-1

I have a task for a registration form where I want to change the password. There are no errors, and it is changing when I do a variable dump (var_dump). Also, it is showing the changed password on the front-end but not updating in the database. I have tried a lot to update it in the database, but what am I doing wrong? I think it is a query problem. Can anybody point me in the right direction to solve my query problem? Thanks in advance...

```php
<?php
require_once ( "./connect.php" );
if ( !empty ( $_POST ['submit'] ) ) {  
    $current_password = md5 ( $_POST [ 'current_password' ] );
    $new_password = md5 ( $_POST [ 'new_password' ] );
    $confirm_password = md5 ( $_POST [ 'confirm_password' ] );
    $sql = ( "SELECT `password` FROM `user` WHERE `username` = '$confirm_password' " ) or die ( "Query didn't work" );
    $result = $db->query($sql);
    $current_password = $result [ 'password' ];
    if ( $current_password == $current_password ) {
        if ( $new_password == $confirm_password ) {             
            $sql = ( "update `user` SET `password`='{$confirm_password}' WHERE user_id = $_COOKIE[id]" );
            echo 'success!'; 
        } else {
            echo 'New passwords doesn t match!';
        }
    }
} else {
    echo 'Current password doesn t match';
}
?>
<form action = "" method = "POST">
Current-Password: <input type = "password" name = "current_password" value = ""/><br><br>
New-Password: <input type = "password" name = "new_password" value = ""/><br><br>
Confirm-Password: <input type = "password" name = "confirm_password" value = ""/><br><br>
<input type="submit" name="submit" value="change password"/>
</form>
```

// connect.php file
```php
<?php
$db = new mysqli("localhost", "root", "", "registration");
if($db->connect_error){
    exit("cannot connect to database");
}
?>
```
Abhishek
Arshiya Khanam
  • 1
    `password` = '$confirm_password' ? instead of `username` = '$confirm_password' in `WHERE` clause because your username will and should not be equal to your password – guradio Oct 23 '18 at 06:53
  • 1
    A tip. don't use md5 [https://security.stackexchange.com/questions/19906/is-md5-considered-insecure](https://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – Sfili_81 Oct 23 '18 at 06:55
  • 2
    Have a read of [How to use password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Oct 23 '18 at 06:56
  • 1
    `if ( $current_password == $current_password ) {` this doesn't check anything. And you don't execute your update statement; add `$result = $db->query($sql);` before the `echo 'success!';` line – Jacek Rosłan Oct 23 '18 at 06:57
  • 1
    my advice is that you delete this "code", read up on php security practices and re-write based on that – Rotimi Oct 23 '18 at 07:10
  • I agree with @Akintunde-Rotimi, there are so many errors each user can spot them. I suggest the same thing – guradio Oct 23 '18 at 07:14
  • Please use Prepared Statements – Lithilion Oct 23 '18 at 07:16

2 Answers

0

Run the query after $sql

```php
$sql = ( "update `user` SET `password`='{$confirm_password}' WHERE user_id = $_COOKIE[id]" );
$db->query($sql); // this call is missing, which is why no data is updated
```
Bhargav Chudasama
0

Hi please check this

```php
<?php
require_once ( "./connect.php" );
if ( !empty ( $_POST ['submit'] ) ) {
    $current_password = md5 ( $_POST [ 'current_password' ] );
    $new_password = md5 ( $_POST [ 'new_password' ] );
    $confirm_password = md5 ( $_POST [ 'confirm_password' ] );
    // Look up the stored password by username, not by password.
    $sql = "SELECT `password` FROM `user` WHERE `username` = 'shan' ";
    $result = $db->query($sql) or die ( "Query didn't work" );

    $current_password1 = null; // stays null when no row is found
    if ($result->num_rows > 0) {
        // fetch the stored password from the result row
        while($row = $result->fetch_assoc()) {
            $current_password1 = $row["password"];
        }
    }
    // Strict comparison: entered current password vs. the value from the database.
    if ( $current_password === $current_password1 ) {
        if ( $new_password == $confirm_password ) {
            $sql = "update `user` SET `password`='{$confirm_password}' WHERE user_id = 1";
            $result = $db->query($sql); // actually run the UPDATE
            echo 'success!';
        } else {
            echo 'New passwords doesn t match!';
        }
    } else {
        // This branch belongs to the current-password check, not to the submit check.
        echo 'Current password doesn t match';
    }
}
?>
<form action = "" method = "POST">
Current-Password: <input type = "password" name = "current_password" value = ""/><br><br>
New-Password: <input type = "password" name = "new_password" value = ""/><br><br>
Confirm-Password: <input type = "password" name = "confirm_password" value = ""/><br><br>
<input type="submit" name="submit" value="change password"/>
</form>
```

Some corrections made in your code are as follows:

  1. make a correction in the username (currently you're using the password as the username).
  2. use a while loop to fetch the password from the query result.
  3. compare the entered current password with the db password (use different variables for both).
  4. set the cookie before use, or else accept the user id from the user (you're using $_COOKIE['user_id']).
  5. execute the update query on the db.
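
The comments under the question recommend `password_hash` and prepared statements; the following is an added example of the same password change written that way, and it is not code from the question or from either answer. It assumes the `$db` connection from `connect.php`, a `user_id` stored in the session at login (`$_SESSION['user_id']` is a hypothetical name), and a `password` column wide enough (VARCHAR(255)) to hold a `password_hash()` value.

```php
<?php
// Added example. Assumptions: connect.php provides $db (mysqli) as on this
// page; login code stored the id in $_SESSION['user_id'] (hypothetical name);
// the `password` column is VARCHAR(255).
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
require_once "./connect.php";
session_start();

function change_password(mysqli $db, int $userId, string $current,
                         string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {
        return "New passwords don't match";
    }
    // Fetch the stored hash for the authenticated user with a bound parameter.
    $stmt = $db->prepare("SELECT `password` FROM `user` WHERE user_id = ?");
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();          // true = row, null = no row
    $stmt->close();
    if ($found !== true) {
        return "Current password doesn't match";
    }
    // Rows written by the old code hold a 32-character md5 hex digest;
    // accept those once so the account is upgraded to password_hash().
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($current))
        : password_verify($current, $stored);
    if (!$ok) {
        return "Current password doesn't match";
    }
    // Store a salted, slow hash of the raw new password.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE `user` SET `password` = ? WHERE user_id = ?");
    $stmt->bind_param('si', $hash, $userId);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1;
    $stmt->close();
    return $changed ? 'success!' : 'Password was not updated';
}

// The user id comes from the server-side session, not from a cookie value.
if (!empty($_POST['submit']) && isset($_SESSION['user_id'])) {
    echo change_password($db, (int) $_SESSION['user_id'],
        $_POST['current_password'] ?? '', $_POST['new_password'] ?? '',
        $_POST['confirm_password'] ?? '');
}
```

The login check has to use `password_verify()` as well once rows have been upgraded, since a `password_hash()` value can no longer be compared against `md5()` output.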