
I have an issue.

```php
public function ChangePassword($username, $password, $new_password) {
    // Check that the supplied username/password pair is valid
    $canUserLogin = $this->isLoginExist($username, $password);
    if($canUserLogin){
        // Update the stored password for this user
        $query = "UPDATE users SET password = $new_password WHERE username = $username";
        $inserted = mysqli_query($this->db->getDb(), $query);
        if($inserted == 1){
            $json['success'] = 1;
        }else{
            $json['success'] = 0;
        }
        mysqli_close($this->db->getDb());
    }else{
        // Login check failed
        $json['success'] = 2;
    }
    return $json;
}
```

I have an Android application with a login and register system. I just created a changePassword activity. So, when I type in the fields and press the button, it says that the password was changed. But when I go to the database, the old password is still there. What is wrong? Thank you.

  • Strings need to be quoted. Use prepared statements. – chris85 Feb 13 '16 at 17:16
  • So how should the right code look? – TheLietuvis Feb 13 '16 at 17:25
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. In this short example you have a number of dangerous [SQL injection vulnerabilities](http://bobby-tables.com/) coming from a reckless lack of [proper escaping](http://bobby-tables.com/php). Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.2/authentication) built-in. – tadman Feb 13 '16 at 17:34
  • `$new_password` and `$username` would be in quotes. This is open to SQL injections though; user data shouldn't go into a SQL query. – chris85 Feb 13 '16 at 17:59
  • I put $new_password and $username in quotes and still no luck – TheLietuvis Feb 13 '16 at 18:09
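The fix the comments point at, as an added example that is not code from the question or the commenters: the same method rewritten with a mysqli prepared statement, so user input is bound rather than interpolated into the query, and with the password stored as a `password_hash()` result. The function name, the `users.password` hash column and the `mysqli` object passed in are assumptions, not the asker's schema; it also checks `affected_rows`, because a successful `UPDATE` returns true even when the `WHERE` clause matched no row, which is exactly the "says it changed, but the database is unchanged" symptom.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection and
// that users.password holds a password_hash() value (assumption).
function changePasswordSafely(mysqli $db, string $username, string $password, string $newPassword): array
{
    // 1. Look up the stored hash for this username; the value is bound, never
    //    concatenated into the SQL text, so quoting and injection are not an issue.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Verify the current password against the hash (constant-time comparison).
    if (!$found || !password_verify($password, $storedHash)) {
        return ['success' => 2]; // unknown user or wrong password
    }

    // 2. Store only a hash of the new password, again via bound parameters.
    $newHash = $db->real_escape_string('') === '' ? password_hash($newPassword, PASSWORD_DEFAULT) : '';
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $newHash, $username);
    $ok = $stmt->execute();

    // execute() is true whenever the statement ran without error, even if no
    // row matched; affected_rows tells whether a row was actually changed.
    $updated = $ok && $stmt->affected_rows === 1;
    $stmt->close();

    return ['success' => $updated ? 1 : 0];
}
```

The stored hash is salted, so the new hash always differs from the old one and `affected_rows` is 1 on a real change; a value of 0 means the `UPDATE` ran but touched nothing, which the original `$inserted == 1` check would have reported as success.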

0 Answers