Stuck on PHP query - php

I've created a page that allows users to change their password and email. All of it works but for some reason when I just want to change my email I also get the field Current Password is incorrect. The email itself changes in the database but this shows up, I've obviously validated that it shwos up but I am unsure of how to get around to write a new query that will ignore the previous queries if only the email is changed.
My code:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">

You're checking that the post values are set for the password (which they always will be, because that form element will always be submitted). Instead of simplychecking if those vaues are set, make sure thay're not empty. use empty() Also, when making comparisons don't use the word "AND" use the and operator "&&".
if (!empty($_POST['repeatnewpassword']) && !empty($_POST['newpassword'])) {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
I'm looking at the wrong chunk of code. The above advice is good advice, but your problem is here:
If the password fields are empty then these will never be the same, so if ($oldpassword==$oldpassworddb) will always evaluate false.
Try
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))

Your query is probably spitting out an array. Try doing print_r($row) and examining the output. I have a feeling you're getting an associative array here and need to access the old password differently. Put the print_r after this line:
$row = mysql_fetch_assoc($queryget);
The answer is probably $row[0]['password'];
Also, don't use MD5 for hashing, use Scrypt or something like that with salt and maybe pepper.

Related

Display PHP error when submit

I'm trying to make an error message pop up when a user enters the current password and it's correct but enters nothing more. So e.g. User wants to change his/her password, enters current one and its correct he/she presses submit. It should display an error saying 'Please enter all fields!'. Right now it's just nothing and I'm really stuck:(
Any help would be great!
IMAGE 1: http://gyazo.com/e58f10783bf14c79de487f4eeb05f7e8
IMAGE 2: http://gyazo.com/ea789cc87166cea88453d6c1c59733b6
(here it should say, please fill out all the fields!)
My code:
<title>Hondac</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' required><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
Check to see if the fields are empty:
if(empty($newpassword) || empty($repeatnewpassword)){
echo 'All fields required.';
}else{
//continue with code
}
Make sure you start your session before any HTML output. You need to find out if the password fields contain any data or not, only then will you process them. You also need to make sure your queries are completing as expected, if not throw an error. I added some error reporting and hopefully this will work for you.
<?php
session_start();
?>
<title>Hondac</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
if (isset($_SESSION['sess_user'])) {
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
} else {
echo "session not started!";
}
if (isset($_SESSION['sess_user'])) {
//user is logged in
if (isset($_POST['submit'])) {
//start changing password
//check fields
if (!empty($_POST['oldpassword'])) {
$oldpassword = md5($_POST['oldpassword']);
} else {
echo "Please enter your current password.";
exit;
}
if (!empty($_POST['newpassword'])) {
$newpassword = md5($_POST['newpassword']);
} else {
echo "Please enter a new password.";
exit;
}
if (!empty($_POST['oldpassword'] && $_POST['newpassword'] && $_POST['repeatnewpassword'])) {
$repeatnewpassword = md5($_POST['repeatnewpassword']);
} else {
echo "Please confirm new password.";
exit;
}
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT `password` FROM `login` WHERE `username`='$username'");
if (!$queryget) {
die('Query failed: ' . mysql_error());
}
$numrows = mysql_num_rows($queryget);
if ($numrows != 1) {
echo "<div class='results'>Password change failed.</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
} else {
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
}
//check passwords
if ($oldpassword==$oldpassworddb) {
if ($newpassword==$repeatnewpassword) {
$querychange = mysql_query("UPDATE `login` SET `password`='$newpassword' WHERE `username`='$username'");
if (!$querychange) {
die('Query failed: ' . mysql_error());
}
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index.php'><br><br></a></p></h2></div>";
} else {
echo "<div class='results'>new password(s) don't match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
}
} else {
echo "<div class='results'>Current password doesn't match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";
}
if (isset($_POST['email']) && $_POST['email'] != '') {
$querychange = mysql_query("UPDATE `login` SET `email`='$email' WHERE `username`='$username'");
if (!$querychange) {
die('Query failed: ' . mysql_error());
}
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index.php'><br><br></a></p></h2></div>";
}
} else {
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' required><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
</form>
";
}
} else {
echo "You must be logged in to change your password";
exit;
}
?>
