ok i know how you said not to use all if statements but this is easier for me to understand also i need help with my change password script... i do not know how to make it change the password also it keeps saying incorrect password when i try to change it.
changepass.php:
[syntax=php]<?php
include('core/init.inc.php');
?>
<html>
<head>
<title>CHANGE PASSWORD</title>
</head>
<body>
<form action="changepass.php?act=true" method="post">
<table cellpadding="2" cellspacing="2" border="1">
<tr>
<td colspan="2"><label><b>Change Password</b></label></td>
</tr>
<tr>
<td>Old Password:</td>
<td><input type="password" value="" name="pass" /></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="password" value="" name="cpass" /></td>
</tr>
<tr>
<td>Confirm New Password:</td>
<td><input type="password" value="" name="crepass" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Change Password" name="submit" /></td>
</tr>
</form>
<?php
if ($_GET['act'] == true){
if ($_POST['submit']){
$user = $_SESSION['user_username'];
$pass = htmlspecialchars($_POST['pass']);
$cpass = htmlspecialchars($_POST['cpass']);
$crepass = htmlspecialchars($_POST['crepass']);
if ($pass && $cpass && $crepass){
$query1 = sprintf("SELECT * FROM users WHERE user_username='$user'", mysql_real_escape_string($user_username));
while ($row = mysql_fetch_assoc($query1)){
$dbpass = $row['pass'];
}
if ($pass == $dbpass){
if ($cpass == $crepass){
mysql_query("UPDATE users SET user_password='$crepass' WHERE user_username='$user'");
echo "<script>
alert('Your password has been changed!');
</script>
<meta http-equiv='refresh' content='1;url=index.php'>";
} else {
echo "The passwords in both of the fields do not match!";
}
} else {
echo "The password is incorrect.";
}
} else {
echo "Please fill in all of the fields.";
}
}
}
?>
</body>
<html>[/syntax]
Change Password Script...
Re: Change Password Script...
[syntax=php] while ($row = mysql_fetch_assoc($query1)){
$dbpass = $row['pass'];
}[/syntax]
You don't need to use a loop here since there is only ever going to be one row, you can just do
[syntax=php] $row = mysql_fetch_assoc($query1);
$dbpass = $row['pass'];[/syntax]
You also don't want to use htmlspecialchars on the password, since that will make the users password be something that they didn't enter. Since the password will never be displayed in the browser there is no need to worry about XSS attacks here.
$dbpass = $row['pass'];
}[/syntax]
You don't need to use a loop here since there is only ever going to be one row, you can just do
[syntax=php] $row = mysql_fetch_assoc($query1);
$dbpass = $row['pass'];[/syntax]
You also don't want to use htmlspecialchars on the password, since that will make the users password be something that they didn't enter. Since the password will never be displayed in the browser there is no need to worry about XSS attacks here.
