0

I'm new to database. My Question is I want to update users password using his/her security code.Here Security code will be Entered by the users while the time of registration.(Name of any place/city/friend/uncle etc).I have table created named details

FNAME
LNAME
PASS
BDAY
EMAIL
CODES(//users security code)

I have an php file which checks this out but, somethings going wrong Secured.php:

<? $CODES = $_POST['CoDes'];
$PASS = $_POST['pass'];

mysql_connect('localhost','user','pass');
mysql_selectdb('userdb') or die(mysql_error());

$query = mysql_query(sprintf("UPDATE `details` SET PASS = '$PASS' WHERE CODES = '$CODES'"));   
mysql_real_escape_string($CODES) or die(mysql_error()); while($row = mysql_fetch_assoc($query))
{$rows[1] = $row;}
if(empty($rows[1][CODES]))
{ header("Location: http://localhost/Error.html"); }
else{
echo "Welcome,";
echo " your password has changed successfully to $PASS";
}
?>
<b>You can login</b><a href="http://localhost/login.html><em> here.</em></a><br> 
<img src="http://localhost/images/logo.gif">

This page doesn't give me any php Error, but goes to /Error.html Even when users security code exists in coloumn CODES Any help would be really thankfull.

Mario
  • 35,726
  • 5
  • 62
  • 78
Sanjay Kelkar
  • 1
  • 3
  • 2
    You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jul 16 '13 at 09:37
  • 2
    Besides SQL injection: Never ever save a password without hashing it and never ever print out a password for confirmation. Plus, never ever use real URLs when posting code, especially something security related. – Mario Jul 16 '13 at 09:41
  • Yeah you are 100% right about real urls & security risks,but i am learner and will surely remove the post code & use much secure option.Will definately take care on next arrival.Thanks-Mario. – Sanjay Kelkar Jul 16 '13 at 09:49

2 Answers2

2

UPDATE/INSERT/DELETE doesn't give resultset ,so you can't retrieve the result using mysql_fetch_assoc.

SELECT query only gives resultset.

You have to check in this way

if($query) {
    // query executed successfully
} else {
    // query not executed successfully
}

OR 

if(mysql_affected_rows() > 0) {
    // query executed successfully
} else {
    // query not executed successfully
}
Yogesh Suthar
  • 30,424
  • 18
  • 72
  • 100
  • 3
    Thanks very much your Second code did my stuff correctly. And also got more knowledge from you about resultset & what was wrong in my code. Thanks again – Sanjay Kelkar Jul 16 '13 at 10:34
0
$pass = some_type_of_security($_POST['pass']);

SELECT ... FROM ... WHERE codes=:codes AND user=:user

if the row count equal 1 then

UPDATE table SET pass=:pass WHERE user=:user

I recomend to use PDO to database operations

Sbml
  • 1,907
  • 2
  • 16
  • 26