-1

I couldn't update password to a new one in the change password page and there is no error at all so couldn't found which is the incorrect part. I've checked in MySQL table, and it is not updated. Can someone assist to find it out? Thank you.

PHP code 

 include "../setting/config.php";

 session_start();

$btnchange = filter_input(INPUT_POST, "btnchange");

if(isset($btnchange))
{
    $username = filter_input(INPUT_POST, "username");
    $password = filter_input(INPUT_POST, "password");

    $query2 = "SELECT username from registered_accounts where username='$username'AND password='$password'";
    $query_run=mysqli_query($conn, $query2);
    $level = mysqli_fetch_array($query_run);
    if(count(fetchAll($query2)) > 0){ //this is to catch unknown error.
                  foreach(fetchAll($query2) as $row){
                    if ($row['username'] == $username && $row['password'] == $password) 
                    {
                        $update_query2= "UPDATE registered_accounts set password='$password' where username='$username'";
                        $update_query_run=mysqli_query($conn, $update_query2);
                        if ($update_query2)
                        {
                            echo "<script>alert('Password has been changed successfully.')</script>";
                        }
                        else{
                            echo "<script>alert('Password has been failed to change.')</script>";
                        }
}
}
}
}
?>

Body

<form action="<?= $_SERVER['PHP_SELF'] ?>" method="post">
    <input type="text" class="text" name="username" placeholder="Username" value="" required autofocus>
    <input type="password" placeholder="Password" name="password" value="" required autofocus>
    <div class="submit"><input type="submit" value="Submit" name="btnchange"></div>
</form>

registered_accounts table Table Structure

ravin c
  • 7
  • 6
  • 4
    You shouldn't store passwords in plaintext, you should be using `password_hash()` and `password_verify()`. Also, use prepared statements instead of substituting variables to prevent SQL injection. – Barmar Jun 12 '20 at 16:42
  • 1
    Why do you need to do the `UPDATE` in a loop? There's no need for `if ($row['username'] == $username && $row['password'] == $password)`, since the `WHERE` criteria in the `SELECT` query ensures that they'll be the same. – Barmar Jun 12 '20 at 16:44
  • Hi @Barmar - Noted well, thank you for the reply. I've remove the IF statement, but still couldn't update. Could you assist me? – ravin c Jun 12 '20 at 16:48
  • I can't see any reason why it doesn't work. – Barmar Jun 12 '20 at 16:50
  • 1
    Since you need to convert it to prepared statements anyway, try doing that and see if the problem goes away. – Barmar Jun 12 '20 at 16:50
  • Might be unrelated, but what does your `fetchAll` function do, and why is it using the raw query string `$query2` instead of the result of the executed query `$query_run`? – rickdenhaan Jun 12 '20 at 17:31
  • Thank you so much @Barmar. I will take note on what u've said. – ravin c Jun 12 '20 at 17:32
  • Hi @rickdenhaan - It works perfectly now. Thank you – ravin c Jun 12 '20 at 17:33
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jun 12 '20 at 19:02

1 Answers1

0

You need to update this new password. And this new password is not current password of the queried user. So the select query is failing to retrieve any result. Remove AND password='$password' from $query2, like this:

    $query2 = "SELECT username from registered_accounts where username='$username'";

and also remove the if statement, as there is no need to check again.

    if ($row['username'] == $username && $row['password'] == $password)

Hope this will help, But I also suggest you to use prepared statement to prevent from SQL Injections.

Md Shahbaz Ahmad
  • 345
  • 4
  • 12
  • 1
    I was editing it for more than a hour, thank you so much @Shahbaz Ahmad. It works perfectly. I will take note on what u've said. – ravin c Jun 12 '20 at 17:32
  • Will this change not allow a user to change the password for *any other user*? – rickdenhaan Jun 12 '20 at 17:33
  • @rickdenhaan The question is "Couldn't update Password", so I just explained him the error, due to which he is not able to update the password. Rest logic is upon him, how could he manage to prevent user from changing password of other user. – Md Shahbaz Ahmad Jun 12 '20 at 17:42