I am trying to write the script for resetting password, i have got the putting the token into database, and checking if the token exist in the database, and to the part where i am going to reset the database. But for some reason,it is updating the database where there are no tokens. I am not sure why.... I am very new to coding, hope my code isnt too hard to read and have too much flaws.
<?php
ini_set('display_errors', 1); error_reporting(E_ALL);
session_start();
include 'connect.php';
$token = isset($_GET['token'])?$_GET['token']:"";
echo"$token";
$check=mysqli_query($con,"SELECT email FROM Test WHERE reset = '$token'")or die( mysqli_error($con));
while($row = mysqli_fetch_array($check)){
$email = $row['email'];
}
if (mysqli_num_rows($check)==0)
echo ("Token Doesnt exist");
elseif($_POST) {
//get form data
$password1 = mysqli_real_escape_string($con,$_POST['password1']);
$password = mysqli_real_escape_string($con,$_POST['password']);
if (!$password){
echo "Please fill out all fields";
}
else if ($password1 !== $password)
{
echo "Password don't match";
}
else
{
echo"$email";
echo"token";
//encrypt password
$password = md5($password);
//check if username already taken
mysqli_query($con,"UPDATE Test SET password = '$password'
where email = '$email';") or die(mysqli_error($con));
//register into database
echo "Added";
}
}
else
{
?>
<form action='ResetPassword.php' method='POST'>
Your new password:<br />
<input type='password' name='password1'><p />
Re-enter your new password:<br />
<input type='password' name='password'><p />
<input type='submit' name='Change Password' value='Change Password'>
</form>
<?php
}
?>
try
<?php
ini_set('display_errors', 1); error_reporting(E_ALL);
session_start();
include 'connect.php';
$token = isset($_GET['token']) ? $_GET['token'] : "";
if(!empty($token)) {
$check=mysqli_query($con,"SELECT email FROM Test WHERE reset = '$token'")or die( mysqli_error($con));
if (mysqli_num_rows($check)> 0) {
$row = mysqli_fetch_array($check)
$email = $row['email'];
}
else {
echo 'Email not found with this Token';
}
}
else {
echo 'Token does not exist';
}
if(!empty($email) && isset($_POST['changepass'])) {
$password1 = mysqli_real_escape_string($con,$_POST['password1']);
$password = mysqli_real_escape_string($con,$_POST['password']);
if (!$password){
echo "Please fill out all fields";
}
else if ($password1 !== $password) {
echo "Password don't match";
}
else {
//encrypt password
$password = md5($password);
//check if username already taken
mysqli_query($con,"UPDATE Test SET password = '$password' where email = '$email'") or die(mysqli_error($con));
echo "Added";
}
}
if(!isset($_POST['changepass'])){?>
<form action='ResetPassword.php' method='POST'>
Your new password:<br />
<input type='password' name='password1'><p />
Re-enter your new password:<br />
<input type='password' name='password'><p />
<input type='hidden' name='token' value='<?php if(isset($_GET['token'])) echo $_GET['token'];?>'>
<input type='submit' name='changepass' value='Change Password'>
</form>
<?php }
Related
I am new to PHP: I have searched over 20 answers and tried the various codings suggested without resolving the problem. My issue has obviously caused a problem in the past with other users because of the many times the question has been asked. The issue is that I get a return of "Not all fields were entered," when I submit a form. I am using PHP 7.
