Struggling with PHP update users

Question

I've just created a page where users are able to change details such as their password and email address. It works, but now I want to allow a user to change their email without having to change their password as well.

So basically, if a user only wanted to change their email it will update in the database without having to change their password as well.

How would I do this?

Code:

<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all"/>

<?php
session_start();
$username = $_SESSION['sess_user'];

echo '<div class="search1"><h2>' . $username . '</h2></div>';

if (isset($_SESSION['sess_user'])) {
    //user is logged in

    if (isset($_POST['submit'])) {
        //start changing password
        //check fields

        $oldpassword = md5($_POST['oldpassword']);
        $newpassword = md5($_POST['newpassword']);
        $email = $_POST['email'];


        $repeatnewpassword = md5($_POST['repeatnewpassword']);


        //check password against db
        include('../includes/config.php');

        $queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
        $row = mysql_fetch_assoc($queryget);
        $oldpassworddb = $row['password'];

        //check passwords
        if ($oldpassword == $oldpassworddb) {
            //check two new passwords
            if ($newpassword == $repeatnewpassword) {
                //successs
                //change password in db
                $querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
                $querychange = mysql_query("UPDATE login SET email='$email' WHERE   username='$username'");
                die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
            } else
                die("<div class='results'>New password doesn't match!</div>");

        } else
            die("<div class='results'>Old password doesn't match!</div>");

    } else {

        echo "
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password'  name='repeatnewpassword'><p>
<label>Email:</label> <input type='email'  name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
    }

} else
    die ("You must be logged in to change your password");
?>

<img src="../images/main.jpg">

Any help would be appreciated!

EDIT-Michael:

<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />



<?php
session_start();



$username = $_SESSION['sess_user'];

echo '<div class="search1"><h2>'.$username.'</h2></div>';


if (isset($_SESSION['sess_user']))
{
//user is logged in

if (isset($_POST['submit']))
{
//start changing password
//check fields

$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];


$repeatnewpassword = md5($_POST['repeatnewpassword']);


//check password against db
include('../includes/config.php');

$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];

//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
   //successs
    //change password in db
    if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
  if ($newpassword==$repeatnewpassword)
    {
    $querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
}}
  if (isset($_POST['email']) AND $_POST['email'] != '') {
    $querychange = mysql_query("UPDATE login SET email='$email' WHERE   username='$username'");
    die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
    }
else 
die("<div class='results'>New password doesn't match!</div>");

}else 
die("<div class='results'>Old password doesn't match!</div>");

}
else
{

echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password'  name='repeatnewpassword'><p>
<label>Email:</label> <input type='email'  name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
 }

 }else 
die ("You must be logged in to change your password");


?>

<img src="../images/main.jpg">

Not using `mysql` would be the first step towards self-help. `mysql` is deprecated, learn to use `mysqli` or `PDO` instead — Elias Van Ootegem, Oct 21 '14 at 12:29
@Peter Thanks for the feedback, but in the database they are hashed using MD5 — Emilia, Oct 21 '14 at 12:43
@Peter You're right and wrong; while they _are_ hashed, it's a really insecure way to hash them. Emilia, I'd advise giving [this](http://stackoverflow.com/a/401684/899126) a read; it talks about secure ways to store passwords. — Chris Forrence, Oct 21 '14 at 12:44
@ChrisForrence Thanks for letting me know Chris, I don't plan on putting this website live. But if I were I'd use more secure functions (PDO) — Emilia, Oct 21 '14 at 12:46
@Peter I mean, if you meant unencrypted in the sense that unsalted MD5 is a lousy way to hash them, then you're right ;) — Chris Forrence, Oct 21 '14 at 12:47
//check two new passwords if ($newpassword==$repeatnewpassword) { <<< here is the error, delete the entire line (if and { ) — baao, Oct 21 '14 at 12:47

