How to make a change password PHP script work

Question

I am a simpleton with less than a cursory knowledge of programming. I have a family web site where we share photos, videos, files and other resources. The site has a simple login feature that begins a session, and I want to be able to provide people with the ability to change their password once logged in.

The database is in MySQL and is extremely simple with only; ID, username, and, password columns (not encrypted or hashed at all).

When it comes to PHP and MySQL I tend to research other people's examples and make them my own, and with the login script I found this very easy to do. However, I have tried and tried and tried to find a PHP snippet that fits with my site and will allow users to change their passwords and have unfortunately failed at every attempt.

I am hoping that someone can assist me in developing what I have already to make it work for my site, any help will be hugely appreciated!

My form simply asks for the logged in user to enter a new password, and then confirm the same password:

    <form name="frmChange" role="form" class="form-signin" method="POST" action="changepword_script.php">

  <div class="form-group">

    <label for="InputPassword2">New Password</label>
    <input type="password" class="form-control" id="InputPassword2" placeholder="New Password" name="newPassword">
     <label for="InputPassword3">Confirm New Password</label>
    <input type="password" class="form-control" id="InputPassword3" placeholder="Confirm Password" name="confirmPassword">  </div>
   <button class="btn btn-lrg btn-default btn-block" type="submit" value="send">Change it</button>


      </div>


      </form>

And my php script (also very simple) just needs to check that the passwords match and then update the database if they do (I have removed the IP address of the database and replaced with zeros):

<?php
session_start();

if (!(isset($_SESSION['username']) && $_SESSION['username'] != ''))
{
    header("location:login.php");
}

$dbcon = mysql_connect ('000.000.000.00', 'my_db_username', 'my_db_password')

$password1 = $_POST['newPassword'];
$password2 = $_POST['confirmPassword'];

$password1 = mysql_real_escape_string($password1);
$password2 = mysql_real_escape_string($password2);

if ($password1 <> $password2){ echo "Your passwords do not match.";}
{
    echo "your passwords do not match";
}
if (mysql_query(UPDATE ebsmembers SET password='$password1' WHERE username='$session[username]'))
{
    echo "You have successfully changed your password.";
}

mysql_close($dbcon);
header("location:login.php");

?>

Again, any help would be massively appreciated as I have really struggled with making this work!

Many thanks, Paul

you need to update in all. It seems that you have missed select database. — Awlad Liton, Jun 20 '14 at 11:47

bloodyKnuckles · Accepted Answer · 2016-09-23T16:51:31.810

2

Tweaked a few things that where errors or didn't make sense to me. Also switched to mysqli_*.

<?php

session_start();

if (!(isset($_SESSION['username']) || $_SESSION['username'] == ''))
{
    header("location:login.php");
}

$dbcon = mysqli_connect('000.000.000.00', 'my_db_username', 'my_db_password', 'my_db_name') or die(mysqli_error($dbcon));

$password1 = mysqli_real_escape_string($dbcon, $_POST['newPassword']);
$password2 = mysqli_real_escape_string($dbcon, $_POST['confirmPassword']);
$username = mysqli_real_escape_string($dbcon, $_SESSION['username']);

if ($password1 <> $password2)
{
    echo "your passwords do not match";
}
else if (mysqli_query($dbcon, "UPDATE ebsmembers SET password='$password1' WHERE username='$username'"))
{
    echo "You have successfully changed your password.";
}
else
{
    mysqli_error($dbcon);
}
mysqli_close($dbcon);

?>

edited Sep 23 '16 at 16:51

answered Jun 20 '14 at 11:56

bloodyKnuckles

11,551
3
29
37

Thank you, this is extremely helpful - however I receive the following error when submitting: Warning: mysqli_real_escape_string() expects exactly 2 parameters, 1 given in \\winnas01.winvh1.fasthosts.co.uk\Domains\e\ebsworth.co.uk-1071379550\user\htdocs\changepword_script.php on line 11 – Pebbles Jun 20 '14 at 12:03
Oh ya, forgot to add DB handle...updated response. – bloodyKnuckles Jun 20 '14 at 12:05
Thanks again - I get the same error warning on the update table query as well, do I also need to add $dbcon to this query? – Pebbles Jun 20 '14 at 12:10
Yes, you got it! :) I added another error report if the query fails too. – bloodyKnuckles Jun 20 '14 at 12:13
Sir, you are a legend and a scholar - thank you very much – Pebbles Jun 20 '14 at 12:22

score 1 · Answer 2 · answered Jun 20 '14 at 11:45

1

Your use of the session is wrong. In your SQL query, it should be:

UPDATE ebsmembers SET password = '$password1' WHERE username= '$_SESSION[username]'

Also your syntax is very bad. It's missing quotes in several places. You should start with the PHP basics again before making your changes.

answered Jun 20 '14 at 11:45

RemyG

486
5
11

1

Thanks, I know it's awful. I have purchased books and plan to go back to the basics rather than editing code made available by others, however I really just want to get this part of the site up and working as it has been bugging me for ages. – Pebbles Jun 20 '14 at 12:12

score 0 · Answer 3 · edited May 23 '17 at 12:08

0

Query should be quoted:

if (mysql_query("UPDATE ebsmembers SET password='$password1' WHERE username='$_SESSION[username]'"))

Don't use mysql, it's deprecated. Use mysqli or PDO instead: The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead
Don't store passwords in plain text. Use bcrypt encryption with password_hash() and password_verify() functions: How do you use bcrypt for hashing passwords in PHP?

edited May 23 '17 at 12:08

Community

1
1

answered Jun 20 '14 at 11:48

Gergo Erdosi

40,904
21
118
94

Cheers - I will look to encrypt the passwords in good time, I know it's important, but I am not overly fussed due to the simple reason this is a family site and I am not hugely precious about what is shared on here yet. – Pebbles Jun 20 '14 at 12:13

score 0 · Answer 4 · answered Jun 20 '14 at 11:55

0

$password1 = $_POST['newPassword']; $password2 = $_POST['confirmPassword'];

must be

$password1 = $_POST['InputPassword2']; $password2 = $_POST['InputPassword3'];

answered Jun 20 '14 at 11:55

banjoAtix

151
2
4

Looks like "InputPassword2" and "InputPassword3" are IDs not names. Please double check your response. – bloodyKnuckles Jun 20 '14 at 11:57
Yes, these are IDs rather than names, but thank you for your response anyway. – Pebbles Jun 20 '14 at 12:13

score 0 · Answer 5 · answered Jun 20 '14 at 12:06

you can use update statement for this purpose, create a same form with:

username(name=$name)
existing password(password=$pw1)
new password
submit

First select the current user name using sql select statement:

$my_qry ="select * from table_name where name= $name";

for updation use the statement:

$query = mysql_query("UPDATE table_name SET password='".$pw1."' WHERE name='".$name."'");
    if(!$query)
{   
    mysql_error();
    echo "hello";
}

use if else conditions for this, if the first select query is true then only the update query with work

How to make a change password PHP script work

5 Answers5