a change password page not working

I have a change password page on my website, and when I test the page with a logged-in user from my database I keep getting the error message "Your password could not be changed due to a system error. We apologize for any inconvenience." from my echo statement.

here is the code for my PHP page
---------PHP CODE-------------
[php]
<?php # changepwd.php. This page allows a logged-in user to change their password.
// Set the page title and include the HTML header.
$page_title = 'Change Password';
require_once('./includes/header.php');
// $dbc (the mysqli connection used below) must already exist at this point, e.g. created in header.php.

// Logged in?
if (isset($_SESSION['user_id']) && isset($_COOKIE['moviereviews'])) {

    // Handle the form.
    if (isset($_POST['change'])) {

        // Check for a new password and match it against the confirmed password.
        $p  = trim($_POST['password1']);
        $p2 = trim($_POST['password2']);
        if (strlen($p) >= 4 && strlen($p) <= 20 && !empty($p2)) {
            if ($p != $p2) {
                $p = FALSE;
                echo "Your password did not match the confirmed password!";
            }
        } else {
            $p = FALSE;
            echo "Enter and confirm a valid password between 4 and 20 characters long!";
        }

        // If everything's OK.
        if ($p) {
            // Escape any illegal MySQL characters in the data.
            $p = mysqli_real_escape_string($dbc, $p);
            // MySQL's SHA() hashes the value (SHA-1, 40 hex characters) before it is stored.
            $query = "UPDATE accounts SET password=SHA('$p') WHERE userID={$_SESSION['user_id']}";
            $result = mysqli_query($dbc, $query);

            // If the update was OK.
            if ($result) {
                // Load the logout page.
                $url = './logout.php';
                // Delete the output buffer.
                ob_end_clean();
                header("Location: $url");
                // Quit the script.
                exit();
            // In case the update was not OK.
            } else {
                echo "Your password could not be changed due to a system error. We apologize for any inconvenience.";
            }
        // Failed the validation test.
        } else {
            echo "Please try again.";
        }

        // Close the database connection.
        mysqli_close($dbc);

    } // End of the submit conditional.
?>

<!-- Form fields: the names match the $_POST keys the script reads above. -->
<h2>Change Password</h2>
<form action="changepwd.php" method="post">
    <p>New Password: <input type="password" name="password1" size="20" maxlength="20" />
    <small>Must be between 4 and 20 characters long.</small></p>
    <p>Confirm New Password: <input type="password" name="password2" size="20" maxlength="20" /></p>
    <p>Note that you will be automatically logged out following a successful
    password change and you will need to log back in using the new password.</p>
    <p><input type="submit" name="submit" value="Change My Password" /></p>
    <input type="hidden" name="change" value="TRUE" />
</form>

<?php
} else {
    echo "This page has been accessed in error!";
}
require_once('./includes/footer.php');
?>
[/php]
--------END OF PHP-----------

The error that you're seeing means $result is failing - but you knew that already, right?

You shouldn't use mysqli_real_escape_string on passwords as it could quite easily change them.
i.e., I enter my password as ak'tye.
Your function changes it to ak\'tye - meaning I'll never type the correct password.

Also, 'password' is a keyword so you shouldn't really name your column this; try pass_word or something similar.
Finally, check the column type: it should be VARCHAR and a minimum of 40 chars in length.

Hope that helps,
Red :wink:
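An added example, not the poster's page and not Red's code, of the shape the replies push toward: the raw password is hashed in PHP with password_hash() and reaches the database as a bound parameter, so nothing escapes or alters it; the column (called pass_hash here, following the rename suggested above) is VARCHAR(255), which holds any password_hash() output; and a failed UPDATE logs the database's own error message server-side instead of only echoing the generic apology. It uses PDO with an in-memory SQLite database so it runs without a MySQL server; with mysqli the same pattern is mysqli_prepare() plus mysqli_stmt_bind_param(), and mysqli_error($dbc) is the call that tells you why $result came back false. The table, the user ID 7, and the passwords are constructed for the demo.

```php
<?php
// Added example (not the original poster's code): change a password using a
// prepared statement and password_hash(). PDO with an in-memory SQLite database
// stands in for the poster's mysqli/MySQL setup so the script runs offline.

// Build a throwaway accounts table with one constructed user.
function createDemoDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // VARCHAR(255) holds any password_hash() output (60 chars for bcrypt, longer for future algorithms).
    $db->exec('CREATE TABLE accounts (userID INTEGER PRIMARY KEY, pass_hash VARCHAR(255) NOT NULL)');
    $stmt = $db->prepare('INSERT INTO accounts (userID, pass_hash) VALUES (?, ?)');
    $stmt->execute([7, password_hash("ak'tye", PASSWORD_DEFAULT)]); // constructed sample user
    return $db;
}

/**
 * Change the password of $userId. Returns [bool ok, string message].
 * The hash is made from the raw bytes the user typed; the value is never escaped
 * or sanitized because it reaches SQL as a bound parameter, not as SQL text.
 */
function changePassword(PDO $db, int $userId, string $new, string $confirm): array
{
    if (strlen($new) < 4) {            // the page's minimum length rule
        return [false, 'Enter a password of at least 4 characters.'];
    }
    if (strlen($new) > 72) {           // bcrypt ignores bytes past 72, so refuse rather than silently truncate
        return [false, 'Password too long.'];
    }
    if ($new !== $confirm) {           // strict comparison, no trim()
        return [false, 'Your password did not match the confirmed password!'];
    }

    try {
        $stmt = $db->prepare('UPDATE accounts SET pass_hash = ? WHERE userID = ?');
        $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
        if ($stmt->rowCount() !== 1) {
            // A WHERE clause that matches nothing (e.g. an empty session user_id) is a common cause of "nothing changed".
            return [false, 'No account matched that user ID.'];
        }
    } catch (PDOException $e) {
        // This is what the poster's generic branch hides: the real reason the UPDATE failed
        // (bad column name, missing connection, ...). Log it server-side, show the user the generic text.
        error_log('password change failed: ' . $e->getMessage());
        return [false, 'Your password could not be changed due to a system error.'];
    }
    return [true, 'Password changed; please log in again.'];
}

/** Login check: verify the typed password against the stored hash. */
function passwordIsValid(PDO $db, int $userId, string $typed): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM accounts WHERE userID = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($typed, $hash);
}

// Demo run.
$db = createDemoDatabase();
// Constructed new password full of characters that escaping or sanitizing would alter.
$newPassword = "Ak'tye <&> \"quoted\"";

[$ok, $message] = changePassword($db, 7, $newPassword, $newPassword);
echo ($ok ? 'OK' : 'FAIL') . ': ' . $message . PHP_EOL;
echo 'new password verifies: ' . (passwordIsValid($db, 7, $newPassword) ? 'yes' : 'no') . PHP_EOL;
echo 'old password verifies: ' . (passwordIsValid($db, 7, "ak'tye") ? 'yes' : 'no') . PHP_EOL;

// A user ID with no row: the UPDATE succeeds as SQL but changes nothing, which is reported instead of hidden.
[$ok, $message] = changePassword($db, 999, $newPassword, $newPassword);
echo ($ok ? 'OK' : 'FAIL') . ': ' . $message . PHP_EOL;
```

Run it with `php changepwd_demo.php` (any file name). The point of the last call is the diagnostic: distinguishing "the query errored" from "the query ran and matched no row" is exactly the information the original page's single `if ($result)` branch throws away.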

As stated, I would never trim the password or do anything to it until it is verified; even then I would just apply a password hash to it. Though sanitizing the password, in my opinion, is OK. If a person is putting special characters into his or her password, then in my opinion that person is up to no good or really doesn't know how to make a secure password.

Maybe something like
[php]
$p1 = filter_input(INPUT_POST, 'password1', FILTER_SANITIZE_SPECIAL_CHARS);
$p2 = filter_input(INPUT_POST, 'password2', FILTER_SANITIZE_SPECIAL_CHARS);
// Check for a new password and match it against the confirmed password.
if (isset($p1) && isset($p2) && ($p1 == $p2)) {
    $result = true;
} else {
    $result = false;
}
[/php]

If you're really paranoid, I would also check the old password against the database table, assuming the person is logged in, but I don't know why a person would be allowed to change his/her password if not logged in?
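An added illustration, not code from the thread, of what FILTER_SANITIZE_SPECIAL_CHARS does to a password that contains the characters a generator will happily emit, together with the old-password check suggested above done with password_verify(). The sample password and the hashes are constructed in memory; no database or form input is involved.

```php
<?php
// Added example (not from the thread): FILTER_SANITIZE_SPECIAL_CHARS rewrites
// characters a password may legitimately contain, so a hash made from the
// filtered value never verifies against what the user actually types.

/** Return the value the sanitizing snippet above would hand to the hash. */
function sanitizedForm(string $typed): string
{
    return (string) filter_var($typed, FILTER_SANITIZE_SPECIAL_CHARS);
}

/** True when filtering would have altered the password before it was hashed. */
function filterAltersPassword(string $typed): bool
{
    return sanitizedForm($typed) !== $typed;
}

/**
 * The old-password check: a logged-in user still proves knowledge of the current
 * password before it is replaced. The stored hash must have been made from the
 * raw input, so the raw input is what gets verified.
 */
function oldPasswordMatches(string $typedOld, string $storedHash): bool
{
    return password_verify($typedOld, $storedHash);
}

// Constructed sample: the kind of string a control panel's password generator emits.
$generated = "Qw<7>&'x\"9!";

echo 'typed:    ' . $generated . PHP_EOL;
echo 'filtered: ' . sanitizedForm($generated) . PHP_EOL;
echo 'altered:  ' . (filterAltersPassword($generated) ? 'yes' : 'no') . PHP_EOL;

// Hash made from the filtered value, which is what the sanitizing snippet would store.
$hashOfFiltered = password_hash(sanitizedForm($generated), PASSWORD_DEFAULT);
echo 'typed password verifies against hash of filtered value: '
    . (oldPasswordMatches($generated, $hashOfFiltered) ? 'yes' : 'no') . PHP_EOL;

// Hash made from the raw value: the form that round-trips at login and at the old-password check.
$hashOfRaw = password_hash($generated, PASSWORD_DEFAULT);
echo 'typed password verifies against hash of raw value: '
    . (oldPasswordMatches($generated, $hashOfRaw) ? 'yes' : 'no') . PHP_EOL;
```

The filter turns `<`, `>`, `&`, `'` and `"` into HTML entities, so the "filtered" line is longer than the "typed" line and only the raw-value hash verifies. Escaping for HTML belongs at output time; a password is hashed, never displayed, so it needs neither sanitizing nor trimming on the way in.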

This is not quite true?
Take a look at the image I attached; this is a screenshot from my WHM control panel where I set up new domains. Their password generator is quite happy to throw out non-alphanumeric strings...

Perhaps they've forgotten it and are going through a reset password process?

The rest, however, I agree with.
Red :wink:

