
I'm kinda new to PHP, so I'm still in the learning phase. I hope that I can get some good answers here and maybe someone has some tips on improvements.

I know things can be wrong, but again I'm still learning.

The thing I now try to make is a SIMPLE "Change password" form for my site.

```php
<?php
include '../config.php';
$connection = mysqli_connect($servername, $username, $password, $dbname);
if ($connection->connect_error){
    die("Connection failed: " . $conn->connect_error);
} else {
    echo "Connected successfully";
}
if(isset($_POST['submit']) && $_POST['submit'] = "submit"){
    $username = mysql_real_escape_string($connection, $_POST['username']);
    $password = md5($connection, $_POST['password']);
    $newpassword = md5($connection, $_POST['newpassword']);
    $confirmnewpassword = md5($connection, $_POST['confirmnewpassword']);
    $result = mysql_query("SELECT password FROM users WHERE username='$username'");
    if(!$result) {
         echo "The username does not exist!";
     }
     else if($password != mysql_result($result, 0)){
          echo "The password is not correct!";
     }
     if($newpassword === $confirmnewpassword) {
          $sql = mysql_query("UPDATE users SET password = '$newpassword' WHERE username = '$username'");
      }
      if(!$sql) {
          echo "Password has been changed!";
      }else{
        echo "Passwords do not match!";
     }
}
?>
<form name="newprwd" action="" method="post">
    username :<input type="text" name="username" value=""><br>
    Passord :<input type="password" name="password" value=""><br>
    Nytt passord :<input type="password" name="newpassword" value=""><br>
    Bekreft Passord :<input type="password" name="confirmnewpassword" value=""><br>
    <input type="submit" name="submit" value="Endre passord"><br>
</form>
```

This is the code I have in my change-pw.php file.

```php
$servername = "*****";
$username = "****";
$password = "***";
$dbname = "***";
```

This is how I connect to the database with the config.php file. I don't show the server name here, but you get the picture of how I connect to it.

The thing I want is the form to get the password and username from the database and change it.

Yes, I know there are some Norwegian words in here, but that's only for the echoes.

My problem:

When I write in a username, password, new password and confirm password I get the messages from `if(!$result)` and from `if(!$sql)`, but it won't change the password. It says that the username does not exist and password has been changed.

Anyone see the problem that I can't see?

I am hoping for positive and negative comments on this script so that I can improve.

Thanks!

Bhumi Shah
nikon01
  • Which PHP version are you using? `mysql_query` has been deprecated since 5.5.0 and has been removed in PHP 7. You should consider using `mysqli_query` at least or even switch to PDO (recommended). – Paul May 02 '16 at 07:47
  • Also, did you debug your `$result`? What kind of error messages have been logged? – Paul May 02 '16 at 07:48
  • If I'm not mistaken I am using the newest PHP. mysqli is normally what we are using. I have not been trying to debug the `$result`. How do I do that? – nikon01 May 02 '16 at 07:55
  • The newest PHP is 7.x, so it will not have a `mysql_query` function. Regarding debugging, just `var_dump($result)` could help. – Paul May 02 '16 at 08:19
  • I have changed everything to mysqli now, and I added `var_dump($result);` to the code and the error I get is: NULL The username does not exist! – nikon01 May 02 '16 at 08:27
  • Make sure to use a username that does exist. If the problem persists, check your `$username` var, is it correctly set in `$_POST`? – Paul May 02 '16 at 08:36
  • I do use a username that exists. There are 3 usernames in the DB and I have tried every one. Username does work on all our other scripts, but mostly we use INSERT and this is the first script where we use UPDATE. – nikon01 May 02 '16 at 08:40
  • Print this query `"SELECT password FROM users WHERE username='$username'"` in the browser & run the SQL. It will give you the real picture. – Dipanwita Kundu May 02 '16 at 09:46
  • You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 02 '16 at 13:05
  • [Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 02 '16 at 13:05
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 02 '16 at 13:05

1 Answer

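```php
<?php
    // Look up the stored password hash for the submitted username.
    $result = mysql_query("SELECT password FROM users WHERE username='$username'");
    // mysql_fetch_row() returns false when no row matched, i.e. the user is unknown.
    if($row = mysql_fetch_row($result)) {
        if($password != $row[0]) {
            echo "The password is not correct!";
        }
        elseif($newpassword === $confirmnewpassword) {
            // Reached only when the current password matched and both new entries agree.
            $sql = mysql_query("UPDATE users SET password = '$newpassword' WHERE username = '$username'");
        }else{
            echo "Passwords do not match!";
        }
    }else{
        echo "The username does not exist!";
    }

?>
```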

This is valid for PHP 5.x only. For PHP 7 you need to change to mysqli or PDO.

Klaus F.
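
The comments on the question recommend prepared statements and PHP's built-in password hashing, and the answer notes that PHP 7 needs mysqli or PDO. As an added example (not code from the question or the answer), here is the same change-password logic with PDO; `change_password()` is a hypothetical helper, the `users` table with `username` and `password` columns follows the question, and an in-memory SQLite database with constructed data stands in for the MySQL server so the script runs on its own.

```php
<?php
// Added example: change-password logic with PDO prepared statements and
// password_hash()/password_verify(). change_password() is a hypothetical helper.
declare(strict_types=1);

function change_password(PDO $pdo, string $username, string $current,
                         string $new, string $confirm): string
{
    // Compare the raw inputs; passwords are never escaped or hashed before this check.
    if ($new === '' || $new !== $confirm) {
        return 'Passwords do not match!';
    }

    // Placeholder binding keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // One message for both cases, so the form does not reveal which usernames exist.
    if ($hash === false || !password_verify($current, $hash)) {
        return 'Username or password is not correct!';
    }

    $upd = $pdo->prepare('UPDATE users SET password = :p WHERE username = :u');
    $upd->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);

    // Report success only when exactly one row was actually updated.
    return $upd->rowCount() === 1 ? 'Password has been changed!' : 'Update failed!';
}

// Constructed demo data: in-memory SQLite stands in for the MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong current password, a username containing a quote (bound as plain data),
// mismatched confirmation, then a valid change.
echo change_password($pdo, 'alice', 'wrong', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo change_password($pdo, "o'brien", 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo change_password($pdo, 'alice', 'old-secret', 'n3w-secret', 'typo'), PHP_EOL;
echo change_password($pdo, 'alice', 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
```

Existing MD5 values will not verify with `password_verify()`, so accounts stored that way need a password reset or a re-hash at next login. On the real site, build the `PDO` object with a `mysql:` DSN from the values in `config.php`.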