Changing password

With following script I want to change passwords of users. But it doesn't change it correctly. After I change a password, I can't login with that password.

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>
LVL 21
jvuzAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

TeRReFCommented:
I assume your name column is called name :)

Change this line:
$sql3 = 'UPDATE users SET pass ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into

$sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jvuzAuthor Commented:
Thanx,

stupid mistake from me! But I still cannot login with the new password. Is it possible that I need to place the md5 somewhere else?
0
jvuzAuthor Commented:
That seems to work now
I changed this

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

into this

//$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'"  WHERE id = '. $id;

But, it seems now that it changed the level into zero and it should keep the level in what it was before.
0
Become a CompTIA Certified Healthcare IT Tech

This course will help prep you to earn the CompTIA Healthcare IT Technician certification showing that you have the knowledge and skills needed to succeed in installing, managing, and troubleshooting IT systems in medical and clinical settings.

TeRReFCommented:
Are you  sure the original passwords are already md5 encrypted?
You will have to test the passwords when they are both md5 encrypted, so at login, you would do something like (simplified without any error checking of course):

$passwd = md5($_POST['pass']);

Then compare it with the DB stored password...
0
TeRReFCommented:
Oh wait, you did the right thing! What do you mean by level?
0
jvuzAuthor Commented:
Every user has a certain level (between 1 and 3). I already changed it into this

<?php
     if($id)
     {
            $sql2 = "SELECT name, level FROM users WHERE id = " .$id;
            //echo $sql2;
            $res = mysql_query($sql2) or die('QUERY_SELECT ERROR: <hr />' . mysql_error());
            $results = mysql_fetch_assoc($res);
            // if($_SERVER['REQUEST_METHOD'] == 'POST')
            if (isset($_POST['test']))
                {
                    //echo "title str len:".strlen(trim($_POST['name']));
                              //echo "article str len:".strlen(trim($_POST['pass']));
                    if ((strlen(trim($_POST['name'])) < 2) || (strlen(trim($_POST['pass'])) < 2))
                    {
                         $error = "One or both fields are empty. This is not allowed. Please fill something in.";
                    }    
                    if (empty($error))
                              {
                               //error is niet leeg dus query uitvoeren
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string(md5($_POST['pass'])).'", level="'.($_POST['level']).'"  WHERE id = '. $id;
                               //echo $sql3;
                               $update = mysql_query($sql3) or die('QUERY_UPDATE ERROR: <hr />'. mysql_error());
                               echo "Changes have been made!";
                               }
                    else
                               {
                               //error is niet leeg dus error weergeven
                               echo $error;
                               }
                }
                                               
// form without PHP
?>
<!-- HIER FORMULIER -->
<form method="post" action="http://localhost/eindwerk2/pages/changinguser.php?id=<?=$id?> " style="margin-left:1px;">
<table>
      <tr>
            <td>
                  <input type="hidden" name="id" value="<?php echo $id; ?> " />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Username&nbsp;
            </td>
            <td>
                  <input type="text" name="name" value="<?php echo $results['name']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Password
            </td>
            <td>
                  <input type="password" name="pass" value="" />
            </td>
      </tr>
      <tr>
            <td valign="top">
                  Level
            </td>
            <td>
                  <input type="text" name="level" value="<?php echo $results['level']; ?>"style="width:535px;" />
            </td>
      </tr>
      <tr>
            <td></td>
            <td>
                  <input type="hidden" name="test" value="posted" />
                  <input type="submit" value="Change" />
            </td>
      </tr>
</table>
</form>    
<?php
}
?>

it does the update. Now I was thinking about the password. Wouldn't it be better that it takes the password and put it in its inputbox, so that when I don't change a password it would not change it into a blank password?
0
TeRReFCommented:
THat's a possibility, or you could test on it (like you do in a way, but more like this)
if (!empty($_POST['pass']))
  // password not empty, update it in query
else
  // password empty, skip the update in the query
0
jvuzAuthor Commented:
OK, thanx, another question. I get the level from the db. Is it possible to put it in a selection list (or dropdownlist)? That way, it can never be anythin else then 1, 2 or 3 because that will be the only options?
0
TeRReFCommented:
Yes, that is possible indeed, just generate some HTML from the result (something like this (not tested, but you'll get the idea)):

$html = '<select name="whatever">';
$res = mysql_query('SELECT level etc...');
while ($row = mysql_fetch_array($res)) {
  $html .= '<option value="'.$row['level'].'">'.$row['level'].'</option>';
}
$html .= '</select>';
0
PatrickAdrichemCommented:
Dunno if its been said yet

but ehm

$pass = md5($_POST['pass']);  // <--- doesnt do anything since your using the post value in the DB again!!!
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($_POST['pass']).'"  WHERE id = '. $id;

-----

$pass = md5($_POST['pass']);
                               $sql3 = 'UPDATE users SET name ="'. mysql_real_escape_string($_POST['name']).'" , pass = "'. mysql_real_escape_string($pass).'"  WHERE id = '. $id; // now its used..
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.