Solved

Changing password

Posted on 2007-04-11
10
189 Views
Last Modified: 2013-12-13
With following script I want to change passwords of users. But it doesn't change it correctly. After I change a password, I can't login with that password.

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>
0
Comment
Question by:jvuz
  • 5
  • 4
10 Comments
 
LVL 29

Accepted Solution

by:
TeRReF earned 500 total points
ID: 18887913
I assume your name column is called name :)

Change this line:
$sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into

$sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887936
Thanx,

stupid mistake from me! But I still cannot login with the new password. Is it possible that I need to place the md5 somewhere else?
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887958
That seems to work now
I changed this

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into this

//$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'"  WHERE id = '. $id;

But, it seems now that it changed the level into zero and it should keep the level in what it was before.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
LVL 29

Expert Comment

by:TeRReF
ID: 18887963
Are you  sure the original passwords are already md5 encrypted?
You will have to test the passwords when they are both md5 encrypted, so at login, you would do something like (simplified without any error checking of course):

$passwd = md5($_POST['pass']);

Then compare it with the DB stored password...
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18887971
Oh wait, you did the right thing! What do you mean by level?
0
 
LVL 21

Author Comment

by:jvuz
ID: 18887991
Every user has a certain level (between 1 and 3). I already changed it into this

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'", level="'.($_POST['level']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Level
            </td>
            <td>
                  <input type="text" name="level" value="<?php echo $results['level']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>

it does the update. Now I was thinking about the password. Wouldn't it be better that it takes the password and put it in its inputbox, so that when I don't change a password it would not change it into a blank password?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888027
THat's a possibility, or you could test on it (like you do in a way, but more like this)
if (!empty($_POST['pass']))
  // password not empty, update it in query
else
  // password empty, skip the update in the query
0
 
LVL 21

Author Comment

by:jvuz
ID: 18888043
OK, thanx, another question. I get the level from the db. Is it possible to put it in a selection list (or dropdownlist)? That way, it can never be anythin else then 1, 2 or 3 because that will be the only options?
0
 
LVL 29

Expert Comment

by:TeRReF
ID: 18888058
Yes, that is possible indeed, just generate some HTML from the result (something like this (not tested, but you'll get the idea)):

$html = '<select name="whatever">';
$res = mysql_query('SELECT level etc...');
while ($row = mysql_fetch_array($res)) {
  $html .= '<option value="'.$row['level'].'">'.$row['level'].'</option>';
}
$html .= '</select>';
0
 
LVL 5

Expert Comment

by:PatrickAdrichem
ID: 18893113
Dunno if its been said yet

but ehm

$pass = md5($_POST['pass']);  // <--- doesnt do anything since your using the post value in the DB again!!!
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

-----

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($pass).'"  WHERE id = '. $id; // now its used..
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What is Node.js? Node.js is a server side scripting language much like PHP or ASP but is used to implement the complete package of HTTP webserver and application framework. The difference is that Node.js’s execution engine is asynchronous and event…
Introduction Knockoutjs (Knockout) is a JavaScript framework (Model View ViewModel or MVVM framework).   The main ideology behind Knockout is to control from JavaScript how a page looks whilst creating an engaging user experience in the least …
The viewer will receive an overview of the basics of CSS showing inline styles. In the head tags set up your style tags: (CODE) Reference the nav tag and set your properties.: (CODE) Set the reference for the UL element and styles for it to ensu…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question