Kisaragi · Answer 1 · 2014-10-21T12:44:01.707

0

Do a check to see if they are interested in resetting anything else other than email:

if (isset($_POST['submit'])) {
    //start changing password
    //check fields

    if(isset($_POST['oldpassword']) && (! empty($_POST['oldpassword']))){
          //password was posted, they may want to change it
            $oldpassword = md5($_POST['oldpassword']);
            $newpassword = md5($_POST['newpassword']);
     }
     ...

edited Oct 21 '14 at 12:44

answered Oct 21 '14 at 12:38

Kisaragi

2,198
3
16
28

Be careful; 'oldpassword' _will_ be set to a value: [an empty string](http://stackoverflow.com/a/13045314/899126)! – Chris Forrence Oct 21 '14 at 12:40

baao · Accepted Answer · 2014-10-21T13:27:44.377

You can change your code as follows:

    //successs
    //change password in db
    if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
  if ($newpassword==$repeatnewpassword)
    {
    $querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
}}
  if (isset($_POST['email']) AND $_POST['email'] != '') {
    $querychange = mysql_query("UPDATE login SET email='$email' WHERE   username='$username'");
    die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
    }

EDIT

Complete Page:

    $username = $_SESSION['sess_user'];

    echo '<div class="search1"><h2>'.$username.'</h2></div>';


    if (isset($_SESSION['sess_user']))
    {
        //user is logged in

        if (isset($_POST['submit']))
        {
            //start changing password
            //check fields

            $oldpassword = md5($_POST['oldpassword']);
            $newpassword = md5($_POST['newpassword']);
            $email = $_POST['email'];


            $repeatnewpassword = md5($_POST['repeatnewpassword']);


            //check password against db
            include('../includes/config.php');

            $queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
            $row = mysql_fetch_assoc($queryget);
            $oldpassworddb = $row['password'];

            //check passwords
            if ($oldpassword==$oldpassworddb)
            {

                if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
                    if ($newpassword==$repeatnewpassword)
                    {
                        $querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE   username='$username'");
                        echo "Password changed";
                    }
                    else {echo "New PASSWORDs doesn't match";}

                }


            }
            else {echo "New PASSWORDs doesn't match";}


            if (isset($_POST['email']) AND $_POST['email'] != '') {
                $querychange = mysql_query("UPDATE login SET email='$email' WHERE   username='$username'");
                echo "EMAIL changed";
            }}


        else
        {

            echo"
        <form class='search1' action='changepassword.php' method='POST'>
        <label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
        <label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
        <label>Repeat New Password:</label> <input type='password'  name='repeatnewpassword'><p>
        <label>Email:</label> <input type='email'  name='email'><p>
        <input type='submit' name='submit' class='submit' value='submit'><br><br><br>
        <h2><p><a href='index2.php'>Back</a></p></h2>
        </form>
        ";


        }}
    else
        die ("You must be logged in to change your password");


    ?>

<img src="../images/main.jpg">

Thanks for the feedback, but I've used your code. I'll update it above in my post. — Emilia, Oct 21 '14 at 12:45
You have the line if ($newpassword==$repeatnewpassword) { two times in your code, you need to delete one of the lines — baao, Oct 21 '14 at 12:48
When I try to change email without entering new password or previous password I get this "Old password doesn't match!" — Emilia, Oct 21 '14 at 12:50
Thanks for giving me a hand but I am unable to see the input boxes anymore after I go to the page I want to change the details? Thanks — Emilia, Oct 21 '14 at 13:04
You're an absolute life saver! I just need to style it but it works perfect! — Emilia, Oct 21 '14 at 13:08
I'm just having a bit of an issue, are you able to edit and update if I enter a password wrong? When I try to update a password and if I type it wrong nothing shows up? — Emilia, Oct 21 '14 at 13:18
Now they should. It always depends on when you close a if with } — baao, Oct 21 '14 at 13:28
I am very sorry, last one. Are you able to make an error for "Current password isn't correct"? Thanks!!! — Emilia, Oct 21 '14 at 13:37

Struggling with PHP update users

2 Answers2