I've basically completed my change password form. I just have one issue. When a user wants to change their password it asks for 'Current Password', 'New Password' and 'New password again'. So here's my error: when I enter 'Current Password' and it's right in the database, and then I hit submit, nothing shows up in the 'errors' if you will. I want it to basically show: 'Please fill out the whole form'
Image 1:
Image 2:
On image 2 it should display under home 'Please fill out the whole form'
Here's my code:
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
else {echo "<div class='results'>Please fill out the whole form</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br></a></p></h2></div>";}
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' required><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
I think the problem is in your code formatting.
As much as I understood from your code, this portion:
//check passwords
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
else {echo "<div class='results'>Please fill out the whole form</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br></a></p></h2></div>";}
{
seems to be syntactically messed up.
You need to re-arrange and clean up your code in the following way:
<?php
session_start();
//opening if and other stuff you'll do here
//check passwords and your code correction done here
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '')
{
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else
{
echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";//I removed an extra curly brace here
}
}
else
{
echo "<div class='results'>Please fill out the whole form</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br></a></p></h2></div>";
}
}
else
{
echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";
}
//do your rest of the work here and end your opening if
?>
Honestly, your code looks aweful. One of the signs of a good developer is that he/she makes the code readable, and one of the ways you make your code readable is to follow proper indentation in blocks of code. All your if-else blocks look terrible, you don't seem to care at all about indenting them. The result? You can see for yourself. You code's all messed up, and I had a hard time understanding your if-else blocks, where they started and where they ended. You should go through the following link very seriously: http://www.riedquat.de/prog/style
There's flows of logic that are wrong here...
You say...
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword'])) else { ... } { ... }
... which doesn't make sense. If something is, then do this, else do that should be the statement.
Related
having a bit of trouble with my login / reg forms
Basically when i register (create new user) it takes me to the login.php script and not the register script.
The login form is in the "header.php" page so its at the top of every page including the register form. But dont think that would be an issue?
Register form
<?php
include("config.php");
include("header.php");
?>
<div id="contentwrap">
<form name="myuserform" method="POST" action="register.php" onsubmit="return validateForm();">
<tr class='alt'>
<td>email address: <td><input type="text" name="email">
<tr class='alt'>
<td>Password: <td><input type="password" name="password">
<tr class='alt'>
<td>Your name: <td><input type="text" name="username">
<tr class='alt'>
<td><input type="submit" name="adduser" value="Sign me up!">
</form>
</div>
Register.php
<?php
if (isset($_POST['adduser']))
{
$error = "";
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$md5_pass = md5($password);
$email = mysqli_real_escape_string($connection, $_POST['email']);
if (!isset($username) || empty($username) ||
!isset($password) || empty($password) ||
!isset($email) || empty($email))
{
$error = "All fields must be filled out";
}
else if (user_exists($connection, $username))
{
$error = "Username already registered";
}
else if (strlen($password) < 6)
{
$error = "Password must be at least 6 characters";
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL)) // check if email looks valid
{
$error = "Please enter a valid email";
}
if ($error == "")
{
//$query = "INSERT INTO users (email, password, username) VALUES ('{$email}','{$md5_pass}','{$username}')";
$query = "INSERT INTO users (username, password, email) VALUES ('{$username}','{$md5_pass}','{$email}')";
$result = mysqli_query($connection, $query);
if ($result)
echo " <b>Registered successfully!</b><br/>Please return to the <a href='index.php'>index</a> to login.";
else
$error = "Unable to create new user";
}
if ($error != "") // redo error string check since the last block may have set it
{
echo "Error: {$error}. Please return to the previous page.";
}
exit();
}
?>
Login.php
<?php
include("config.php");
if (isset($_POST['username']) && !empty($_POST['username']) &&
isset($_POST['password']) && !empty($_POST['password']))
{
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = md5($_POST['password']);
$query = "SELECT * FROM users WHERE username='{$username}' AND password='{$password}'";
$res = mysqli_query($connection, $query);
if (mysqli_num_rows($res) >= 1)
{
$row = mysqli_fetch_array($res);
if($row['rank'] == "banned")
{
echo "You have been banned from the site.";
exit();
}
$_SESSION['uid'] = $row['userid'];
$_SESSION['username'] = $row['username'];
if($row['rank'] == "admin")
$_SESSION['is_admin'] = true;
header("Location: index.php");
exit();
}
else
{
echo "Username/password invalid. Return to the <a href='index.php'> home </a>page";
exit();
}
}
echo "Something went wrong, try again"; <--- this is the result im getting
?>
here is the login form (apart of header.php)
<?php
if (!isset($_SESSION['uid']) || empty($_SESSION['uid']))
{
echo "<form action='login.php' method='post'>
Username: <input type='text' name='username' Placeholder='Username' style='width:100px;'/>
Password: <input type='password' name='password' Placeholder='Password' style='width:100px;' />
<input type='submit' name='submit' value='Log In' />";
echo "<div id='freeman'>
<a href='signup.php'> <img src='images/register.jpg' width='60px' height='60px' /> </a>
</div>";
} else {
echo "You are logged is as {$_SESSION['username']} • <a href='logout.php'>Logout</a>";
}
?>
The problem that when you register your not opening a session to consider the user as logged and acquire a session for him.
