I need help with updating my column in the database. I use InnoDB; the problem is probably here:

    $sql_update_heslo = "UPDATE users SET u_password = $_noveHeslo WHERE u_name = '$_SESSION[username]'";

First I check whether the button was clicked. If yes, then I check whether there is only 1 user with this name who is logged in, then I check whether the MD5 password from the database is the same as the user input; if yes, then I update the password based on the user's entry.

    if (isset($_POST['pass_aktualizovat'])) {
        $_old_password = md5($_POST['o_pass']);
        $sql_search_for_all_userss = "SELECT * FROM users WHERE u_name = '$_SESSION[username]' ";
        $result = mysqli_query($connect_to_db, $sql_search_for_all_userss);

        // if one match is found in the database
        if ($db_data = mysqli_num_rows($result) == 1) {
            while (mysqli_fetch_assoc($result)) {
                $_aktualneHeslo = $db_data['u_password'];
            }
            if (md5($_POST['o_pass'])==$_aktualneHeslo) {
                $_noveHeslo = md5($_POST['n_pass']);
                $sql_update_heslo = "UPDATE users SET u_password = '$_noveHeslo' WHERE u_name = '".$_SESSION['username']."'";
                mysqli_query($connect_to_db, $sql_update_heslo);

                echo "treti";
            }
            echo "druhy";
        }
        echo "prvy";

    } ?>

Patrik Horváth
  • `$_noveHeslo` is a string so it needs to be quoted in SQL. BUT..... you have security issues here. 1) Use parameterized queries 2) Don't use md5. – chris85 Jul 01 '17 at 15:45
  • Additionally, you are always assuming the `mysqli_query` return is successful; you should check that. Checking for errors would have shown you the string error, http://php.net/manual/en/mysqli.error.php. – chris85 Jul 01 '17 at 15:46
  • 1) You need to crypt the pass 2) use parameterized 3) use id instead of username. And try this -> `"UPDATE users SET u_password = $_noveHeslo WHERE u_name = '".$_SESSION['username']."'"` – Slim Shady Jul 01 '17 at 15:49
  • @chris85 tried '$_noveHeslo' but no effect =\ , why no md5? A lot of md5 are still not known – Patrik Horváth Jul 01 '17 at 15:49
  • Can you update the code with your new version? I'll find a thread on md5; in short, it processes too fast, has collisions, and large dictionaries of it already exist – chris85 Jul 01 '17 at 15:52
  • Here are some MD5 threads https://stackoverflow.com/questions/30496061/why-not-use-md5-for-password-hashing https://security.stackexchange.com/questions/19906/is-md5-considered-insecure https://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-1996 – chris85 Jul 01 '17 at 15:54
  • @chris85 done :) – Patrik Horváth Jul 01 '17 at 15:55
  • See my second comment as well, you need to check the response. If there is an error please provide that. – chris85 Jul 01 '17 at 15:55
  • @chris85 Errormessage: Unknown system variable 'a' – Patrik Horváth Jul 01 '17 at 15:59
  • `var_dump($sql_update_heslo);` gives what? – chris85 Jul 01 '17 at 16:00
  • @chris85 looks like it never gives TRUE here: `mysqli_num_rows($result) == 1`, it won't read `$_SESSION['username']`: prvystring(38) "SELECT * FROM users WHERE u_name = '' " – Patrik Horváth Jul 01 '17 at 16:06
  • Did you start your session? – chris85 Jul 01 '17 at 16:09
  • @chris85 right now yes :) but anyway it didn't fix it. Now I am getting u_name, probably because I am testing the Admin username but in my database I have Admin and admin, so can that be the problem? – Patrik Horváth Jul 01 '17 at 16:11
  • I don't know what you mean there, now you are entering the `update` and the update fails? – chris85 Jul 01 '17 at 16:13
  • @chris85 no, it fails because in SQL I search for Admin but SQL has found Admin and admin, 2 accounts, so then I need to somehow recognize big and small letters – Patrik Horváth Jul 01 '17 at 16:15
  • Oh, you'd need to change the collation and character set for that. You should really just make `u_name` unique. Allowing `chris85` and `Chris85` doesn't seem like a good idea. – chris85 Jul 01 '17 at 16:17
  • @chris85 yup :) but it never passes the md5 user input and md5 stored in database check: `md5($_POST['o_pass'])==$_aktualneHeslo` – Patrik Horváth Jul 01 '17 at 16:25
  • Did you salt on the storage? – chris85 Jul 01 '17 at 16:42
  • @chris85 idk what you mean, I convert user input into MD5 then check it with the database – Patrik Horváth Jul 01 '17 at 16:50
  • How do you first store the password? Or manually update it to `098f6bcd4621d373cade4e832627b4f6` and send `test`, what is the result in that case? – chris85 Jul 01 '17 at 16:53
  • @chris85 I have stored it as `md5($_POST['password_form'])` – Patrik Horváth Jul 01 '17 at 16:59
  • `var_dump(md5($_POST['o_pass']))` and `var_dump($_aktualneHeslo)` give you what? – chris85 Jul 01 '17 at 17:01
  • @chris85 2nd is NULL so it didn't get MD5 from database – Patrik Horváth Jul 01 '17 at 17:28
  • @chris85 fixed `if ($db_data = mysqli_num_rows($result) == 1` xD :) – Patrik Horváth Jul 01 '17 at 17:30
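
The flow the comments recommend (parameterized queries, no bare MD5, checked query errors, a properly fetched row), as an added example that is not part of the original thread. The `users`, `u_name` and `u_password` names come from the question; `verify_stored()`, `change_password()` and a `u_password` column wide enough for `password_hash()` output are assumptions. It goes one step beyond the thread by still accepting an existing MD5 row once, so that the row is re-hashed when the password is changed.

```php
<?php
// Added example, not the asker's code. users/u_name/u_password come from the
// question; u_password is assumed to be VARCHAR(255) so the new hashes fit.

// Hypothetical helper: accept a legacy bare md5() row or a password_hash() row.
function verify_stored(string $input, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        return hash_equals(strtolower($stored), md5($input));
    }
    return password_verify($input, $stored);
}

// Hypothetical helper: $db is an already connected mysqli handle.
function change_password(mysqli $db, string $username, string $old, string $new): bool
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw
    if ($username === '') {
        return false; // session not started or nobody logged in
    }
    $stmt = $db->prepare('SELECT u_password FROM users WHERE u_name = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows !== 1) { // no match, or ambiguous (Admin vs admin)
        $stmt->close();
        return false;
    }
    $stmt->bind_result($stored);
    $stmt->fetch();
    $stmt->close();
    if (!verify_stored($old, $stored)) {
        return false;
    }
    $hash = password_hash($new, PASSWORD_DEFAULT); // salted, deliberately slow
    $upd = $db->prepare('UPDATE users SET u_password = ? WHERE u_name = ?');
    $upd->bind_param('ss', $hash, $username);
    $upd->execute();
    $ok = $upd->affected_rows === 1;
    $upd->close();
    return $ok;
}

// Offline check of the verification step with constructed values.
var_dump(verify_stored('test', md5('test')));                              // legacy row
var_dump(verify_stored('test', password_hash('test', PASSWORD_DEFAULT))); // new-style row
var_dump(verify_stored('wrong', md5('test')));                             // wrong password
```

In the question's form handler this would be called after `session_start()` as `change_password($connect_to_db, $_SESSION['username'] ?? '', $_POST['o_pass'], $_POST['n_pass'])`.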

0 Answers