0

im trying to change the password of the signed in user but when i run the code it always changes the top row of the table and the signed in user is somewhere in the middle.

the code for the user

validation code

<?php
session_start();
include ('dbc.php');
if (!isset($_SESSION['user'])) {
    header("Location: login.php");
}
$id = mysql_real_escape_string($_SESSION['id']);
$todo=$_POST['todo'];
$oldpwd=$_POST['oldpwd'];
$newpwd=$_POST['newpwd'];
if ($_POST['Submit']=='Change') {
    $result = mysql_query("select * from users where id='$id'") 
              or die("asdasdsd".mysql_error());
    while($row=mysql_fetch_array($result)) {
        if ($_POST["oldpwd"] == $row["user_pwd"]) {
            mysql_query("UPDATE users set user_pwd='$newpwd' WHERE id='$id'");
            header("Location: userpanel.php?msg=Password updated...");              
        } else { 
            header("Location: userpanel.php?msg=ERROR: Password does not match...");
        }
    }          
}         
?>
Isaac Bennetch
  • 11,830
  • 2
  • 32
  • 43
arre
  • 1
  • 1
  • 2
    The code looks confused/confusing: do you really store the users _session id_ as column 'id' inside the "users" table? I doubt that... – arkascha Oct 12 '14 at 09:54
  • i don't know yet how to do change the text of the password in the database – arre Oct 12 '14 at 09:54
  • what happens if `$id` is empty? Did you check the value of `$id`? – RST Oct 12 '14 at 09:55
  • For storing user passwords inside a database: generally only store a hash of the password. And when testing access, compare two hases against each other. – arkascha Oct 12 '14 at 09:55
  • @arkascha im trying to select the row of the table using id and that's what i think will do it... – arre Oct 12 '14 at 09:55
  • Sure, I saw that. But storing the session id inside the database makes no sense. I doubt it is actually in there. But we cannot help here if you don't post your database scheme. – arkascha Oct 12 '14 at 09:56
  • You tagged phpmyadmin, so I assume you have access to that. Can you please show us the row that gets changed and the row that has to be changed with the relevant column names? Remember to edit out the passwords before you edit it in. Can you `var_dump(..)` the `$id` variable and tell us what it is? – Sumurai8 Oct 12 '14 at 09:57
  • i use id as primary key and auto incrementing it. and other rows are bunch of user files like full_name, user_email etc.. – arre Oct 12 '14 at 09:58
  • Also unrelated, but useful reading: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Sumurai8 Oct 12 '14 at 09:58
  • @arkascha, everyone starts to learn the hard way :P – Deval Khandelwal Oct 12 '14 at 09:59
  • @devaldcool Sure, so did I. All fine. Did I step on someones toes? Didn't want to... – arkascha Oct 12 '14 at 10:00
  • The session ID isn't meant to be stored in the database, nor is it meant to refer to a user account in the table. You should use the unique username of the user. The SQL would then be something like UPDATE users SET user_pwd='$newpwd' WHERE username='$username'. When this works, read what Sumurai8 linked, about storing passwords securely. Then you'll want to only allow password updating after a user has successfully logged in, i.e. in an authenticated session. – Wouter Thielen Oct 12 '14 at 10:05
  • tried UPDATE users SET user_pwd='$newpwd' WHERE id='$_SESSION[user]' but it still selects the first row. but when i use user_email = '$_SESSION[user]' it doesn't work – arre Oct 12 '14 at 10:12
  • You need to dump out the contents of `$_SESSION` and use these values in a mysql session with your query. It's updating that first value for a reason. – ethrbunny Oct 12 '14 at 12:10

0 Answers0