Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Changing password

Posted on 2007-04-11
10
Medium Priority
?
196 Views
Last Modified: 2013-12-13
With following script I want to change passwords of users. But it doesn't change it correctly. After I change a password, I can't login with that password.

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>
0
Comment
Question by:jvuz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
10 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 2000 total points
ID: 18887913
I assume your name column is called name :)

Change this line:
$sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into

$sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887936
Thanx,

stupid mistake from me! But I still cannot login with the new password. Is it possible that I need to place the md5 somewhere else?
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887958
That seems to work now
I changed this

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into this

//$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'"  WHERE id = '. $id;

But, it seems now that it changed the level into zero and it should keep the level in what it was before.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 29

Expert Comment

by:TeRReF
ID: 18887963
Are you  sure the original passwords are already md5 encrypted?
You will have to test the passwords when they are both md5 encrypted, so at login, you would do something like (simplified without any error checking of course):

$passwd = md5($_POST['pass']);

Then compare it with the DB stored password...
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18887971
Oh wait, you did the right thing! What do you mean by level?
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887991
Every user has a certain level (between 1 and 3). I already changed it into this

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'", level="'.($_POST['level']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Level
            </td>
            <td>
                  <input type="text" name="level" value="<?php echo $results['level']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>

it does the update. Now I was thinking about the password. Wouldn't it be better that it takes the password and put it in its inputbox, so that when I don't change a password it would not change it into a blank password?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888027
THat's a possibility, or you could test on it (like you do in a way, but more like this)
if (!empty($_POST['pass']))
  // password not empty, update it in query
else
  // password empty, skip the update in the query
0
 
LVL 21

Author Comment

by:jvuz
ID: 18888043
OK, thanx, another question. I get the level from the db. Is it possible to put it in a selection list (or dropdownlist)? That way, it can never be anythin else then 1, 2 or 3 because that will be the only options?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888058
Yes, that is possible indeed, just generate some HTML from the result (something like this (not tested, but you'll get the idea)):

$html = '<select name="whatever">';
$res = mysql_query('SELECT level etc...');
while ($row = mysql_fetch_array($res)) {
  $html .= '<option value="'.$row['level'].'">'.$row['level'].'</option>';
}
$html .= '</select>';
0
 
LVL 5

Expert Comment

by:PatrickAdrichem
ID: 18893113
Dunno if its been said yet

but ehm

$pass = md5($_POST['pass']);  // <--- doesnt do anything since your using the post value in the DB again!!!
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

-----

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($pass).'"  WHERE id = '. $id; // now its used..
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

JavaScript has plenty of pieces of code people often just copy/paste from somewhere but never quite fully understand. Self-Executing functions are just one good example that I'll try to demystify here.
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Viewers will learn about the regular for loop in Java and how to use it. Definition: Break the for loop down into 3 parts: Syntax when using for loops: Example using a for loop:
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

660 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question