2

So I'm new to php and mysql and over the past few days have created a log in system using php and mysql. I am trying to make a function where a user can change their password with the following query:

$query2 =  mysql_query("SELECT password FROM adminusr WHERE id =$idToChange");
$result = mysql_query($query2) or die($idToChange.mysql_error());
Callum
  • 25
  • 1
  • (1) You are not going to change anything with a `SELECT` query. (2) Quite using "mysql_". It is no longer supported. – Gordon Linoff Oct 25 '15 at 14:38
  • $query2 in line 1 is your result set to traverse. Line 2 makes no sense. One should hash their passwords, and password verify them. And as Gordon said, mysql* functions are deprecated. Use mysqli or pdo, much of the above can be [Seen in this Link](http://stackoverflow.com/a/32556010) – Drew Oct 25 '15 at 14:40
  • This code is supposed to grab the password in the database. The select query is supposed to grab the password from the database from the users id. In another query later on I then change the password. – Callum Oct 25 '15 at 14:45
  • 1
    do not *grab* the password (saving it as cleartext). Hash it and verify it. Hashing is a one-way function. Best practices are for you to verify a hash, not confirm in human terms that cleartext=cleartext. Now I would bet because you are starting out that this is not what you are going to do, but that is what you should do – Drew Oct 25 '15 at 14:45
  • I'm not. I am using the md5 function before this. "$oldPass = md5($oldPass).md5($oldPass);" It is also saved in the database using the md5 feature twice. – Callum Oct 25 '15 at 14:47
  • Please describe what the problem is. What result do you expect and what do you obtain instead – PaulH Oct 25 '15 at 14:48
  • 1
    Here is the manual page on the [deprecated function](https://dev.mysql.com/doc/apis-php/en/apis-php-function.mysql-query.html). Plus don't use md5 – Drew Oct 25 '15 at 14:49
  • Right the query is supposed to grab the password stored in the database. It then checks if it matches the one the user provided. As so: while($row=mysql_fetch_array($result)) { if ($row['password'] == $oldpass) { $factor = "true1"; } – Callum Oct 25 '15 at 14:54

1 Answers1

0

With SELECT statements you only select rows. To change them you need UPDATE. Consider using PDO because mysql_* functions are deprecated. Also try to hash your passwords and don't store them in plain text.

You need something like this:

$query2 =  mysql_query("UPDATE adminusr SET password = '$new_password' WHERE id = '$idToChange'");

Using PDO

//Make the connection using PDO

try {
    $conn = new PDO("mysql:host=$hostname;dbname=mysql", $username, $password);
    echo "PDO connection object created";
}
catch(PDOException $e) {
    echo $e->getMessage();
}
//Make your query
$sql = 'UPDATE adminusr SET password = :new_password WHERE id = :id';
$stmt = $conn->prepare($sql);
$stmt->execute(array(':new_password'=>$new_password, ':id'=>$idToChange));

EDIT answering to comment

Then you need to have also username and password fields at your form. So, you need four fields: username, oldPassword, newPassword, confirmNewPassword. Before the update statement you need to select the user having credentials username, oldPassword. If you find only one then you have to check if newPassword and confirmNewPassword match. If match then proceed to update. Otherwise print some error message.

Kostas Mitsarakis
  • 4,772
  • 3
  • 23
  • 37
  • How would I make it so before it updates the password it checks that the old password entered matches the one in the database, for security purposes. This is what the form looks like http://prntscr.com/8v5cra – Callum Oct 25 '15 at 14:50