How to update a user's password in the database using a form

Question

I've written this code to update a user's password, and it seems to be posting according to the echo, but when trying to log in, neither the new or old password work! need a hand with this, here's the code:

if(isset($_POST['confirmReset'])){

    $q = "SELECT * FROM user WHERE email = '".$_POST['email']."'";

    $resObj = mysqli_query($conn, $q);
    $rowcount=mysqli_num_rows($resObj);
    //var_dump($rowcount);

    if ($rowcount == 1) {   

        $q = "UPDATE user SET password = '".md5($password)."' WHERE email = '".$_POST['email']."'";
        if (mysqli_query($conn, $q)) {
            echo "New record created successfully";
        } else {
            echo "Error: " . $sql . "<br>" . mysqli_error($conn);
        }

        $rowcount=mysqli_num_rows($resObj);
    } else {

    }

var_dump($_POST);
}

Please note that your code as well as all current answers are vulnerable to SQL injection and the use of md5 is highly insecure. http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Pier-Luc Gendreau, Nov 26 '14 at 19:28

score 0 · Answer 1 · answered Nov 26 '14 at 19:05

0

You have to define the $password variable.

As your code is lean , maybe " $_POST['confirmReset']" is the input that contains the password ?

$password = $_POST['confirmReset'];

Like that :

if(isset($_POST['confirmReset'])) {
    $password = $_POST['confirmReset'];

    // Following the code ...

answered Nov 26 '14 at 19:05

w3spi

4,380
9
47
80

that's fixed it!! thank you. thanks everyone else who replied too. – Nina Bishop-Bolt Nov 27 '14 at 10:24
Although, I have another question, how do I get it to check that both fields are correct? I tried putting it in the sql like 'AND password == confirm_password' or in the if statement like if (password == confirmpassword) but nothing is wronging =[ – Nina Bishop-Bolt Nov 27 '14 at 10:26
Cool. Remember to mark my post as resolved then :) You have to check it in PHP. You have to select the field password in your database and check if this value is the same as the user entered in the input. Also I recommend you encrypt passwords. – w3spi Nov 27 '14 at 11:41
how do I mark your post as resolved? haha sorry it's my first time ever using this site! – Nina Bishop-Bolt Nov 27 '14 at 15:01

score 0 · Answer 2 · answered Nov 26 '14 at 19:17

Where do you take the value of $password?

if(isset($_POST['confirmReset'])){
$password = $_POST['password']; // Change this with the name of the POST variable.
$q = "SELECT * FROM user WHERE email = '".$_POST['email']."'";

$resObj = mysqli_query($conn, $q);
$rowcount=mysqli_num_rows($resObj);
//var_dump($rowcount);

if ($rowcount == 1) {   

$q = "UPDATE user SET password = '".md5($password)."' WHERE email = '".$_POST['email']."'";
if (mysqli_query($conn, $q)) {
echo "New record created successfully";
} else {
echo "Error: " . $sql . "<br>" . mysqli_error($conn);
}
$rowcount=mysqli_num_rows($resObj);
} else {

}

score 0 · Answer 3 · answered Nov 26 '14 at 19:20

0

To check if the password was updated you can use :

mysqli_affected_rows()

This will give you the num of updated rows.

answered Nov 26 '14 at 19:20

Neuro

144
1
3

score 0 · Answer 4 · answered Nov 27 '14 at 18:26

0

Do your md5 encryption sepretally & than use that veriable

$v1 = $_POST['password'];
$v2 = md5($v1);

use this $v2 to update password in sql query

Update tb_name set password = '".$v2."' where email = '".$email."'

answered Nov 27 '14 at 18:26

jay.jivani

1,560
1
16
33

How to update a user's password in the database using a form

4 Answers4