-1

I have a problem with my change-password script. Can you please help me with this code? It should work, but it is not working. After clicking on the submit button, the page just refreshes.

<?php
session_start();
require_once 'dbconnect.php';

if (isset($_POST['ulozitzmeny']) && ($_SESSION['user']) && strlen($_SESSION['user']) > 0) {

    $password = hash('sha512', mysql_real_escape_string($_POST['heslo']));
    $newpassword = hash('sha512', mysql_real_escape_string($_POST['noveheslo']));
    $passwordconf = hash('sha512', mysql_real_escape_string($_POST['potvrzenihesla']));

    $res = mysql_query("SELECT password FROM users WHERE username='$_SESSION[user]'");
    $row = mysql_fetch_array($res);

    if ($password != $row[0]) {

        echo" <div style='position:absolute;left:29.5%;top:10%;width:41%;' class='alert alert-danger fade in'>
             <a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>
             <strong>Chyba!</strong> Nesprávné heslo!
             </div>";
    } else {

        if ($newpassword != $passwordconf) {

            echo" <div style='position:absolute;left:29.5%;top:10%;width:41%;' class='alert alert-danger fade in'>
             <a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>
             <strong>Chyba!</strong> Hesla se neshodují!
             </div>";
        } else {

            if (mysql_query("UPDATE users SET password='$newpassword' WHERE username = '$_SESSION[user]'") or die(mysql_error())) {

                echo" <div style='position:absolute;left:29.5%;top:10%;width:41%;' class='alert alert-success'>
             <a href='#' class='close' data-dismiss='alert' aria-label='close'>&times;</a>
             <strong>Úspěch!</strong> Změny proběhly úspěšně!               
             </div>";
            }
        }
    }
}
?>
JDaveth
  • Can you show us your form ? – Thomas Rollet Jan 04 '16 at 10:03
  • Here is my form: http://pastebin.com/9FCsebpt – JDaveth Jan 04 '16 at 10:05
  • Please try to print the password value you get from $_POST and the one from the database, and check whether you get the same value or not – jilesh Jan 04 '16 at 10:08
  • @iWispy put in your question – Thomas Rollet Jan 04 '16 at 10:08
  • Check if the posted attributes have values and make sure the session['user'] is set. Your code should work normally. – Mohammad Jan 04 '16 at 10:10
  • print your update query and check – user3040610 Jan 04 '16 at 10:13
  • Please have a look into [password_hash](http://php.net/manual/en/book.password.php). Using the `hash` function is not recommended for storing passwords. [**Please, don't use `mysql_*` functions in new code**](http://bit.ly/phpmsql). They are no longer maintained [and are officially deprecated](http://j.mp/XqV7Lp). See the [**red box**](http://j.mp/Te9zIL)? Learn about [*prepared statements*](http://j.mp/T9hLWi) instead, and use [PDO](http://php.net/pdo) or [MySQLi](http://php.net/mysqli) - [this article](http://j.mp/QEx8IB) will help you decide which. – DarkBee Jan 04 '16 at 10:48
  • @iWispy if you're going to create a pastebin file, don't make it expire. – Funk Forty Niner Jan 04 '16 at 12:29
  • possible duplicate of [PHP: Notice: Undefined variable and Notice: Undefined index](http://stackoverflow.com/questions/4261133/php-notice-undefined-variable-and-notice-undefined-index) – Funk Forty Niner Mar 20 '16 at 14:46
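
The `password_hash` and prepared-statement advice from the comments above, as an added example that is not the asker's code or any commenter's. The table and column names come from the question; the `change_password()` function, the in-memory SQLite database and the sample user are assumptions made so the block runs on its own.

```php
<?php
// Added example: the question's password-change logic rewritten with PDO
// prepared statements and password_hash()/password_verify().
// change_password() is a hypothetical helper; users/username/password are
// the names used in the question.

function change_password(PDO $pdo, string $user, string $current, string $new, string $confirm): string
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $stored = $stmt->fetchColumn();

    // password_verify() takes the salt and cost from the stored hash.
    // The submitted password is passed in unmodified (no escaping first).
    if ($stored === false || !password_verify($current, $stored)) {
        return 'wrong_password';
    }
    // Compare the raw new values; there is no need to hash them to compare.
    if ($new === '' || $new !== $confirm) {
        return 'mismatch';
    }
    $upd = $pdo->prepare('UPDATE users SET password = :p WHERE username = :u');
    $upd->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $user]);
    return $upd->rowCount() === 1 ? 'ok' : 'not_updated';
}

// Constructed demo data: one user in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Same order of checks as the question: current password first, then confirmation.
echo change_password($pdo, 'alice', 'bad-guess', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo change_password($pdo, 'alice', 'old-secret', 'n3w-secret', 'typo'), PHP_EOL;
echo change_password($pdo, 'alice', 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo change_password($pdo, 'alice', 'n3w-secret', 'x', 'x'), PHP_EOL;
```

In the question's handler the arguments would be `$_SESSION['user']`, `$_POST['heslo']`, `$_POST['noveheslo']` and `$_POST['potvrzenihesla']`. Hashes already stored with `hash('sha512', ...)` will not pass `password_verify()`, and the PHP manual recommends a 255-character column for `PASSWORD_DEFAULT` hashes.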

2 Answers

2

Please check your form tag. From the one I saw at http://pastebin.com/9FCsebpt, I noticed that two necessary attributes are missing.

  • Your form has no method attribute, so it definitely will not pass through this condition: isset($_POST['ulozitzmeny'])
  • Your form has no action attribute. Hence, it has no file to use for processing the script.

Correct these things in your form, and I am sure your code will work.

Mr Heart
1

I think the error is in this request

"SELECT password FROM users WHERE username='$_SESSION[user]'"

If you use an array to get data, you need to put ' around the key.

Try this request instead:

"SELECT password FROM users WHERE username='".$_SESSION['user']."'"
Thomas Rollet