
I am just a newbie in PHP and I am trying to create a forgot-password function. I have the following code:

<?php

$con = mysql_connect("localhost", "root", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("inventory", $con);

$a = $_POST['password'];
$b = $_POST['newpassword'];
$c = $_POST['retypepassword'];

$result = mysql_query("SELECT * from admins ");

while ($row = mysql_fetch_array($result)) {
    $password = $row['password'];
}

if ($_POST['retypepassword'] != $b) {
    echo "<script type='text/javascript'>alert('Password Not match');
        window.location.href='forgotpass.php?id=0';
    </script>";
    exit();
}
if ($_POST['password'] != $password) {
    echo "<script type='text/javascript'>alert('You Provide wrong Password');
        window.location.href='forgotpass.php?id=0';
    </script>";
    exit();
} else {
    mysql_query("UPDATE admins SET password = '$b'
                 WHERE password = '$a' ");
    header("location: index.php?id=0");
}

?>

Now, the problem is I can only update the last account inserted in the database. Let's say, for example, I have the following accounts in my database. If I would like to change "greeg", there is no problem with this. BUT if I change "gejel" (the first value in the database) it shows me "You Provide wrong Password". I don't know why I always get here. I guess there is something wrong with the "WHERE"? Please help help help me :D

id | password
1  | gejel
2  | greeg
  • I answered it already but can't post my answer because it's my own question. I need to wait 8 hours to answer my own question hahah :D – Fabbie Abucejo Oct 02 '13 at 08:34
  • [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. If you choose PDO, [here is a good tutorial](http://j.mp/PoWehJ). – h2ooooooo Oct 02 '13 at 09:32
  • Did you pick an answer to the question then Fabbie? – Scott Helme Oct 03 '13 at 15:16

2 Answers


I believe the problem is in your while loop. The mysql_query is selecting all the entries in the table and then you iterate through them all, so you will always end up with the last one in the table. Your query needs to look something like:

$result = mysql_query("SELECT * from admins WHERE id = $id"); // <-- added WHERE clause

You need to know which account you want to change the password for, you must not do this depending on the current password provided. What if 2 admins have the same password?

Secondly, this should be impossible because you should be salting and hashing your password: http://php.net/manual/en/faq.passwords.php

Thirdly, the mysql_* extensions are now deprecated and you should stop using them immediately. Use MySQLi or PDO_MySQL instead. Read the big red box here: http://php.net/manual/en/function.mysql-query.php

Lastly, I would advise some research on SQL Injection as it would appear your app is most likely vulnerable. Getting these things right from the offset is better than trying to patch them all later and will make it a lot easier for you: http://en.wikipedia.org/wiki/SQL_injection

Scott Helme

Put the account ID in both queries and escape your variables correctly to avoid SQL injection.

As the other user said, mysql_* extensions are deprecated; I recommend you use PDO instead.

<?php

$con = mysql_connect("localhost", "root", "");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}

mysql_select_db("inventory", $con);

$id = $_POST['id'];
$a  = $_POST['password'];
$b  = $_POST['newpassword'];
$c  = $_POST['retypepassword'];

// Look up only the account whose password is being changed.
$result = mysql_query("SELECT * FROM admins WHERE id = '" . $id . "'");

while ($row = mysql_fetch_array($result)) {
    $password = $row['password'];
}

if ($_POST['retypepassword'] != $b) {
    echo "<script type='text/javascript'>alert('Password Not match');
        window.location.href='forgotpass.php?id=0';
    </script>";
    exit();
}
if ($_POST['password'] != $password) {
    echo "<script type='text/javascript'>alert('You Provide wrong Password');
        window.location.href='forgotpass.php?id=0';
    </script>";
    exit();
} else {
    // Update by id, not by the current password value.
    mysql_query("UPDATE admins SET password = '" . $b . "'
                 WHERE id = '" . $id . "'");
    header("location: index.php?id=0");
}

?>

And since today I'm in a good mood, I'll give you a PDO example:

constants.php

<?php
define("DB_SERVER", "localhost");
define("DB_USER", "root");
define("DB_PASS", "");
define("DB_NAME", "inventory");
?>

connection.php

<?php
require("constants.php");
try {
    $con = new PDO('mysql:host=' . DB_SERVER . ';dbname=' . DB_NAME, DB_USER, DB_PASS,
        array(PDO::MYSQL_ATTR_INIT_COMMAND => "SET NAMES utf8", PDO::ATTR_PERSISTENT => true));
    $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo 'Could not connect: ';
    echo $e->getMessage();
}
?>

your_file.php

<?php
include("connection.php"); // defines $con (PDO handle)

$id             = $_POST['id'];
$password       = $_POST['password'];
$newpassword    = $_POST['newpassword'];
$retypepassword = $_POST['retypepassword'];

$sql = "SELECT * FROM admins WHERE id = :id";

// Prepared statement: :id is bound as a parameter, not concatenated into the SQL.
$sth = $con->prepare($sql);
$sth->bindValue(':id', $id, PDO::PARAM_INT);
$sth->execute();

$db_password = null;
while ($row = $sth->fetch(PDO::FETCH_ASSOC)) {
    $db_password = $row['password'];
}

if ($retypepassword != $newpassword) {
    echo "<script type='text/javascript'>alert('Password Not match');
window.location.href='forgotpass.php?id=0';
</script>";
    exit();
}

if ($password != $db_password) {
    echo "<script type='text/javascript'>alert('You Provide wrong Password');
window.location.href='forgotpass.php?id=0';
</script>";
    exit();
} else {
    $sql = "UPDATE admins SET password = :newpassword WHERE id = :id";

    $sth = $con->prepare($sql);
    $sth->bindValue(':newpassword', $newpassword, PDO::PARAM_STR);
    $sth->bindValue(':id', $id, PDO::PARAM_INT);

    // execute() returns true on success (and throws under ERRMODE_EXCEPTION on failure).
    if ($sth->execute()) {
        header("location: index.php?id=0");
    }
}
?>

Another point that you need to research is "Secure hash and salt for PHP passwords".

Sbml
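A hardened version of the password-change handler, serving both the hashing and SQL-injection points in the first answer and the hash-and-salt pointer that closes the second; this is an added example, not code from the question or either answer. It assumes the connection.php from the second answer (which sets $con to a PDO handle with exceptions enabled), a session variable admin_id set at login (an assumed name), an admins.password column of at least VARCHAR(255), and PHP 7 or newer.

```php
<?php
// Added example: hardened password-change handler. Assumes connection.php
// from the answer above ($con is a PDO handle with ERRMODE_EXCEPTION), a
// session variable 'admin_id' set at login (assumed name), and an
// admins.password column of VARCHAR(255) to hold password_hash() output.
session_start();
require 'connection.php';

// Take the account id from the authenticated session, not from $_POST:
// a client-supplied id lets any visitor choose whose password to overwrite.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Not logged in');
}
$id = (int) $_SESSION['admin_id'];

$current = $_POST['password'] ?? '';
$new     = $_POST['newpassword'] ?? '';
$retype  = $_POST['retypepassword'] ?? '';
if ($new === '' || $new !== $retype) {
    exit('New passwords do not match');
}

// Prepared statement: the id is bound as a parameter, never concatenated
// into the SQL string, so it cannot alter the query (no SQL injection).
$sth = $con->prepare('SELECT password FROM admins WHERE id = :id');
$sth->bindValue(':id', $id, PDO::PARAM_INT);
$sth->execute();
$row = $sth->fetch(PDO::FETCH_ASSOC);

// password_verify() checks the submitted password against the stored salted
// hash; the plaintext is never stored or compared with != or ==.
if ($row === false || !password_verify($current, $row['password'])) {
    exit('Current password is wrong');
}

// Store a fresh salted hash (bcrypt under PASSWORD_DEFAULT), not the plaintext.
$hash = password_hash($new, PASSWORD_DEFAULT);
$upd = $con->prepare('UPDATE admins SET password = :hash WHERE id = :id');
$upd->bindValue(':hash', $hash, PDO::PARAM_STR);
$upd->bindValue(':id', $id, PDO::PARAM_INT);
$upd->execute();

// Rotate the session id after a credential change, then redirect.
session_regenerate_id(true);
header('Location: index.php');
exit;
```

Rows that still hold plaintext passwords must be converted to password_hash() values before this check can succeed for them.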