I have made a user validate class to check empty and matching for new and new confirmed. I didn't fully read your code (I assumed too much) but now I think this may work a bit better. I can't check your sql stuff but the rest should work pretty good.
<?php session_start();
error_reporting(E_ALL);
class UserValidate
{
protected $config;
public $errorCode;
// This sets the default directory for your config file
public function __construct($config = '../includes/config.php')
{
$this->config = $config;
}
// This gathers errors
public function errors($value = '',$code = 'general')
{
$this->errorCode[$code] = $value;
}
// This checks if your new passwords are 1) empty 2) match
public function CheckEqualNew($newpass1 = '',$newpass2 = '')
{
// If new password is empty
$valid[] = (!empty($newpass1))? 0:1;
// If new password confirm is empty
$valid[] = (!empty($newpass2))? 0:1;
// If all is good
if(array_sum($valid) == 0) {
// Check that the new and new confirmed equal each other
if(md5($newpass1) == md5($newpass2))
$_isValid = 1;
else {
$_isValid = 0;
$this->errors('New Passwords Must Match','match');
}
}
// one of the new passwords are empty
else
// assign an error
$this->errors('Cannot have empty passwords','match');
// Return the validity
return (!isset($_isValid) || $_isValid == 0)? false:true;
}
// This will check your database to see if username and password match
public function Validate($username = '',$password = '')
{
if(!empty($username) && !empty($password)) {
include($this->config);
$username = mysql_real_escape_string($username);
$password = md5($password);
$sql = "SELECT password FROM login WHERE username='$username' and password = '$password'";
$query = mysql_query($sql) or die ("change password failed");
$row = mysql_fetch_assoc($query);
}
else
$this->errors('Username / Password Can Not Be Empty','err');
return ((isset($row['password']) && !empty($row['password'])) || !isset($row))? true:false;
}
// This will update the password
public function UpdatePassword($info = array())
{
if(!empty($info)) {
include($this->config);
$username = md5($info['username']);
$password = md5($info['password']);
$sql = "UPDATE login SET password='$password' WHERE username='$username'";
mysql_query($sql);
}
else
$this->errors('Values can not be empty.','update');
}
// This will update the email address for the account
public function UpdateEmail($info = array())
{
include($this->config);
$email = $info['email'];
$username = $info['username'];
$sql = "UPDATE login SET email='$email' WHERE username='$username'";
mysql_query($sql);
}
// This will display your errors and success
public function Display($err = '',$result = 'success')
{ ?>
<div class='successmate' style="margin-bottom: 20px;">
<h2><?php echo $err; ?></h2>
</div>
<div class='successmate' style="margin-bottom: 20px;">
<hr>
<h2><a href='<?php echo ($result == 'success')? "index.php":"changepassword.php"; ?>'><?php echo ($result == 'success')? "Thank You!":"Try again?"; ?></a></h2>
</div>
<?php
}
} ?>
<title>Hondac</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
$_SESSION['sess_user'] = 'me';
// Assign username from session
if(isset($_SESSION['sess_user']))
$username = $_SESSION['sess_user']; ?>
<div class="search1">
<h2><?php echo $username; ?></h2>
<div class="search12">
<h2>Home</h2></p>
</div>
</div>
<?php
// If the session is set, continue
if (isset($_SESSION['sess_user'])) {
// Create instance of your user app
$vEngine = new UserValidate();
// If user submits change, validate
if(isset($_POST['submit'])) {
// This only checks the validity of your new passwords
// If empty or equal
$valiate_new = $vEngine->CheckEqualNew($_POST['newpassword'],$_POST['repeatnewpassword']);
if($valiate_new == true)
// This will check db if old password is valid
$valiate_old = $vEngine->Validate($username,$_POST['oldpassword']);
}
// If you want to see raw errors uncomment
// print_r($vEngine->errorCode);
// If both new and old passwords are set
// I would block here if one of these comes back as false
// but that is up to you
if(isset($valiate_new) && isset($valiate_old)) {
// Valid Old
if ($valiate_old == true) {
// Valid new
if ($valiate_new == true) {
// Successful update
$vEngine->UpdatePassword(array("username"=>$username, "password"=>$_POST['newpassword']));
// Display success message
$vEngine->Display("You have successfully changed your password.");
}
else
// Display failure message -> a match error
$vEngine->Display($vEngine->errorCode['match'],'err');
}
else
// Display failure message -> a match error
$vEngine->Display($vEngine->errorCode['match'],'err');
// filter_var for email validation
if (isset($_POST['email']) && filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
// Update
$vEngine->UpdateEmail(array("email"=>$_POST['email'],"username"=>$username));
// Display success message
$vEngine->Display("You have successfully changed your email.");
}
}
else { ?>
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' required><p>
<?php if(isset($vEngine->errorCode['invalid'])) echo $vEngine->errorCode['invalid']; ?>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<?php if(isset($vEngine->errorCode['match'])) echo $vEngine->errorCode['match']; ?>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
</form>
<?php
}
}
else
die ("You must be logged in to change your password"); ?>
<img src="../images/main.jpg">