The other issue your not checking in your login script if the user already have a session which implies that he is already logged in
This question already has answers here:
Stuck on PHP query
(2 answers)
Closed 8 years ago.
I'm just trying to allow a user to be able to change their email without having to enter anything above. At the moment it works but it also says 'Current Password is Incorrect/wrong'. Am I able to ignore 'Current Password is Incorrect/wrong' if I just want the email to be changed?
Thanks!
Image: http://puu.sh/cmcKM/aef56cdaf4.png
I've tried using this but had no success still gave me the same message
if (!empty($_POST['repeatnewpassword']) && !empty($_POST['newpassword'])) {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
My code:
<title>Honda</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
EDIT - FRED:
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if($_POST['newpassword']){
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
} else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' ><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
else
die ("You must be logged in to change your password");
?>
Make sure you check if someone even has typed a password, if so you change the password and otherwise you only change the email
Like this:
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if($_POST['newpassword']){
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
} else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}
Ariana your code is a little confusing, I think you got a little lost in your code with your else conditions. I rewrote it, try it if it works.
** Updated ***
You really should not use this as it's not safe - try to use mysqli_ instead of mysql_ and learn about mysql_real_escape_string. Anyway, i've updated the code with my comments and it should work.
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($username)){
//user is logged in
if (isset($_POST['submit'])){
#1 Check if fields are not empty
if( !isset($_POST['oldpassword']) || !isset($_POST['newpassword']) ){
echo "Fields empty";
exit();
}
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
$email = $_POST['email'];
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
#2 Check the old password
if($oldpassword==$oldpassworddb){
# they match - check if nwe and repeat pass match
if($newpassword == $repeatnewpassword){
mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username' ");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
# check if email isn't empty so you can update
if( !empty($_POST['email']) ){
mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}else{
echo "<div class='results'>Passwords don't match !</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
}
}else{
# they don't match
echo "<div class='results'>Old password wrong !</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
}
} // end if form submitted
echo "
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}else{
die ("You must be logged in to change your password");
}
?>
<img src="../images/main.jpg">
I've created a page that allows users to change their password and email. All of it works but for some reason when I just want to change my email I also get the field Current Password is incorrect. The email itself changes in the database but this shows up, I've obviously validated that it shwos up but I am unsure of how to get around to write a new query that will ignore the previous queries if only the email is changed.
My code:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
You're checking that the post values are set for the password (which they always will be, because that form element will always be submitted). Instead of simplychecking if those vaues are set, make sure thay're not empty. use empty() Also, when making comparisons don't use the word "AND" use the and operator "&&".
if (!empty($_POST['repeatnewpassword']) && !empty($_POST['newpassword'])) {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
I'm looking at the wrong chunk of code. The above advice is good advice, but your problem is here:
If the password fields are empty then these will never be the same, so if ($oldpassword==$oldpassworddb) will always evaluate false.
Try
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
Your query is probably spitting out an array. Try doing print_r($row) and examining the output. I have a feeling you're getting an associative array here and need to access the old password differently. Put the print_r after this line:
$row = mysql_fetch_assoc($queryget);
The answer is probably $row[0]['password'];
Also, don't use MD5 for hashing, use Scrypt or something like that with salt and maybe pepper.
The following script works fine, it allows a user to log in.
After they log in, this line of code requests them to click on a link to go to the members.php page.
die("You are now logged in. Please <a href='members.php'>" ."click here</a> to continue.<br /><br />");
Is there a way that I can get the page to automatically redirect to members.php after they log in?
