Php mysql UPDATE function only works on certain pages.

For the request of many I wanted to put in a change password page. I set up the form and made it go to the page where it should change the pass data and then encode it in md5 or whatever other encoding process I find better to use. Everything flows through nicely, there are no error 500 pages, except when you go to type in your new password, it hasn’t changed and you have to use your old one. Here is the code I used to update it.

mysqli_query($con,"UPDATE tz_members SET pass=md5($newpass) WHERE pass=md5($oldpass)");

I should also mention I change things in the same table on other webpages just fine. What am I doing wrong? Please help.

I see you are using mysqli, so you might as well use prepared statements; plus, using md5 is a big security issue. In my opinion, using a password hashing library is the way to go. https://github.com/ircmaxell/password_compat/blob/master/lib/password.php

[php]<?php #mysqli Version 1.0 beta

// common.inc.php file contains required
// database connection initialization info:
require 'includes/common.inc.php';

// A nice password hashing library for PHP 5
// Find it here: https://github.com/ircmaxell/password_compat/blob/master/lib/password.php
// Read the Documentation for further help:
require 'includes/password.inc.php';

if (isset($_POST['action']) && $_POST['action'] == 'login') {

    $username = $_POST['username']; // Value that is bound to the ? marker below

    /* This is where you setup your query */
    $query = 'SELECT id,
                     username,
                     password,
                     DATE_FORMAT(date_added, "%e %M %Y") as date_added
              FROM users
              WHERE username = ?';
    $stmt = $mysqli->prepare($query); // Prepare the query:

    /* bind parameters for markers */
    $stmt->bind_param("s", $username);

    /* execute query */
    $stmt->execute();

    /* bind variables to prepared statement */
    $stmt->bind_result($id, $name, $password, $date_added);

    /* fetch values */
    while ($stmt->fetch()) {
        $row['id'] = $id;
        $row['username'] = $name;
        $row['password'] = $password;
        $row['date_added'] = $date_added;
    }
    $stmt->close();

    // This variable tells us whether the user has successfully logged in or not.
    // We initialize it to false, assuming they have not.
    // If we determine that they have entered the right details, then we switch it to true.
    $login_ok = false;

    // Check the user data retrieved from the database. If $row is not set, then the
    // username they entered is not registered.
    if (isset($row) && $row['username'] == $username) {

        // Verify Stored Hashed Password:
        $result = password_verify($_POST['password'], $row['password']);

        /* If password matches user's database then proceed. */
        if ($result) {
            $login_ok = true;
        } else {
            $errMsg = 'Invalid Credentials!';
        }
    }

    // If login is OK:
    if ($login_ok) {

        // It's not wise to store the password in $_SESSION:
        unset($row['password']);

        // This stores the user's data into the session at the index 'user'.
        // We will check this index on the private members-only page to determine whether
        // or not the user is logged in.  We can also use it to retrieve
        // the user's details.
        $_SESSION['user'] = $row;

        // Redirect the user to the private members-only page.
        header("Location: login.php");
        exit();
    }

}
?>
[/php]
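
The same prepared-statement and password-hashing approach applied to the password change the question asks about, as an added example that is not code from either poster. It assumes tz_members has an `id` column and a `pass` column wide enough for password_hash() output (VARCHAR(255)) that already holds such hashes rather than md5 values, that the form posts fields named `oldpass` and `newpass`, and that common.inc.php provides `$mysqli` and starts the session.

```php
<?php
// Added example: change-password handler using a prepared UPDATE.
// Assumptions (not from the original posts): tz_members has an `id` column,
// `pass` is VARCHAR(255) holding password_hash() output, the form fields are
// named `oldpass` / `newpass`, and common.inc.php starts the session.
require 'includes/common.inc.php';   // provides $mysqli, as in the answer above
require 'includes/password.inc.php'; // password_compat, only needed before PHP 5.5

// Make mysqli throw on failure instead of silently returning false,
// so a broken query cannot pass unnoticed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function change_password(mysqli $mysqli, $userId, $oldPass, $newPass)
{
    // Look the row up by the logged-in user's id, never by password hash:
    // "WHERE pass = ..." would update every member sharing that password.
    $stmt = $mysqli->prepare('SELECT pass FROM tz_members WHERE id = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // Reject unknown users and wrong current passwords the same way.
    if (!$found || !password_verify($oldPass, $storedHash)) {
        return false;
    }

    // Values travel as bound parameters, so quoting cannot break the query.
    $newHash = password_hash($newPass, PASSWORD_DEFAULT);
    $stmt = $mysqli->prepare('UPDATE tz_members SET pass = ? WHERE id = ?');
    $stmt->bind_param('si', $newHash, $userId);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

if (isset($_SESSION['user']['id'], $_POST['oldpass'], $_POST['newpass'])) {
    $changed = change_password($mysqli, (int) $_SESSION['user']['id'],
                               $_POST['oldpass'], $_POST['newpass']);
    if ($changed) {
        session_regenerate_id(true); // new session id after a credential change
    }
    echo $changed ? 'Password updated.' : 'Password not changed.';
}
```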