Trying to allow PHP if empty [duplicate]

This question already has answers here:
Stuck on PHP query
(2 answers)
Closed 8 years ago.
I'm just trying to allow a user to be able to change their email without having to enter anything above. At the moment it works but it also says 'Current Password is Incorrect/wrong'. Am I able to ignore 'Current Password is Incorrect/wrong' if I just want the email to be changed?
Thanks!
Image: http://puu.sh/cmcKM/aef56cdaf4.png
I've tried using this but had no success still gave me the same message
if (!empty($_POST['repeatnewpassword']) && !empty($_POST['newpassword'])) {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
My code:
<title>Honda</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb && !empty($_POST['oldpassword']))
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
EDIT - FRED:
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if($_POST['newpassword']){
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
} else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}
}
else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword' ><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
else
die ("You must be logged in to change your password");
?>
Make sure you check if someone even has typed a password, if so you change the password and otherwise you only change the email
Like this:
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if($_POST['newpassword']){
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
else {echo "<div class='results'>new password(s) dont match</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";}
}
} else {echo "<div class='results'>current password doesnt match</div><div class='successmate'><h2><p><a href='changepassword.php'><br><br>Try again?</a></p></h2></div>";}
}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}
Ariana your code is a little confusing, I think you got a little lost in your code with your else conditions. I rewrote it, try it if it works.
** Updated ***
You really should not use this as it's not safe - try to use mysqli_ instead of mysql_ and learn about mysql_real_escape_string. Anyway, i've updated the code with my comments and it should work.
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2><div class="search12"><h2>Home</h2></p></div></div>';
if (isset($username)){
//user is logged in
if (isset($_POST['submit'])){
#1 Check if fields are not empty
if( !isset($_POST['oldpassword']) || !isset($_POST['newpassword']) ){
echo "Fields empty";
exit();
}
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
$email = $_POST['email'];
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
#2 Check the old password
if($oldpassword==$oldpassworddb){
# they match - check if nwe and repeat pass match
if($newpassword == $repeatnewpassword){
mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username' ");
echo "<div class='successmate'><br><br><br><br><hr>Password has been changed!</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
# check if email isn't empty so you can update
if( !empty($_POST['email']) ){
mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "<div class='successmate'><br><br><br><br><hr>Your email has been changed</hr></div><div class='successmate'><br><hr><br><h2><p><a href='index2.php'><br><br></a></p></h2></div>";
}
}else{
echo "<div class='results'>Passwords don't match !</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
}
}else{
# they don't match
echo "<div class='results'>Old password wrong !</div><div class='successmate'><br><br><h2><p><a href='changepassword.php'>try again?</a></p></h2></div>";
}
} // end if form submitted
echo "
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:*</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:*</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:*</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}else{
die ("You must be logged in to change your password");
}
?>
<img src="../images/main.jpg">

