-2

I'm trying to implement a change password function on a php website. The idea is that a registered member whose details are stored in a database can change their password by entering their old password followed by entering their new password twice. After they've done so they click change password. However when this is clicked it shows on the screen 'Query didn't work' which makes me think theres a problem with the '$query' under the database connection. Can anyone help me with this? 

 <?php

 session_start();


 $user = $_SESSION['dohare11'];

if ($user)
{
    if ($_POST['submit'])
{
 //check fields


    $oldpassword = md5($_POST['oldpassword']);
    $newpassword = md5($_POST['newpassword']);
    $repeatnewpassword = md5($_POST['repeatnewpassword']);
          //check password against db
    include("../connection/conn.php");

    $query = "SELECT password FROM cityfestusers WHERE username='$user'";
    mysqli_query($conn, $query) or die("Query didn't work");
    $row = mysqli_fetch_assoc($query);

    $oldpassworddb = $row['password'];


    //check passwords
    if ($oldpassword == $oldpassworddb) {
        //check new passwords
        if ($newpassword == $repeatnewpassword) {
            //success
            //change password in db
            $change = "UPDATE cityfestusers SET password='$newpassword' WHERE username='$user'";
            mysqli_query($conn, $change);
            session_destroy();
            die("Your password has been changed. <a href='index.php'>Return</a> to the main menu");

          } else {
            die("New passwords don't match");
           }
         } else {
              die("Old password doesnt match!");
           }
      }        
   else
    {


    }
    echo"

     <form action='changepassword.php' method='POST'>
     Old Password: <input type='text' name='oldpassword'><p>
     New Password: <input type='password' name='newpassword'><br>
     Repeat New Password: <input type='password' name='repeatnewpassword'><br>
     <input type='submit' name='submit' value='Change Password'>
     </form>
              ";
          }

EDIT/// I've updated the query statements to the following and receive an error: 'mysqli_fetch_assoc() expects parameter 1 to be mysqli_result, bool given in... line 23 ( $row = mysqli_fetch_assoc($result);) Old passwords don't match' This is my updated code referring to the query statements

    $query = "SELECT password FROM cityfestusers WHERE username='$user'";
    $result = mysqli_query($conn, $query);
    $row = mysqli_fetch_assoc($result);

    $oldpassworddb = $row['password'];

... 

    //check passwords
    if ($oldpassword == $oldpassworddb) {
        //check new passwords
        if ($newpassword == $repeatnewpassword) {
            //success
            //change password in db
            $update = "UPDATE cityfestusers SET password='$newpassword' WHERE username='$user'";
           $result = mysqli_query($conn, $update);
           $row = mysqli_fetch_assoc($result);
            session_destroy();
            die("Your password has been changed. <a href='index.php'>Return</a> to the main menu");

        } else {
            die("New passwords don't match");
        }
    } else {
        die("Old password doesnt match!");
    }
}

else {

Declan O'Hare
  • 1
  • 1
  • 2
    you can start by using **prepared statements** see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php and maybe the problems resolves by that – nbk Mar 24 '20 at 22:18

1 Answers1

-1

According to documentation you need to store result after doing mysqli_query:

$result = mysqli_query($conn, $query);

Any further magic with resultant object should be done if it has data. Read this documentation and do each step regarding to it.

Also, yes, your query has been failed:

echo 'Start with true'.PHP_EOL;

(true) or die('message1');

echo 'Start with false'.PHP_EOL;

(false) or die('message2');

Gives:

Start with true
Start with false
message2
Aksen P
  • 4,564
  • 3
  • 14
  • 27