I know that I am connected to my MySQL database because I get a return of, "Connected to MySQL" when I submit the query - msqlconnect.php
Here is my code:
<?php
include_once 'functions.php';
$error = $user = $pass = "";
if ($_POST &&isset($_POST['user'], $_POST['pass'])) {
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
if ($user == "" || $pass == "") {
$error = "Not all fields were entered<br />";
} else {
$token = md5("$pass");
$query = 'SELECT user,pass FROM password
WHERE user='$user' AND pass=\'$token\'';
if (mysql_num_rows(queryMysql($query)) == 0) {
$error = "Username/Password invalid<br />";
} else {
$_SESSION['user'] = $user;
$_SESSION['pass'] = $token;
die("You are now logged in. Please
<a href='xxxx_member.php?view=$user'>click here</a>.");
}
}
}
echo <<<_END
<form method='post' action='xxxx.php'>$error<br />
E-Mail Address: <input type='text' maxlength='255' name='user'
value='$user' /><br /><br />
Password: <input type='password' maxlength='255' name='pass'
value='$pass' /><br />
<br /><br />
<input type='submit' value='Login' />
</form>
_END;
?>
It seems to me that the code is not getting beyond the first 'else' but I cannot work out why.
Any suggestions would be greatly appreciated.
As requested, here are the 'sanitize' functions:
function sanitizeString($var)
{
$con = #mysqli_connect('localhost', 'root', '', 'test');
$user = mysqli_real_escape_string($con, $_POST['user']);
$psass = mysqli_real_escape_string($con, $_POST['pass']);
}
function sanitizemysqli($var)
{
$var = mysqli_real_escape_string($var);
$var = sanitizeString($var);
return $var;
}
I think that the problem appears because the function sanitizeString is not returning the correct string and is returning a empty string. That´s why you always see the same message.
I would debug those variables to see if they are filled or not. Something like this:
<?php
include_once 'functions.php';
$error = $user = $pass = "";
if ($_POST &&isset($_POST['user'], $_POST['pass']))
{
$user = sanitizeString($_POST['user']);
$pass = sanitizeString($_POST['pass']);
var_dump($_POST);
var_dump($user);
var_dump($pass);
die();
if ($user == "" || $pass == "")
{
$error = "Not all fields were entered<br />";
}
else
{
$token = md5("$pass");
$query = "SELECT user,pass FROM password
WHERE user='$user' AND pass='$token'";
if (mysql_num_rows(queryMysql($query)) == 0)
{
$error = "Username/Password invalid<br />";
}
else
{
$_SESSION['user'] = $user;
$_SESSION['pass'] = $token;
die("You are now logged in. Please
<a href='xxxx_member.php?view=$user'>click here</a>.");
}
}
}
echo <<<_END
<form method='post' action='xxxx.php'>$error<br />
E-Mail Address: <input type='text' maxlength='255' name='user'
value='$user' /><br /><br />
Password: <input type='password' maxlength='255' name='pass'
value='$pass' /><br />
<br /><br />
<input type='submit' value='Login' />
</form>
_END;
?>
With this you can check what is happening step by step.
A part of a website I am making gives the option to the user to change their password. I have configured this code and it works fine.
I now want to add a form to the same page, that gives the user an option to change their USERNAME instead. (Individually, so they change their username but don't change the password).
Do I need to repeat the exact same following code and paste it beneath it, obviously adapting particular words to be for the username not password, or is there a way I can ADD to the existing code so that its one single processing code? How do I do this? So for example the first line:
if ($submit == 'Change Password') {,
in my head in English language, I'd like the code to say IF 'change password' OR the 'change username' button is submitted... do the following code etc.
