-2

I'm having a bit of trouble with my update query in mysql database. I have a login form which, when the user logs in, creates the email, password and ID of the user and stores it in a session(not sure if this is the safest way, please advise me the correct/safest way). When they are logged in, they can go and change their password(or supposed to be). The problem is that the update password query is not working for me.

Here is my code that sets the ID, email and password of the user when they log in:

session_start();
$_SESSION['id'] = $id;
$_SESSION['email'] = $email;
$_SESSION['password'] = $password;

Here is the code that is meant to update their password: 

session_start();
if  (isset($_POST['email']) && isset($_POST['password']) && isset($_POST['newPassword']) && isset($_POST['oldPassword'])) {
                    $email = $_POST['email'];
                    $password = $_POST['password'];
                    $newPassword = $_POST['newPassword'];
                    $oldPassword = $_POST['oldPassword'];

                mysql_select_db("users", $conn);

        if(isset($_POST['update'])) {
            $update = "UPDATE users SET Password='$newPassword' WHERE Password='$_POST[hidden]'";
            mysql_query($update, $conn);
            $_SESSION['password'] = $newPassword;
        }

I have an 'Old password' box that checks if their old password is correct and a 'New password' box that is meant to be the new password of the user when they click 'update'.

The problem is that when I click update nothing happens. I tried using the mysql_error() function, but it didn't work. The page refreshes too fast. Please note that this is not all of the code, if you want to download it: https://www.mediafire.com/?fkjwt58hk5kyt3w Hi guys, I'm having a bit of trouble with my update query in mysql database. I have a login form which, when the user logs in, creates the email, password and ID of the user and stores it in a session(not sure if this is the safest way, please advise me the correct/safest way). When they are logged in, they can go and change their password(or supposed to be). The problem is that the update password query is not working for me.

I know this mysql way of doing things is very insecure, vulnerable to sql injection and old way of doing it, but this is just practice and is for fun. Afterwards, I will learn how to prevent sql injection and XSS.

I have ready mean other possts on this site with similar problems, but they have not helped me at all, I've searched Google alot and searched it on YouTube. Nowhere works for me!!!

Please help! Thanx in advance

If there is anything else you would like me to post or I haven't said something, just let me know.

PS: If you can, please download all the files and check them and run them yourself :)

Shankar Narayana Damodaran
  • 68,075
  • 43
  • 96
  • 126
user3122088
  • 205
  • 1
  • 2
  • 5
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Dec 20 '13 at 09:18
  • You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) (in this case that's "no hashing algorithm at all"!) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Dec 20 '13 at 09:19
  • 1
    whats in $_POST[hidden]? – R R Dec 20 '13 at 09:20
  • 1
    Your update logic is nuts. You'll change multiple users' passwords if they have the same password. – Quentin Dec 20 '13 at 09:20
  • 2
    "this is just practice" — Why are you practising something you know you should never do? – Quentin Dec 20 '13 at 09:21
  • 1
    "I tried using the mysql_error() function, but it didn't work. The page refreshes too fast" — How can it refresh too fast? Why aren't you dying without outputting any refresh code if there is an error? – Quentin Dec 20 '13 at 09:22
  • try $update = "UPDATE users SET Password='$newPassword' WHERE email='$email'"; as email address will be unque for every user – R R Dec 20 '13 at 09:25

3 Answers3

0
  1. please escape the post parameters for example with mysql_real_escape_string
  2. dont use mysql_* functions -> use mysqli or PDO for your Queries

Have you tried to debug? ;)

$result = mysql_query($update, $conn);
if(!$result){
    echo mysql_error();
    exit;
}
MaiKaY
  • 4,422
  • 20
  • 28
0

You need to post the error you are getting.

From what I see I can guess the where clause is not getting resolved as desired.

you have written WHERE Password='$_POST[hidden]' may be you should use a variable instead.

$oldpassword=$_POST['hidden'] and

WHERE Password='$oldpassword'

Subir Kumar Sao
  • 8,171
  • 3
  • 26
  • 47
  • your approach is wrong .there may be multiple users with same password,in that case it will update all those rows. – R R Dec 20 '13 at 09:22
  • @RishabhRaj I am just trying to help resolve his query. And yes I agree the where clause should be against the ID. – Subir Kumar Sao Dec 20 '13 at 09:23
0

Please use the debug the code when sql is run

mysql_query($update, $conn)or die(mysql_error);

by this you can get the error

Manish Patel
  • 1,877
  • 1
  • 14
  • 15