-3

This section of code is what I am using to update a password with token verification. I am getting useremail from the URL in encrypted format, which is why I have used md5 in the query. The query is getting executed and affecting the table correctly, but it keeps showing the else error message.

    $password= md5($_POST['password']);
    $sqlupdateaccount="UPDATE `mydatabasename`.`usertbl` 
                        SET `password`='$password' 
                        WHERE MD5(`useremail`)='$useremail' 
                        AND `token`='$token'";
    $result=mysqli_query($con,$sqlupdateaccount);
    if(mysqli_num_rows($result)>0)  // also used if(mysqli_affected_rows($con)) but still same problem
    {
        header("Location:userlogin.php?s=1");
    } else {
        echo "<h3 class='alert alert-danger'>Something Went Wrong</h3>".mysqli_error($con);
    }
  • 3
    Please don't __roll your own__ password hashing, especially not using `MD5()` or `SHA1()`. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php); please use them for the safety of your users. – RiggsFolly Apr 15 '21 at 10:19
  • OK, should I just replace md5() with password_hash()? – SAW Kk Apr 15 '21 at 10:22
  • 2
    See a detailed explanation about hashing [here](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords). – El_Vanja Apr 15 '21 at 10:23
  • 2
    I would of course suggest you read up on and use the `password_hash()` functions – RiggsFolly Apr 15 '21 at 10:23
  • Yes, I am sending hashed email in URL for password verification. – SAW Kk Apr 15 '21 at 10:24
  • 1
    Anyways, back on topic: `num_rows` is what you get when you *select* a result set. You're not fetching anything from an `UPDATE`, so this won't have the data you need. What you want instead is the number of affected rows. – El_Vanja Apr 15 '21 at 10:25
  • 2
    There is a difference between [mysqli_affected_rows](https://www.php.net/manual/en/mysqli.affected-rows.php) and [mysqli_num_rows](https://www.php.net/manual/en/mysqli-result.num-rows.php). Since your query **is not** a select query, you should use mysqli_affected_rows. – Definitely not Rafal Apr 15 '21 at 10:25
  • 2
    Why are you all focused on hashing? This is not the question here at all. – Definitely not Rafal Apr 15 '21 at 10:27
  • @DefinitelynotRafal I have tried using mysqli_affected_rows($con) but same problem. Still, I will try one more time. – SAW Kk Apr 15 '21 at 10:28
  • Thanks @DefinitelynotRafal, I have used this condition and it worked: `if(mysqli_affected_rows($con)>0)` – SAW Kk Apr 15 '21 at 10:33
  • @DefinitelynotRafal can you answer the question with the new if condition so I can accept it as the answer? – SAW Kk Apr 15 '21 at 10:35
  • Thank you for the hashing information, I will update my code with password_hash(), but no one told me what is wrong with MD5() and SHA1(), and down voted my question. – SAW Kk Apr 15 '21 at 10:37
  • 2
    _“but no one told me what is wrong with MD5() and SHA1()”_ - well who did you _expect_ to tell you, and when & where? Did you expect someone to come by your place in the evening, and read it to you as a bedtime story …? Doing a bit of _reading up_ on what the currently recommended best practices are for stuff like this is your own responsibility. – CBroe Apr 15 '21 at 10:50
  • @CBroe thanks for reading all comments and commenting and guiding me to study and research over hashing concept which I was doing, and sorry if I have offended you. – SAW Kk Apr 15 '21 at 10:59
  • Does https://stackoverflow.com/questions/25555758/what-is-the-difference-between-mysqli-affected-rows-and-mysqli-num-rows answer your question? – Nico Haase Apr 15 '21 at 11:31
  • @NicoHaase yes that explains the solution to my problem, Thank you – SAW Kk Apr 15 '21 at 13:08

1 Answer

1

`mysqli_num_rows` should be used when you have a select query.

`mysqli_affected_rows` is what you are searching for.

Change `if(mysqli_num_rows($result)>0) {...` to `if(mysqli_affected_rows($con)>0) {...`
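
Added example, not part of the original answer or the asker's code: the same reset step with the affected-rows check from the answer, the `password_hash()` advice from the comments, and a prepared statement in place of string interpolation. The function name `reset_password`, the URL parameter names `e` and `t`, the connection credentials, and a nullable `token` column with a `password` column wide enough for the hash (e.g. `VARCHAR(255)`) are assumptions.

```php
<?php
declare(strict_types=1);

// Make mysqli throw on SQL errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Hypothetical helper: sets a new password for the row matching the
 * e-mail hash and token. Returns true only if exactly one row changed.
 */
function reset_password(mysqli $con, string $emailHash, string $token, string $newPassword): bool
{
    // An empty token must never match anything.
    if ($emailHash === '' || $token === '' || $newPassword === '') {
        return false;
    }

    // Salted, slow hash; verify later with password_verify().
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    // Placeholders keep request data out of the SQL text.
    $stmt = $con->prepare(
        'UPDATE `usertbl`
            SET `password` = ?, `token` = NULL
          WHERE MD5(`useremail`) = ? AND `token` = ?'
    );
    $stmt->bind_param('sss', $hash, $emailHash, $token);
    $stmt->execute();

    // An UPDATE returns no result set, so there is nothing for
    // mysqli_num_rows() to count; the affected-row count is the signal.
    $changed = $stmt->affected_rows;
    $stmt->close();

    return $changed === 1;
}

// Usage (assumed parameter names and placeholder credentials).
$con = new mysqli('localhost', 'app_user', 'app_password', 'mydatabasename');
$e = is_string($_GET['e'] ?? null) ? $_GET['e'] : '';
$t = is_string($_GET['t'] ?? null) ? $_GET['t'] : '';
$p = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

if (reset_password($con, $e, $t, $p)) {
    header('Location: userlogin.php?s=1');
    exit;
}
http_response_code(400);
// Do not append mysqli_error() to user-facing output; log it server-side.
echo "<h3 class='alert alert-danger'>Something Went Wrong</h3>";
```

Setting `token` to `NULL` in the same statement makes the link single-use, and because `password_hash()` produces a fresh salt each time, a matching row always counts as affected even if the user re-enters the old password.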