//processing code
<?php
require_once('checklog.php');
require_once('functions.php');
// Grab the form data
$submit = trim($_POST['submit']);
$password = trim($_POST['password']);
$newpassword = trim($_POST['newpassword']);
$repeatpassword = trim($_POST['repeatpassword']);
// Create some variables to hold output data
$message = '';
// Start to use PHP session
session_start();
if ($submit == 'Change Password') {
include_once('connect.php');
mysqli_select_db($db_server, $db_database) or die("Couldn't find db");
//clean the input now that we have a db connection
$password = clean_string($db_server, $password);
$newpassword = clean_string($db_server, $newpassword);
$username = $_SESSION['username'];
$repeatpassword = clean_string($db_server, $repeatpassword);
if ($password && $newpassword) {
if ($repeatpassword == $newpassword) {
if (strlen($newpassword) > 25 || strlen($newpassword) < 6) {
$message = "Password must be 6-25 characters long";
} else {
// check whether username exists
$password = salt($password);
$query = "SELECT username FROM users WHERE username='$username' and password='$password'";
$result = mysqli_query($db_server, $query);
//if theres a result change password to new password
if ($row = mysqli_fetch_array($result)) {
$newpassword = salt($newpassword);
$repeatpassword = salt($repeatpassword);
//update password
$query = "UPDATE users SET password='$newpassword' WHERE username='$username'";
mysqli_query($db_server, $query) or die("Update failed. " . mysqli_error($db_server));
$message = "<strong>Password change successful!</strong>";
} else {
$message = "User account not found.";
}
mysqli_free_result($result);
}
} else {
$message = "Password must match";
}
} else {
$message = "Please enter all fields";
}
include_once('db_close.php');
}
include_once('header_logged.php');
?>
// the forms to change the password or username
!--change password form -->
To change your Password:
<form method="post" action="changepassword.php">
Current password: <input type='password' name='password'>
<br>
<br>
New Password: <input type='password' name='newpassword'>
<br>
<br>
Repeat New Password: <input type='password' name='repeatpassword'>
<input type='submit' name='submit' value='Change Password'>
<input type='reset' name='reset' value='Reset'>
</form>
<p><strong><?php
echo $message;
?></strong></p>
<!--change username form -->
To change your Username:
<form method="post" action="changepassword.php">
Current Username: <input type='username' name='username'>
<br>
<br>
New Username: <input type='username' name='newusername'>
<br>
<br>
Repeat New Username: <input type='username' name='repeatusername'>
<input type='submit' name='change' value='Change Username'>
<input type='reset' name='reset' value='Reset'>
</form>
Thanks for any help, very much appreciated.
use this:
if(isset($_POST['submit']) || isset($_POST['change'])){
//write your code here
}
I know this error is very common and plenty of solution are mentioned but for some reason I cant get it working.
This is my index.php file which is the log in page for users
<?php
session_start();
if (!(isset($_SESSION['username']) && $_SESSION['username'] != '')) {
header ("Location: index.php");
}
?>
...
...
<form name='log' action='loginproc.php' method='POST'>
<input type="text" placeholder="Username" name="username">
<input type="password" placeholder="Password" name="password">
<input type='submit' value='Login' onclick="return check()">
</form>
This is the loginproc.php file
<?php
require 'config.php';
require 'core.inc.php';
if(isset($_POST['username'])&&isset($_POST['password'])) {
$username = $_POST['username'];
$password = $_POST['password'];
if(!empty($username) && !empty($password)) {
// $md5pwd = md5($password);
$query = "SELECT username FROM `login` WHERE `username` = '$username' and `password` = '$password';";
//echo $query;
//$query_run = mysqli_query($query);
//echo $query_run;
if($query_run = mysqli_query($conn,$query)) {
//echo $query_run;
$query_num_rows = mysqli_num_rows($query_run);
if($query_num_rows==0) {
phpAlert( "Invalid USERNAME or PASSWORD combination" );
echo '<script type="text/javascript">window.location = "index.php"</script>';
exit();
//echo '<p> Invalid USERNAME or PASSWORD combination <br /><br /> Click here to Login ';
}
else if($query_num_rows==1) {
//echo 'Hello';
$_SESSION['username']=$username;
header('Location: main.php');
}
}
}
else {
echo 'You Must supply a username and password';
}
}
function phpAlert($msg) {
echo '<script type="text/javascript">alert("' . $msg . '")</script>';
}
?>
The core.inc.php file
<?php
ob_start();
session_start();
function loggedin() {
if(isset($_SESSION['username'])&& !empty($_SESSION['username'])) {
return true;
}
else {
return false;
}
}
?>
you need to add an extra parameter when redirecting to index.php.
