to nothing. Is there a way I can make the new password and confirm password fields compulsory?

Thanks.

<?php
require_once("session.php"); 
require_once("functions.php");
require('_config/connection.php');
?>
<?php 

session_start();

include '_config/connection.php'; 


$password = md5($_POST['password']);
$newpassword = md5($_POST['newpassword']);

$result = mysql_query("SELECT password FROM ptb_users WHERE id=".$_SESSION['user_id']." AND password = '".$password."'");
if(!$result) 
{ 
echo "The username you entered does not exist or old password didn't match"; 
} 
else
{
     $sql=mysql_query("UPDATE ptb_users SET password='$newpassword' WHERE id=".$_SESSION['user_id'].""); 
}
if($sql) 
{ 
    echo "Thank You. Your Password has been successfully changed."; 
}
?>
Dave Smith

1 Answer

0

For retrieving passwords and checking the match against the query, you may use the answer suggested by @hexacyanide.

To get the password field from MySQL to update the password, you need to change

mysql_query("UPDATE ptb_users SET password='$newpassword'
to
mysql_query("UPDATE ptb_users SET password='".$newpassword."'

Javier Brooklyn
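
Added example, not part of the original question or answer: a change-password routine that fetches the stored hash and compares it before updating, and rejects empty or mismatched new-password fields. It swaps the question's md5() and mysql_query() for password_hash()/password_verify() and PDO prepared statements; the in-memory SQLite database, the helper name changePassword() and the sample passwords are assumptions made for the demo.

```php
<?php
// Added example, not the asker's script. Assumptions: PDO with the SQLite
// driver stands in for MySQL; changePassword() is a hypothetical helper.
declare(strict_types=1);

function changePassword(PDO $db, int $userId, string $old, string $new, string $confirm): string
{
    // Compulsory fields: reject empty or mismatched new passwords up front.
    if ($new === '' || $confirm === '') {
        return 'New password and confirmation are required.';
    }
    if ($new !== $confirm) {
        return 'New password and confirmation do not match.';
    }

    // Fetch the stored hash with a bound parameter, then inspect the row.
    // A query that matches zero rows still "succeeds", so testing only the
    // query's return value (as in the question) never rejects anything.
    $stmt = $db->prepare('SELECT password FROM ptb_users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($old, (string) $hash)) {
        return 'Old password did not match.';
    }

    $stmt = $db->prepare('UPDATE ptb_users SET password = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return 'Password changed.';
}

// Constructed demo data: one user (id 1) in an in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ptb_users (id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO ptb_users (id, password) VALUES (1, ?)')
   ->execute([password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong old password, empty new password, valid change, then the now-stale old password.
echo changePassword($db, 1, 'wrong-guess', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($db, 1, 'old-secret', '', ''), PHP_EOL;
echo changePassword($db, 1, 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($db, 1, 'old-secret', 'another', 'another'), PHP_EOL;
```

Existing rows that hold md5() values will not pass password_verify(), so an account table like the one in the question needs its hashes migrated (for example on each user's next successful login) before this check replaces the old one.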