PHP update users settings

I've made a page on PHP to allow a user to change his details so far, all of it works and so did email(
So what I'm basically trying to do is, allow a user to be able to change his details (password) (email) etc.. Right now a user has to change all his details to change 1 specific thing. I want the user to be able to change his email without having to change his password
My code:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
else
die("<div class='results'>New password doesn't match!</div>");
}else
die("<div class='results'>Old password doesn't match!</div>");
}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
Usually to change password, you first create empty fields for them. Than check if they are filled in, if so, check if valid and update password, else, just update any other details.
[html]
<input type="password" name="password" value=""/>
<input type="password" name="password_repeat" value=""/>
[php]
$updates = [];
if (!empty($_POST['password']) && !empty($_POST['password_repeat'])) {
/* do validation */
$pswd = sha1($saltString . $_POST['password']);
$updates['password'] = "password = `{$pswd}`";
}
unset($_POST['password']);
unset($_POST['password_repeat']);
$sql = "UPDATE `tbl_table` SET ";
foreach ($_POST as $columnName => $value) {
/* mind SQL Injection! */
$updates[$columnName] = "{$updates} = `{$values}`";
}
if (!empty($updates)) {
$sql .= implode(', ', $updates);
mysql_query($sql);
}
Show the pre-filled form first
When form is posted, check for the updates in each field
Update the record in DB sending just the updated fields
P.S. For password, you may have to check the hashed version against the one stored in DB ( mostly MD5)

Struggling with PHP update users

I've just created a page where users are able to change details such as their password and email address. It works, but now I want to allow a user to change their email without having to change their password as well.
So basically, if a user only wanted to change their email it will update in the database without having to change their password as well.
How would I do this?
Code:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all"/>
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>' . $username . '</h2></div>';
if (isset($_SESSION['sess_user'])) {
//user is logged in
if (isset($_POST['submit'])) {
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword == $oldpassworddb) {
//check two new passwords
if ($newpassword == $repeatnewpassword) {
//successs
//change password in db
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
} else
die("<div class='results'>New password doesn't match!</div>");
} else
die("<div class='results'>Old password doesn't match!</div>");
} else {
echo "
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
} else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
Any help would be appreciated!
EDIT-Michael:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
}}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
else
die("<div class='results'>New password doesn't match!</div>");
}else
die("<div class='results'>Old password doesn't match!</div>");
}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
You can change your code as follows:
//successs
//change password in db
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
}}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
EDIT
Complete Page:
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2></div>';
if (isset($_SESSION['sess_user']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
if (isset($_POST['repeatnewpassword']) AND isset($_POST['newpassword']) AND $_POST['newpassword'] != '') {
if ($newpassword==$repeatnewpassword)
{
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
echo "Password changed";
}
else {echo "New PASSWORDs doesn't match";}
}
}
else {echo "New PASSWORDs doesn't match";}
if (isset($_POST['email']) AND $_POST['email'] != '') {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
echo "EMAIL changed";
}}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}}
else
die ("You must be logged in to change your password");
?>
<img src="../images/main.jpg">
Do a check to see if they are interested in resetting anything else other than email:
if (isset($_POST['submit'])) {
//start changing password
//check fields
if(isset($_POST['oldpassword']) && (! empty($_POST['oldpassword']))){
//password was posted, they may want to change it
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
}
...

