Change Password function

Hi there

I’m a newbie to all of this so please be gentle!

I am starting up my own online business and I am feeling my way through PHP. I have been doing ok so far but I’m having problems with the “change your password” function. I change the password, I receive a reactivation email, but when I try to log in with the new password it hasn’t changed.

Code I’m using as follows:


[php]
<?php
// process.php
include 'config.php';

if (isset($_POST['changepassword'])) {
    $current = trim($_POST['current']);
    $new     = trim($_POST['new']);
    $confirm = trim($_POST['confirm']);
    $pw      = md5($current);

    // Look up the account by the hash of the current password
    $query = mysql_query("SELECT * FROM Users WHERE Password = '$pw' LIMIT 1") or die(mysql_error());
    if (mysql_num_rows($query) > 0) {
        while ($row = mysql_fetch_array($query)) {
            // New password and confirmation must match
            if ($_POST['new'] == $_POST['confirm']) {
            } else {
                echo '';
                echo '';
                exit;
            }
            $password = md5($new);
            $do = mysql_query("UPDATE Users SET Password = '$password' WHERE Password = '$pw' LIMIT 1") or die(mysql_error());
            $dotwo = mysql_query("UPDATE Users SET Activated = 0 WHERE Password = '$password' LIMIT 1") or die(mysql_error());
            $send = mail($row['Email'], "Password changed", "Your password has been changed to: ".trim($_POST['new'])."\n\nYou can change it again via the members only panel, but first you must re-activate your account:\n".$row['Actkey']."\n\nDo not reply to this email, it is automated. Thanks.", "From: [email protected]");
            if ((($do) && ($dotwo) && ($send))) {
                echo '';
                echo '';
                exit;
            } else {
                echo '';
                echo '';
                exit;
            }
        }
    } else {
        echo '';
        echo '';
        exit;
    }
}
[/php]

Would really appreciate some help. Thanks! x

First off, after reviewing your code, you can combine $do and $dotwo into one query:

[php]"UPDATE Users SET Password = '$password', Activated = '0' WHERE Password = '$pw'"[/php]

Also, basing your matches for the UPDATE off of the Password field might be fine now, but it will get you into trouble later when you have a lot of members and some members might use the same password and one member might actually change a password for another user. I would advise you to use the username field as the where clause. Also, even though it is legal in the syntax, I don’t think you need to use the LIMIT clause either. Try changing the query syntax to something like the following:

[php]$do = mysql_query("UPDATE Users SET Password='$password', Activated='0' WHERE Username='$username'");[/php]

Hope this helps =D.
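The advice in the reply above, as an added example that is not code from either poster: the account is selected by username rather than by password hash, and a single parameterized UPDATE sets both columns. It swaps md5() and mysql_query() for password_hash()/password_verify() and PDO, runs against an in-memory SQLite table with constructed users, and leaves out the notification mail; the function name change_password and the sample data are assumptions.

```php
<?php
// Added example, not the posters' code. Assumes Users(Username, Password, Activated)
// and that $username comes from the logged-in session, not from the form.
function change_password(PDO $db, string $username, string $current,
                         string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {
        return 'mismatch';
    }
    // Find the account by username; the password is only verified, never matched on.
    $stmt = $db->prepare('SELECT Password FROM Users WHERE Username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($current, $hash)) {
        return 'bad-current';
    }
    // One statement sets both columns for exactly this user.
    $upd = $db->prepare(
        'UPDATE Users SET Password = ?, Activated = 0 WHERE Username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return $upd->rowCount() === 1 ? 'changed' : 'failed';
}

// Constructed demo data: two members who happen to share a password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (Username TEXT PRIMARY KEY, Password TEXT, Activated INTEGER)');
$ins = $db->prepare('INSERT INTO Users VALUES (?, ?, 1)');
foreach (['alice', 'bob'] as $name) {
    $ins->execute([$name, password_hash('summer2012', PASSWORD_DEFAULT)]);
}

echo change_password($db, 'bob', 'summer2012', 'n3w-Secret', 'n3w-Secret'), "\n";
echo change_password($db, 'bob', 'wrong-guess', 'x', 'x'), "\n";

// Show that alice's row is untouched although her password was identical to bob's.
$check = $db->prepare('SELECT Password, Activated FROM Users WHERE Username = ?');
foreach (['alice', 'bob'] as $name) {
    $check->execute([$name]);
    [$hash, $active] = $check->fetch(PDO::FETCH_NUM);
    printf("%s: old password %s, Activated=%d\n", $name,
        password_verify('summer2012', $hash) ? 'still valid' : 'replaced', $active);
}
```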
