
If I echo $codeee outside of the if loop, the value shows, but the value does not exist inside the loop which causes the UPDATE query to fail. How can I use the variable inside the loop?

PHP Code

```php
require('connect.php');
$codeee = htmlspecialchars($_GET["recov"]);
echo $codeee;

$paso        = $confpaso    = "";
$pasoErr     = $confpasoErr = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    if (empty($_POST["paso"])) {
        $pasoErr = "Password is required";
    } else {
        $paso = md5(test_inputing($_POST["paso"]));
    }

    $confpaso = md5(test_inputing($_POST["confpaso"]));
    if ($confpaso != $paso) {
        $confpasoErr = "Passwords do not match";
    }
    $emailing = test_inputing($_POST["emailing"]);


    if ($pasoErr == $confpasoErr && $confpasoErr == "") {

        $changepaso = "UPDATE users SET password='$paso' WHERE forgotcode = '$codeee'";
        if ($conn->query($changepaso) === TRUE) {
            $tellthem = "Your password was changed";
        } else {
            $tellthem = "Something Happened, the password was not changed";
        }
    }
}
```

HTML CODE

```html
    <form action=<?php echo htmlspecialchars($_SERVER["PHP_SELF"]) ?> method="post">

    <div class="register-top-grid">
        <h3>FILL OUT YOUR INFORMATION TO CHANGE YOUR PASSWORD</h3>
        <div>
            <span>Email<label>*</label></span>
            <input type="text" name="emailing"  >

        </div>
        <div>
            <span>Password<label>*</label><p style="color:red"><?php echo $pasoErr ?></p></span>
            <input type="password" name="paso"  >

        </div>
        <div>
            <span>Confirm Password<label>*</label><p style="color:red"><?php echo $confpasoErr ?></p></span>
            <input type="password" name="confpaso"  >
        </div>

    </div></br></br>

    <input type="submit" value="submit">
    <p><?php echo $tellthem ?></p>
</form>
```
Purple Lady
malaria
  • 1
    Where does `$codeee` come from? I didn't see it anywhere apart from your query, so it will not work. Also, everything in your code is `$_POST` and your question title has `$_GET`, which is also confusing. – Alive to die - Anant Apr 21 '17 at 21:17
  • So what happens when I call this URL with `&recov=%27%20OR%20%271%27%3D%271`? – miken32 Apr 21 '17 at 21:17
  • post your html code – Omi Apr 21 '17 at 21:18
  • @AlivetoDie $codeee is shown on the second line, it is the value of $_GET["recov"] – malaria Apr 21 '17 at 21:19
  • @miken32 just tried it, it just echoes OR 1 = 1, but does not affect the query since the variable is not read inside the loop – malaria Apr 21 '17 at 21:20
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 21 '17 at 21:20
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Apr 21 '17 at 21:20
  • What it does is reset the password of every account in your database. Read the links in the comment @JayBlanchard just posted. – miken32 Apr 21 '17 at 21:22
  • @JayBlanchard thanks for the concern, but I am keeping the security handling for the end since I am still in the prototype phase of the website. But if you can help with the issue it would be great, thanks. – malaria Apr 21 '17 at 21:23
  • 2
    If you don't have time to do it right the first time, when will you find the time to add it later? I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. – Jay Blanchard Apr 21 '17 at 21:24
  • @miken32 this is what it is doing, but I just want it to change the ones where forgotcode = $codeee, but it is not working. How can I fix it? – malaria Apr 21 '17 at 21:25
  • @JayBlanchard thank you, I will check out the links you posted and will try to secure my code as much as I can. But do you know what I could do to fix the issue I am asking about? – malaria Apr 21 '17 at 21:29
  • BTW - there is no "loop" here. `$codeee` is not set because there is no `$_GET` array. The form method is `post` – Jay Blanchard Apr 21 '17 at 21:32
  • @JayBlanchard and how can I fix that to get the value from the URL and use it in the if statement? – malaria Apr 21 '17 at 21:34
  • What does the form action look like when you view the source? – Jay Blanchard Apr 21 '17 at 21:34
  • @JayBlanchard when I view the page source this is what it looks like:
    – malaria Apr 21 '17 at 21:36
  • You forgot the quotes for the form's action attribute. Change it to: `
    "`
    – Purple Lady Apr 21 '17 at 21:36
  • Notice how `recovery.php` doesn't have a query string attached? When you click submit that means there will be no `$codeee` – Jay Blanchard Apr 21 '17 at 21:38
  • @PurpleLady just tried it, it still doesn't work, and when I open the page source it shows this:
    – malaria Apr 21 '17 at 21:39
  • To fix that you may want to set a hidden form field to the value of the query string when the page loads and send that value in the post array. – Jay Blanchard Apr 21 '17 at 21:39
  • Glad to have helped. – Jay Blanchard Apr 21 '17 at 21:44
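
The fix described in the comments (carry the recovery code in a hidden form field so it arrives in `$_POST`), combined with the prepared-statement and `password_hash()` advice given there, as an added example that is not code from the question or its commenters. It assumes PDO with an in-memory SQLite database in place of `connect.php`; `render_form` and `change_password` are hypothetical names, and the rows are constructed sample data.

```php
<?php
// Added example. Assumptions: PDO + in-memory SQLite stand in for connect.php;
// table and column names follow the question (users.password, users.forgotcode).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (email TEXT, password TEXT, forgotcode TEXT)");
// Constructed sample data: two accounts, each with its own pending reset code.
$pdo->exec("INSERT INTO users VALUES ('a@example.test', 'old-a', 'abc123'),
                                     ('b@example.test', 'old-b', 'zzz999')");

// GET request: put the code from the URL into a hidden field so it survives
// the POST. htmlspecialchars() here is HTML output encoding only; it is not
// what protects the SQL statement.
function render_form(array $get): string {
    $code = htmlspecialchars($get['recov'] ?? '', ENT_QUOTES, 'UTF-8');
    return '<form action="recovery.php" method="post">'
         . '<input type="hidden" name="recov" value="' . $code . '">'
         . '<input type="password" name="paso">'
         . '<input type="password" name="confpaso">'
         . '<input type="submit" value="submit"></form>';
}

// POST request: read the code from the POST data, compare the raw passwords,
// hash with password_hash(), and bind both values as parameters.
// Returns the number of accounts whose password was changed.
function change_password(PDO $pdo, array $post): int {
    $code = $post['recov'] ?? '';
    $paso = $post['paso'] ?? '';
    if ($code === '' || $paso === '' || $paso !== ($post['confpaso'] ?? '')) {
        return 0;
    }
    // Clearing forgotcode makes the recovery code single-use.
    $stmt = $pdo->prepare(
        'UPDATE users SET password = ?, forgotcode = NULL WHERE forgotcode = ?'
    );
    $stmt->execute([password_hash($paso, PASSWORD_DEFAULT), $code]);
    return $stmt->rowCount();
}

echo render_form(['recov' => 'abc123']), "\n";
// The value from the comments is bound as data, so it can only match a row
// whose forgotcode is literally that string.
echo change_password($pdo, ['recov' => "' OR '1'='1", 'paso' => 'pw1', 'confpaso' => 'pw1']), "\n";
// A code that exists in the table is matched by equality only.
echo change_password($pdo, ['recov' => 'abc123', 'paso' => 'pw1', 'confpaso' => 'pw1']), "\n";
```

With `password_hash()` on the write side, the login check uses `password_verify()` instead of comparing digests.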

0 Answers