-1

I'm just trying to allow a user to change their details, 'Username' and 'Password' I'm trying to allow a user to also update their email which then updates PHP my 'Username' and 'Password' works but I am struggling with Email. Any have an idea?

<?php
session_start();



$username = $_SESSION['sess_user'];

echo '<div class="search1"><h2>'.$username.'</h2></div>';


if (isset($_SESSION['sess_user']))
{
//user is logged in

if (isset($_POST['submit']))
{
//start changing password
//check fields

$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = md5($_POST['email']);


$repeatnewpassword = md5($_POST['repeatnewpassword']);

//check password against db
include('../includes/config.php');

$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];

//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db

$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
$querychange = mysql_query("UPDATE login SET email='$email' WHERE   email='$email'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
else 
die("<div class='results'>New password doesn't match!</div>");

}else 
die("<div class='results'>Old password doesn't match!</div>");

}
else
{

echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Old Password:</label> <input type='text' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password'  name='repeatnewpassword'><p>
<label>Email:</label> <input type='email'  name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
 }

 }else 
die ("You must be logged in to change your password");


?>

<img src="../images/main.jpg">

Thanks!

Ariana
  • 31
  • 5
  • You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are using [an **unsuitable** hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Oct 20 '14 at 15:57
  • [`Don't use md5($_POST...`](http://en.wikipedia.org/wiki/MD5) – Funk Forty Niner Oct 20 '14 at 15:58
  • @Quentin Thanks for the feedback, but I will not be making this website live. – Ariana Oct 20 '14 at 15:58

2 Answers2

1

Look at this VERY closely:

$querychange = mysql_query("UPDATE login SET email='$email' WHERE   email='$email'");

$email is an md5 hash of the NEW email that user's entered. And since it's the new email address, presumably it won't be in the database yet, so that update will do nothing.

Marc B
  • 356,200
  • 43
  • 426
  • 500
  • It did update the email but t made it hash. I am unsure of why it's doing so? I'd like the email to be normal text – Ariana Oct 20 '14 at 16:03
0

Both of the answers above should tell you what the problem is, however the proper way to fix it is to implement an autoincrement column or some other unique/primary column. If multiple users have the same username or you are going to update all of them.

Also, what good reason do you have to md5 the email address?

$email = md5($_POST['email']);

should be 

$email = $_POST['email'];

Final Thought: You're query might be vulnerable to injection. Don't forget to escape, or even better, use PDO :)

I wrestled a bear once.
  • 22,983
  • 19
  • 69
  • 116