change password mysql and php

why is this script not working :(

changepw.php

[php]<?php
$dbhost = "myhost";
$dbname = "my database name";
$dbuser = "my database user";
$dbpass = "my database pw";

//Connect to database
$link= mysql_connect ("$dbhost","$dbuser","$dbpass")or die("Could not connect: ".mysql_error());
mysql_select_db("$dbname") or die(mysql_error());
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$confirmnewpassword = $_POST['confirmnewpassword'];
$result = mysql_query("SELECT password FROM users WHERE username='$username'");
if(!$result)
{
echo "The username you entered does not exist";
}
else if($password!= mysql_result($result, 0))
{
echo "You entered an incorrect password";
}
}
if($newpassword=$confirmnewpassword)

    $sql=mysql_query("UPDATE users SET password='$newpassword' where username='$username'");
    if($sql)
    {
    echo "Congratulations You have successfully changed your password";
    }
   else
    {
   echo "The new password and confirm new password fields must be the same";
   }
  ?>[/php]

the html

[php]

Change Password for

Enter your UserName Enter your existing password:
Enter your new password:
Re-enter your new password:

[/php]

First, DJ, you need to update your code to either MySQLi (MySQL Improved version) or PDO. Most hosting sites
no longer allow MySQL code. It is not even in the latest version of PHP. Here is a tutorial that walks you thru all
of the possible things you will need. Just click the green Next-Chapter to walk thru all of the functions needed for
either MySQLi or PDO. It goes thru creating a table, accessing it, pulling data from it, updating it, etc…
http://www.w3schools.com/php/php_mysql_connect.asp

Now, onto your immediate puzzle… You run a query on the database, but, do not use the data in it. A query is
executed against your database. Then, to check if it returns any rows of data you should use mysqli_num_rows()
function. If that function returns a zero count, there is no info in the database for that user. If found, then you
must retrieve the data in that row using the mysqli_fetch_assoc() function before you can use the data for the
password. Your code:

$result = mysql_query("SELECT password FROM users WHERE username='$username'");
if(!$result)

would need to be changed to something loosely like:
[php]
$result = mysql_query("SELECT password FROM users WHERE username='$username'");
if(mysql_num_rows($result)==0) {
    echo "User account not found!";
} else {
    $row = mysql_fetch_assoc($result);
    if($row["password"]!=$password) {
        echo "Password does not match our records!";
    } else {
        // Do login code here…
        // Etc…
    }
}
[/php]
Just off the top of my head and it is NOT the improved version of MySQL which you have to upgrade to first!

^- What he said, and please do not store passwords in the database… You should use PHP's password_hash lib to generate a hash you can store instead. And then use password_verify to compare a submitted password (i.e. for login) to the stored hash.

What he said and he said…plus… you need to use prepared statements. Your code is vulnerable to SQL Injection. You NEVER EVER send user supplied data directly to the database.
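
The three replies combined (PDO instead of mysql_*, password_hash/password_verify, prepared statements) into one password-change routine, as an added example that is not code from any poster in this thread. The `users` table and its columns follow the original post; the function name `changePassword`, the in-memory SQLite DSN and the sample account are assumptions made so it runs without a database server.

```php
<?php
// Added example, not from the thread. For MySQL only the DSN changes, e.g.
// new PDO('mysql:host=HOST;dbname=DBNAME;charset=utf8mb4', $dbuser, $dbpass).

function changePassword(PDO $pdo, string $username, string $current,
                        string $new, string $confirm): string
{
    // Comparison, not assignment: "=" in the posted script always overwrote $newpassword.
    if ($new !== $confirm) {
        return 'The new password and confirm new password fields must be the same';
    }

    // Prepared statement: the username is bound as data, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $storedHash = $stmt->fetchColumn();      // false when no row matched

    // One generic message for "no such user" and "wrong password" avoids revealing which accounts exist.
    if ($storedHash === false || !password_verify($current, $storedHash)) {
        return 'Incorrect username or password';
    }

    // Store only a hash of the new password.
    $upd = $pdo->prepare('UPDATE users SET password = :p WHERE username = :u');
    $upd->execute([':p' => password_hash($new, PASSWORD_DEFAULT), ':u' => $username]);
    return 'Password changed';
}

// Constructed demo data: one account whose password column holds a hash.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['dj', password_hash('old-secret', PASSWORD_DEFAULT)]);

echo changePassword($pdo, 'dj', 'wrong-guess', 'n3w-secret', 'n3w-secret'), PHP_EOL;
// A quote in the input is just part of the bound value and matches no row.
echo changePassword($pdo, "dj' OR '1'='1", 'x', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($pdo, 'dj', 'old-secret', 'n3w-secret', 'n3w-typo'), PHP_EOL;
echo changePassword($pdo, 'dj', 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
```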
