-3

I'm new to php and I'm having some trouble with the following code:

$code = $_COOKIE['user'];
$db=mysql_connect ("XXX.XXX.XXX",  "XXX", "XXX") or die ('I cannot connect  to the database because: ' . mysql_error());
$mydb=mysql_select_db("XXX");
$sql="SELECT * FROM accounts WHERE UserCode = '$code'";
$result=mysql_query($sql); 
while($row=mysql_fetch_array($result)){ 
    $current = $row['Userpassword'];
};
$toldcurr = $POST["oldpass"];
$pass1 = $_POST["newpass1"];
$pass2 = $_POST["newpass2"];
if ($current !== $toldcurr) {
    header ('Location: changepasserror1.html');
};
if ($pass1 !== $pass2) { 
    header ('Location: changepasserror2.html');
};
$timywhimy = gmdate('Y-m-d H:i:s e');
$query1 = "UPDATE accounts SET Userpassword='$pass2' WHERE UserCode='$code'";
$query2 = "INSERT INTO accountupdate (`User`, `Change`, `From`, `To`, `Time`) 
VALUES ('$code', 'Password', '$current', '$pass2', '$timywhimy')";
mysql_query($query1);
mysql_query($query2);
header ('Location: changepass.html');

The problem i'm having is the

if ($current !== $toldcurr) {
        header ('Location: changepasserror1.html');
    };
if ($pass1 !== $pass2) { 
        header ('Location: changepasserror2.html');
    };

is not working. When I know that the two variables are not equal, it still continues the script and changes the data in the MySQL database.

Any help is appreciated.

Update

I've updated my code to

 if ($current !== $toldcurr) {
    header ('Location: changepasserror1.html');
    exit();
}
if ($pass1 !== $pass2) { 
    header ('Location: changepasserror2.html');
    exit();
}

Apart from that, the only changes are mysql_ to mysqli_.

The problem i'm having is it's always sending me to changepasserror2.html, even if $pass1 and $pass2 are identical. Also, it never sends me to changepasserror1.html, even when $current and $toldcurr are different.

What should happen is if $pass1 = $pass2 and $current = $toldcurr, then the database should be updated and the redirect to a success page. If one of those variable does not equal each other, then it will redirect to an error page and no update should happen to the database.

Community
  • 1
  • 1
Alexander Wright
  • 13
  • 2
  • 2
    1. I would highly recommend you to change your code to `mysqli_*` or `PDO` 2. Add `exit();` after each header call, to make sure the script execution stops 3. The semicolons at the end of the if statements are just useless – Rizier123 Mar 01 '15 at 17:23
  • Also, you're open to SQL injections with this code. You shouldn't put data users directly access in your queries. – chris85 Mar 01 '15 at 17:29
  • @Rizier123 I've added `exit();` after the header calls, and changed the code to `mysqli_` but still the if statements don't work – Alexander Wright Mar 01 '15 at 17:40
  • @AlexanderWright Good! Now [updated](http://stackoverflow.com/posts/28796608/edit) your question (Don't overwrite your old question) add the new code with the changes and tell us if you get any errors, what's not working e.g. What output do you get now and what would you expect – Rizier123 Mar 01 '15 at 17:42
  • possible duplicate of [How to make a redirect in PHP?](http://stackoverflow.com/questions/768431/how-to-make-a-redirect-in-php) – Blackhole Mar 01 '15 at 17:59
  • @AlexanderWright please up vote my answer or remove correct answer, I don't want any down vote in my profile – Varun Naharia Oct 13 '17 at 09:47

2 Answers2

-1

first change this $toldcurr = $POST["oldpass"]; to $toldcurr = $_POST["oldpass"];

Varun Naharia
  • 5,318
  • 10
  • 50
  • 84
-2

just use the statement as below it would help 

  if ($current !== $toldcurr) {
            header ('Location: changepasserror1.html');
            return false;
        }
     if ($pass1 !== $pass2) { 
            header ('Location: changepasserror2.html');
          return false;
        }

use above when u do your code in oops style it would be clear and help you out try to write proper conditional

user3417046
  • 11
  • 2
  • 6