<?php // login.php
include_once 'header.php';
echo "<div class='main'><h3>Please enter your details to log in</h3>";
$error = $user = $pass = "";
if (isset($_POST['user']))
{
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
$pass_hash = md5($pass);
if ($user == "" || $pass == "")
{
$error = "Not all fields were entered<br />";
}
else
{
$query = "SELECT user,pass FROM members
WHERE user='$user' AND pass='$pass_hash'";
if (mysql_num_rows(queryMysql($query)) == 0)
{
$error = "<span class='error'>Username/Password
invalid</span><br /><br />";
}
else
{
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
die("You are now logged in. Please <a href='members.php'>" . "click here</a> to continue.<br /><br />");
}
}
}
echo <<<_END
<form method='post' action='login.php'>$error
<span class='fieldname'>Username</span><input type='text'
maxlength='16' name='user' value='$user' /><br />
<span class='fieldname'>Password</span><input type='password'
maxlength='16' name='pass' value='$pass' />
_END;
?>
<br />
<span class='fieldname'> </span>
<input type='submit' value='Login' />
</form><br /></div></body></html>
Yes, there is:
header('Location: members.php');
exit;
Remember to include the exit so that your code stops running even if there is a problem processing the header.
Also note, this needs doing before any output is made whatsoever.
http://php.net/manual/en/function.header.php
<?php
if(isset($_POST['user'])){
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
$pass_hash = md5($pass);
if ($user == "" || $pass == ""){
$error = "Not all fields were entered<br />";
}else{
$query = "SELECT user,pass FROM members WHERE user='$user' AND pass='$pass_hash'";
if (mysql_num_rows(queryMysql($query)) == 0){
$error = "<span class='error'>Username/Password invalid</span><br /><br />";
}else{
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
header('Location: members.php');
exit;
}
}
}
include_once 'header.php'; //Any output must be after your header code
echo <<<_END
<form method='post' action='login.php'>$error
<span class='fieldname'>Username</span><input type='text' maxlength='16' name='user' value='$user' /><br />
<span class='fieldname'>Password</span><input type='password' maxlength='16' name='pass' value='$pass' />
_END;
?>
<br />
<span class='fieldname'> </span>
<input type='submit' value='Login' />
</form><br /></div></body></html>
BTW - I have not checked any of your code except that which I mention above
At the point where you have the die() line, you can do this
ob_clean();
header('Location: http://www.example.com');
exit;
If headers are giving you a hard time, you can use this alternate (meta) method:
Where you presently have die("You are now logged in... do:
echo "You are not logged in. You will be redirected in 5 seconds...";
echo "<meta http-equiv=Refresh content=5;url=http://www.yoursite.com/members.php>";
Sidenote: Replace the 5 in content=5 with the amount of seconds you wish to take for the redirection. Using 0 will redirect right away.
It's not the best method but it works in many instances.
Another method is to add ob_start(); under your opening <?php tag which works at times.
Example:
<?php
ob_start();
// login.php
include_once 'header.php';
echo "<div class='main'><h3>Please enter your details to log in</h3>";
$error = $user = $pass = "";
...
$_SESSION['user'] = $user;
$_SESSION['pass'] = $pass;
// die("You are now logged in....
// keep the http:// and replace with your website address
header('Location: http://www.example.com/members.php');
exit;
...
I created a PHP script that allows a user on my website to change their password once registered, but am getting an error when I try to open it on the site. I believe it is due to a syntax error on my part but I can't seem to spot it. Can someone take a look and see what you can find? Here is the script:
<?php
session_start();
$user = $_SESSION['username'];
if ($user)
{
//user is logged in
if ($_POST['submit'])
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("Old password doesn't match!");
}
else
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
else
die ("You must be logged in to change your password");
}
?>
The error I am getting is as follows:
Notice: Undefined index: submit in /var/www/localhost/htdocs/changepassword.php on line 11
You must be logged in to change your password.
Thanks in advance for your help.
Well first you should notice that mysql is deprecated, use mysqli or PDO instead More info or like NullPointer has pointed More Good Info :)
change the end of your code like this to get the right results that you want for fail:
}else
die ("Nothing came from the $_POST variable");
}else
die ("You must be logged in to change your password");
The error that your getting is maybe because your $_POST variable isn't set, use isset() to check if $_POST was set.example:
if (isset($_POST['submit']))
{
//submit post was set
}else
{
//submit post wasn´t set
}
If you still not getting any value, check your form.
UPDATE:
to see the actual form you must end the isset before the form your code stays like this:
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("New password doesn't match!");
}else
die("Old password doesn't match!");
}
else
{
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
But you wont see it until your logged in. Your second problem is that your $user variable seems to dont have any value. after trying the above code if it wont work.
put this line after
$user = $_SESSION['username'];
echo 'Here it shold show the user: '.$user.'';
if it wont show up your not passing the session value right.
One more thing, if your form is pointing to same page, thats what it looks like change your line to this line:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");?>" method='POST'>
Your input html form has an extra space in it
<input type='submit' name ='submit' value='submit'>
Change it to
<input type='submit' name='submit' value='submit'>
You should also make sure
if (isset($_POST['submit']))