Change Password Script...

Posted: Sun Apr 29, 2012 11:30 pm
by Smg
OK, I know you said not to use all if statements, but this is easier for me to understand. Also, I need help with my change password script... I do not know how to make it change the password; also it keeps saying incorrect password when I try to change it.

changepass.php:
[syntax=php]<?php

// init.inc.php is assumed to start the session and open the MySQL connection.
include('core/init.inc.php');

?>
<html>
<head>
<title>CHANGE PASSWORD</title>
</head>
<body>
<form action="changepass.php?act=true" method="post">
<table cellpadding="2" cellspacing="2" border="1">
<tr>
<td colspan="2"><label><b>Change Password</b></label></td>
</tr>
<tr>
<td>Old Password:</td>
<td><input type="password" value="" name="pass" /></td>
</tr>
<tr>
<td>New Password:</td>
<td><input type="password" value="" name="cpass" /></td>
</tr>
<tr>
<td>Confirm New Password:</td>
<td><input type="password" value="" name="crepass" /></td>
</tr>
<tr>
<td colspan="2"><input type="submit" value="Change Password" name="submit" /></td>
</tr>
</table>
</form>

<?php

if (isset($_GET['act']) && $_GET['act'] == true){
if (isset($_POST['submit'])){
$user = $_SESSION['user_username'];
$pass = htmlspecialchars($_POST['pass']);
$cpass = htmlspecialchars($_POST['cpass']);
$crepass = htmlspecialchars($_POST['crepass']);

if ($pass && $cpass && $crepass){
// The query string has to be run with mysql_query before rows can be fetched;
// the username is escaped before being placed in the SQL.
$query1 = mysql_query(sprintf("SELECT * FROM users WHERE user_username='%s'", mysql_real_escape_string($user)));
while ($row = mysql_fetch_assoc($query1)){
// Column name matches the one used in the UPDATE below.
$dbpass = $row['user_password'];
}
if ($pass == $dbpass){
if ($cpass == $crepass){
mysql_query(sprintf("UPDATE users SET user_password='%s' WHERE user_username='%s'", mysql_real_escape_string($crepass), mysql_real_escape_string($user)));
echo "<script>
alert('Your password has been changed!');
</script>
<meta http-equiv='refresh' content='1;url=index.php'>";
} else {
echo "The passwords in both of the fields do not match!";
}
} else {
echo "The password is incorrect.";
}
} else {
echo "Please fill in all of the fields.";
}
}
}

?>

</body>
</html>[/syntax]

Re: Change Password Script...

Posted: Mon Apr 30, 2012 4:40 pm
by jacek
[syntax=php] while ($row = mysql_fetch_assoc($query1)){
$dbpass = $row['pass'];
}[/syntax]
You don't need to use a loop here since there is only ever going to be one row, you can just do

[syntax=php] $row = mysql_fetch_assoc($query1);
$dbpass = $row['pass'];[/syntax]

You also don't want to use htmlspecialchars on the password, since that will make the user's password be something that they didn't enter. Since the password will never be displayed in the browser there is no need to worry about XSS attacks here.
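As an added example (not code from either poster), here is the same change-password flow written so that the stored value is a password hash rather than the raw password and the SQL uses a prepared statement; it keeps the thread's table and column names (users, user_username, user_password) and assumes PHP 7+, a PDO connection in `$pdo` created by core/init.inc.php, and the logged-in username in `$_SESSION['user_username']`.

```php
<?php
// Added example, not part of the original thread. Assumes core/init.inc.php
// starts the session and provides $pdo (a PDO connection with ERRMODE_EXCEPTION).

function change_password(PDO $pdo, string $user, string $old, string $new, string $confirm): string
{
    if ($old === '' || $new === '' || $confirm === '') {
        return 'Please fill in all of the fields.';
    }
    if ($new !== $confirm) {
        return 'The passwords in both of the fields do not match!';
    }

    // Exactly one row is expected for a username, so a single fetch is enough.
    $stmt = $pdo->prepare('SELECT user_password FROM users WHERE user_username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the submitted text against the stored hash. The password is not
    // passed through htmlspecialchars because it is never rendered as HTML.
    if ($row === false || !password_verify($old, $row['user_password'])) {
        return 'The password is incorrect.';
    }

    // Store a fresh hash of the new password, never the password itself.
    $stmt = $pdo->prepare('UPDATE users SET user_password = ? WHERE user_username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return 'Your password has been changed!';
}

if (isset($_POST['submit']) && isset($_SESSION['user_username'])) {
    // Escaping is applied to the message that is rendered, not to the password.
    echo htmlspecialchars(change_password(
        $pdo,
        $_SESSION['user_username'],
        $_POST['pass'] ?? '',
        $_POST['cpass'] ?? '',
        $_POST['crepass'] ?? ''
    ));
}
```

Existing rows that hold raw passwords would need to be rehashed (for example on next successful login) before password_verify can match them.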