Change Password Script...

Smg
Posts: 30
Joined: Tue Feb 21, 2012 2:38 am

Change Password Script...

Post by Smg »

OK, I know how you said not to use all if statements, but this is easier for me to understand. Also, I need help with my change password script... I do not know how to make it change the password. Also, it keeps saying incorrect password when I try to change it.

changepass.php:
<?php

include('core/init.inc.php');

?>
<html>
	<head>
		<title>CHANGE PASSWORD</title>
	</head>
	<body>
		<form action="changepass.php?act=true" method="post">
			<table cellpadding="2" cellspacing="2" border="1">
			<tr>
				<td colspan="2"><label><b>Change Password</b></label></td>
			</tr>
			<tr>
				<td>Old Password:</td>
				<td><input type="password" value="" name="pass" /></td>
			</tr>
			<tr>
				<td>New Password:</td>
				<td><input type="password" value="" name="cpass" /></td>
			</tr>
			<tr>
				<td>Confirm New Password:</td>
				<td><input type="password" value="" name="crepass" /></td>
			</tr>
			<tr>
				<td colspan="2"><input type="submit" value="Change Password" name="submit" /></td>
			</tr>
			</table>
		</form>
		
		<?php
		
		if ($_GET['act'] == true){
			if ($_POST['submit']){
				$user = $_SESSION['user_username'];
				$pass = htmlspecialchars($_POST['pass']);
				$cpass = htmlspecialchars($_POST['cpass']);
				$crepass = htmlspecialchars($_POST['crepass']);
				
				if ($pass && $cpass && $crepass){
					$query1 = sprintf("SELECT * FROM users WHERE user_username='$user'", mysql_real_escape_string($user_username));
					while ($row = mysql_fetch_assoc($query1)){
						$dbpass = $row['pass'];
					}
					if ($pass == $dbpass){
						if ($cpass == $crepass){
							mysql_query("UPDATE users SET user_password='$crepass' WHERE user_username='$user'");
							echo "<script>
									alert('Your password has been changed!');
								</script>
								<meta http-equiv='refresh' content='1;url=index.php'>";
						} else {
							echo "The passwords in both of the fields do not match!";
						}
					} else {
						echo "The password is incorrect.";
					}
				} else { 
					echo "Please fill in all of the fields.";
				}
			}
		}
		
		?>
		
	</body>
</html>
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Change Password Script...

Post by jacek »

    while ($row = mysql_fetch_assoc($query1)){
        $dbpass = $row['pass'];
    }
You don't need to use a loop here since there is only ever going to be one row; you can just do
    $row = mysql_fetch_assoc($query1);
    $dbpass = $row['pass'];
You also don't want to use htmlspecialchars on the password, since that will make the user's password be something that they didn't enter. Since the password will never be displayed in the browser, there is no need to worry about XSS attacks here.
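An added example, not part of either post: jacek's two points (a single fetch instead of a loop, and no htmlspecialchars() on the password) in a runnable change-password helper. It goes beyond the thread by using PDO prepared statements and password_hash()/password_verify(), and it assumes an in-memory SQLite table with the thread's user_username and user_password columns; change_password() and the demo account are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Assumes a `users` table with the thread's user_username / user_password
// columns, where user_password holds a password_hash() value.

function change_password(PDO $db, string $user, string $old, string $new, string $confirm): string
{
    if ($old === '' || $new === '' || $confirm === '') {
        return 'Please fill in all of the fields.';
    }
    if ($new !== $confirm) {
        return 'The passwords in both of the fields do not match!';
    }

    // One row per username, so a single fetch() replaces the while loop.
    $stmt = $db->prepare('SELECT user_password FROM users WHERE user_username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the raw input: no htmlspecialchars(), so "a&b<c" stays "a&b<c".
    if ($row === false || !password_verify($old, $row['user_password'])) {
        return 'The password is incorrect.';
    }

    // Bound parameters keep the username and password out of the SQL text.
    $upd = $db->prepare('UPDATE users SET user_password = ? WHERE user_username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'Your password has been changed!';
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_username TEXT PRIMARY KEY, user_password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['smg_demo', password_hash('a&b<c', PASSWORD_DEFAULT)]);

// The string htmlspecialchars() would have compared instead of the typed one.
echo htmlspecialchars('a&b<c'), "\n";
// Escaped old password: rejected, because it is not what the user entered.
echo change_password($db, 'smg_demo', htmlspecialchars('a&b<c'), 'n3w"pw', 'n3w"pw'), "\n";
// Raw old password: accepted, and the new hash is stored.
echo change_password($db, 'smg_demo', 'a&b<c', 'n3w"pw', 'n3w"pw'), "\n";
// Mismatched new/confirm fields are caught before any query runs.
echo change_password($db, 'smg_demo', 'n3w"pw', 'x', 'y'), "\n";
```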