-3

So, I am trying to change the password in the table users. For that I am using the following PHP code, but it is not getting updated.

<?php
session_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="bloodbank"; // Database name 
$tbl_name="users"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username ,password and newpassword sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 
$newpassword=$_POST['newpassword']; 
$sql="UPDATE $tbl_name SET password='$newpassword' WHERE username='$username' and password='$password'";

?>

Then I tried to use this code. Although I am getting "Updated Successfully", in reality it is not getting updated in the database. Can anyone please tell me where the error is?

<?php
session_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="bloodbank"; // Database name 
$tbl_name="users"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username,password and newpassword sent from form 
$username=$_POST['username']; 
$password=$_POST['password']; 
$newpassword=$_POST['newpassword'];
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

if($count==1)
{
$mysql="UPDATE $tbl_name SET password='$newpassword'";
echo "Updated Successfully";
}
else
{
echo "Wrong password or Username";
}
?>
manju
  • Well, that's because you're not executing the query.. – Edwin Lambregts May 31 '13 at 10:14
  • Can you please tell me how to do it. – manju May 31 '13 at 10:15
  • Where is the execution of the query? – Bojan Kovacevic May 31 '13 at 10:15
  • mysql_query($mysql); :P – Edwin Lambregts May 31 '13 at 10:16
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin May 31 '13 at 10:17
  • If you are going to [store passwords, do it securely](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) — don't store them in plain text. – Quentin May 31 '13 at 10:18
  • This appears to be exactly the same problem (storing a query in a variable and not passing it to the database) as you asked about in your last question: **Duplicate**: [unable to insert data into mysql using php](http://stackoverflow.com/questions/16850564/unable-to-insert-data-into-mysql-using-php) – Quentin May 31 '13 at 10:18
  • Where is WHERE in your update query? – Faridzs May 31 '13 at 10:19
  • @Edwin Lambregts Thank you very much, it worked. – manju May 31 '13 at 10:19
  • Without a WHERE condition in the update, you will update the field "password" in every row of your table... – Doc May 31 '13 at 10:21
  • @manju Please read the other answers here carefully, as they noticed SQL/XSS/password vulnerabilities. :) – Edwin Lambregts May 31 '13 at 10:21
  • Very bad, I see a lot of SQL injections, sir manju. Please consider all comments above me :) – tomexsans May 31 '13 at 10:23

4 Answers

5

In this code

if($count==1)
{
$mysql="UPDATE $tbl_name SET password='$newpassword'";
echo "Updated Successfully";
}

there are the following problems:

1) is that you do nothing with the SQL you just constructed - you forgot to run a query using it.

2) is that you do not hash the password with a salt - storing passwords in plaintext in your database is SUPER SUPER bad, the first time anyone else gets your database by any means every single one of your users' passwords is on the internet, and now their bank accounts and emails are at risk. Don't think it won't happen, all it takes is one mistake or one thing you've overlooked, and a high proportion of people use one password for everything, so criminals LOVE it when username/password databases are leaked onto the internet. Read http://www.martinstoeckli.ch/php/php.html#bcrypt

3) is that the update statement, as written, will set EVERY SINGLE ROW's password to the value in $newpassword - you forgot to use a WHERE clause.

4) is that this code is vulnerable to SQL injection, meaning that if a hacker submits SQL code instead of a password the SQL code will be run. One solution is using prepared statements instead. See How can I prevent SQL injection in PHP?

Patashu
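The four problems listed in this answer, fixed in one place. This is an added example, not code from the question or from any of the answers: it rewrites the password-change flow with PDO prepared statements (input is bound, never spliced into the SQL string), stores and checks passwords with password_hash()/password_verify() instead of comparing plaintext in a WHERE clause, restricts the UPDATE with WHERE, and actually executes the statement. It assumes the `users` table already holds password_hash() values in its `password` column (existing plaintext rows would need migrating first); the host, database name and credentials are placeholders taken from the question.

```php
<?php
// Added example: hardened version of the question's password-change script.
// Assumes `users` has columns `username` and `password` (a password_hash() value).
session_start();

// PDO with exceptions enabled and native (non-emulated) prepared statements.
$pdo = new PDO('mysql:host=localhost;dbname=bloodbank;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

$username    = $_POST['username']    ?? '';
$password    = $_POST['password']    ?? '';
$newpassword = $_POST['newpassword'] ?? '';

// 1. Fetch the stored hash. The username travels as a bound parameter, so it
//    cannot change the structure of the query (fixes the SQL injection point).
$stmt = $pdo->prepare('SELECT password FROM users WHERE username = :username');
$stmt->execute([':username' => $username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 2. Check the current password against the hash in PHP (constant-time compare),
//    not by putting the plaintext into the WHERE clause.
if ($row === false || !password_verify($password, $row['password'])) {
    echo "Wrong password or Username";
    exit;
}

// 3. Store the new password as a salted hash, limit the UPDATE to this user's
//    row with WHERE, and execute the statement (the original never ran it).
$update = $pdo->prepare('UPDATE users SET password = :hash WHERE username = :username');
$update->execute([
    ':hash'     => password_hash($newpassword, PASSWORD_DEFAULT),
    ':username' => $username,
]);

// 4. Report success only if exactly one row was changed.
if ($update->rowCount() === 1) {
    echo "Updated Successfully";
} else {
    echo "Password not updated";
}
```

Because password_hash() salts each hash, the UPDATE always changes the row, so rowCount() is 1 on success even when the user re-enters their old password.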
2

Change:

$sql="UPDATE $tbl_name SET password='$newpassword' WHERE username='$username' and password='$password'";

if($count==1)
{
$mysql="UPDATE $tbl_name SET password='$newpassword'";
echo "Updated Successfully";
}

To:

$sql="UPDATE $tbl_name SET password='$newpassword' WHERE username='$username' and password='$password'";
$result=mysql_query($sql);

if($count==1)
{
$mysql="UPDATE $tbl_name SET password='$newpassword'";
$result2=mysql_query($mysql);
echo "Updated Successfully";
}

The reason it didn't update is because the $sql query wasn't executing.

SDZ
  • No problem. If this worked for you, don't forget to mark it as the correct answer. :) – SDZ May 31 '13 at 10:40
1

You need a WHERE condition in your UPDATE statement:

$mysql="UPDATE $tbl_name SET password='$newpassword' WHERE username='$username' and password='$password'";

And also execute the query:

$result2=mysql_query($mysql);

Regards.

mirkobrankovic
-2

In your first code you never execute the MySQL query. The second code simply makes a useless SQL query. Try:

<?php
session_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="bloodbank"; // Database name 
$tbl_name="users"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username ,password and newpassword sent from form 
$username=mysql_real_escape_string($_POST['username']); 
$password=mysql_real_escape_string($_POST['password']); 
$newpassword=mysql_real_escape_string ($_POST['newpassword']); 
$sql="UPDATE $tbl_name SET password='$newpassword' WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
?>
noamik
  • @manju make sure that you really take into account everything Patashu posted if you are planning on using this on a publicly available website. It's really important! – noamik May 31 '13 at 10:26