Same form but have input do something else

just created a 'changedetails.php' page where users are able to change their details such as 'password' and 'email'. They all work successful but I am trying to allow a user to change their email without having to change their password as well.
So basically, if a user only wanted to change their email it will update in the DB without having to change their passwords.
Code:
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2></div>';
if (isset($_SESSION['sess_user'])) {
//user is logged in
if (isset($_POST['submit'])) {
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password
FROM login
WHERE username='$username'")
or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb) {
//check two new passwords
if ($newpassword==$repeatnewpassword) {
//successs
//change password in db
$querychange = mysql_query("UPDATE login
SET password='$newpassword'
WHERE username='$username'");
$querychange = mysql_query("UPDATE login
SET email='$email'
WHERE username='$username'");
die("<div class='successmate'>
Your password has been changed. <a href='index2.php'>
<br><br> Return</a></div>");
} else {
die("<div class='results'>New password doesn't match!</div>");
}
} else {
die("<div class='results'>Old password doesn't match!</div>");
}
} else {
echo "<form class='search1' action='changepassword.php' method='POST'>";
echo "<label>Old Password:</label> <input type='password' id='password' name='oldpassword'>";
echo "<p><label>New Password:</label> ";
echo "<input type='password' id='password' name='newpassword'>";
echo "<p><label>Repeat New Password:</label> ";
echo "<input type='password' name='repeatnewpassword'><p>";
echo "<label>Email:</label> <input type='email' name='email'>";
echo "<p><input type='submit' name='submit' class='submit' value='submit'>";
echo "<br><br><br><h2><p><a href='index2.php'>Back</a></p></h2></form>";
}
} else {
die ("You must be logged in to change your password");
}
?>
<img src="../images/main.jpg">
Thanks!
UPDATE 2:
if ($newpassword != "") {
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
}
else
die("<div class='results'>New password doesn't match!</div>");
}else
die("<div class='results'>Old password doesn't match!</div>");
}
}
if ($email != "") {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
}
else
{
echo"
<form class='search1' action='changepassword.php' method='POST'>
<label>Current Password:</label> <input type='password' id='password' name='oldpassword'><p>
<label>New Password:</label> <input type='password' id='password' name='newpassword'><p>
<label>Repeat New Password:</label> <input type='password' name='repeatnewpassword'><p>
<label>Email:</label> <input type='email' name='email'><p>
<input type='submit' name='submit' class='submit' value='submit'><br><br><br>
<h2><p><a href='index2.php'>Back</a></p></h2>
</form>
";
}
{else
die ("You must be logged in to change your password");
?>
The problem is you are running the 2 queries right after each other, you need to add a check to see if password is blank, then skip password query, if email is blank then skip email query
EDIT:
if ($newpassword != "") {
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
else
die("<div class='results'>New password doesn't match!</div>");
}else
die("<div class='results'>Old password doesn't match!</div>");
}
}
if ($email != "") {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>Your password has been changed. <a href='index2.php'><br><br> Return</a></div>");
}
FULL CODE SET(Requested by OP)
<title>Honda |</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<link href='http://fonts.googleapis.com/css?family=Julius+Sans+One' rel='stylesheet' type='text/css'>
<link href="../css/style.css" rel="stylesheet" type="text/css" media="all" />
<?php
session_start();
$username = $_SESSION['sess_user'];
echo '<div class="search1"><h2>'.$username.'</h2></div>';
if (isset($_SESSION['sess_user'])) {
//user is logged in
if (isset($_POST['submit'])) {
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$email = $_POST['email'];
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('../includes/config.php');
$queryget = mysql_query("SELECT password FROM login WHERE username='$username'")
or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
if ($newpassword != "") {
//check passwords
if ($oldpassword==$oldpassworddb) {
//check two new passwords
if ($newpassword==$repeatnewpassword) {
//successs
//change password in db
$querychange = mysql_query("UPDATE login SET password='$newpassword' WHERE username='$username'");
die("<div class='successmate'>
Your password has been changed. <a href='index2.php'>
<br><br> Return</a></div>");
} else {
die("<div class='results'>New password doesn't match!</div>");
}
} else {
die("<div class='results'>Old password doesn't match!</div>");
}
}
if ($email != "") {
$querychange = mysql_query("UPDATE login SET email='$email' WHERE username='$username'");
die("<div class='successmate'>
Your email been changed. <a href='index2.php'>
<br><br> Return</a></div>");
}
} else {
echo "<form class='search1' action='changepassword.php' method='POST'>";
echo "<label>Old Password:</label> <input type='password' id='password' name='oldpassword'>";
echo "<p><label>New Password:</label> ";
echo "<input type='password' id='password' name='newpassword'>";
echo "<p><label>Repeat New Password:</label> ";
echo "<input type='password' name='repeatnewpassword'><p>";
echo "<label>Email:</label> <input type='email' name='email'>";
echo "<p><input type='submit' name='submit' class='submit' value='submit'>";
echo "<br><br><br><h2><p><a href='index2.php'>Back</a></p></h2></form>";
}
} else {
die ("You must be logged in to change your password");
}
?>
<img src="../images/main.jpg">

Categories