Solved

Changing password

Posted on 2007-04-11
10
186 Views
Last Modified: 2013-12-13
With following script I want to change passwords of users. But it doesn't change it correctly. After I change a password, I can't login with that password.

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>
0
Comment
Question by:jvuz
  • 5
  • 4
10 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 500 total points
ID: 18887913
I assume your name column is called name :)

Change this line:
$sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into

$sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887936
Thanx,

stupid mistake from me! But I still cannot login with the new password. Is it possible that I need to place the md5 somewhere else?
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887958
That seems to work now
I changed this

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into this

//$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'"  WHERE id = '. $id;

But, it seems now that it changed the level into zero and it should keep the level in what it was before.
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18887963
Are you  sure the original passwords are already md5 encrypted?
You will have to test the passwords when they are both md5 encrypted, so at login, you would do something like (simplified without any error checking of course):

$passwd = md5($_POST['pass']);

Then compare it with the DB stored password...
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18887971
Oh wait, you did the right thing! What do you mean by level?
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 
LVL 21

Author Comment

by:jvuz
ID: 18887991
Every user has a certain level (between 1 and 3). I already changed it into this

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'", level="'.($_POST['level']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Level
            </td>
            <td>
                  <input type="text" name="level" value="<?php echo $results['level']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>

it does the update. Now I was thinking about the password. Wouldn't it be better that it takes the password and put it in its inputbox, so that when I don't change a password it would not change it into a blank password?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888027
THat's a possibility, or you could test on it (like you do in a way, but more like this)
if (!empty($_POST['pass']))
  // password not empty, update it in query
else
  // password empty, skip the update in the query
0
 
LVL 21

Author Comment

by:jvuz
ID: 18888043
OK, thanx, another question. I get the level from the db. Is it possible to put it in a selection list (or dropdownlist)? That way, it can never be anythin else then 1, 2 or 3 because that will be the only options?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888058
Yes, that is possible indeed, just generate some HTML from the result (something like this (not tested, but you'll get the idea)):

$html = '<select name="whatever">';
$res = mysql_query('SELECT level etc...');
while ($row = mysql_fetch_array($res)) {
  $html .= '<option value="'.$row['level'].'">'.$row['level'].'</option>';
}
$html .= '</select>';
0
 
LVL 5

Expert Comment

by:PatrickAdrichem
ID: 18893113
Dunno if its been said yet

but ehm

$pass = md5($_POST['pass']);  // <--- doesnt do anything since your using the post value in the DB again!!!
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

-----

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($pass).'"  WHERE id = '. $id; // now its used..
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

Suggested Solutions

What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
These days socially coordinated efforts have turned into a critical requirement for enterprises.
Viewers will learn about the different types of variables in Java and how to declare them. Decide the type of variable desired: Put the keyword corresponding to the type of variable in front of the variable name: Use the equal sign to assign a v…
The viewer will learn the basics of jQuery including how to code hide show and toggles. Reference your jQuery libraries: (CODE) Include your new external js/jQuery file: (CODE) Write your first lines of code to setup your site for jQuery…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now