<?php
session_start();
if (!(isset($_SESSION['username']) && $_SESSION['username'] != '')) {
if($_REQUEST['ftime']!=1)
{
header ("Location: index.php?ftime=1");
}
}
?>
You need to have the redirect go elsewhere for logged in users and bypass when not logged in:
<?php
session_start();
// if session username is set and valid, go to somewhere else
if(isset($_SESSION['username']) && !empty($_SESSION['username'])) {
// elswhere could be a profile page, or similar
header("Location: elsewhere.php");
// It is more accepted to exit after a header
exit;
}
?>
<!-- All other instances beside valid login will allow this to form to show-->
<form name='log' action='loginproc.php' method='POST'>
<input type="text" placeholder="Username" name="username">
<input type="password" placeholder="Password" name="password">
<input type='submit' value='Login' onclick="return check()">
</form>
having a bit of trouble with my login / reg forms
Basically when i register (create new user) it takes me to the login.php script and not the register script.
The login form is in the "header.php" page so its at the top of every page including the register form. But dont think that would be an issue?
Register form
<?php
include("config.php");
include("header.php");
?>
<div id="contentwrap">
<form name="myuserform" method="POST" action="register.php" onsubmit="return validateForm();">
<tr class='alt'>
<td>email address: <td><input type="text" name="email">
<tr class='alt'>
<td>Password: <td><input type="password" name="password">
<tr class='alt'>
<td>Your name: <td><input type="text" name="username">
<tr class='alt'>
<td><input type="submit" name="adduser" value="Sign me up!">
</form>
</div>
Register.php
<?php
if (isset($_POST['adduser']))
{
$error = "";
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = mysqli_real_escape_string($connection, $_POST['password']);
$md5_pass = md5($password);
$email = mysqli_real_escape_string($connection, $_POST['email']);
if (!isset($username) || empty($username) ||
!isset($password) || empty($password) ||
!isset($email) || empty($email))
{
$error = "All fields must be filled out";
}
else if (user_exists($connection, $username))
{
$error = "Username already registered";
}
else if (strlen($password) < 6)
{
$error = "Password must be at least 6 characters";
}
else if (!filter_var($email, FILTER_VALIDATE_EMAIL)) // check if email looks valid
{
$error = "Please enter a valid email";
}
if ($error == "")
{
//$query = "INSERT INTO users (email, password, username) VALUES ('{$email}','{$md5_pass}','{$username}')";
$query = "INSERT INTO users (username, password, email) VALUES ('{$username}','{$md5_pass}','{$email}')";
$result = mysqli_query($connection, $query);
if ($result)
echo " <b>Registered successfully!</b><br/>Please return to the <a href='index.php'>index</a> to login.";
else
$error = "Unable to create new user";
}
if ($error != "") // redo error string check since the last block may have set it
{
echo "Error: {$error}. Please return to the previous page.";
}
exit();
}
?>
Login.php
<?php
include("config.php");
if (isset($_POST['username']) && !empty($_POST['username']) &&
isset($_POST['password']) && !empty($_POST['password']))
{
$username = mysqli_real_escape_string($connection, $_POST['username']);
$password = md5($_POST['password']);
$query = "SELECT * FROM users WHERE username='{$username}' AND password='{$password}'";
$res = mysqli_query($connection, $query);
if (mysqli_num_rows($res) >= 1)
{
$row = mysqli_fetch_array($res);
if($row['rank'] == "banned")
{
echo "You have been banned from the site.";
exit();
}
$_SESSION['uid'] = $row['userid'];
$_SESSION['username'] = $row['username'];
if($row['rank'] == "admin")
$_SESSION['is_admin'] = true;
header("Location: index.php");
exit();
}
else
{
echo "Username/password invalid. Return to the <a href='index.php'> home </a>page";
exit();
}
}
echo "Something went wrong, try again"; <--- this is the result im getting
?>
here is the login form (apart of header.php)
<?php
if (!isset($_SESSION['uid']) || empty($_SESSION['uid']))
{
echo "<form action='login.php' method='post'>
Username: <input type='text' name='username' Placeholder='Username' style='width:100px;'/>
Password: <input type='password' name='password' Placeholder='Password' style='width:100px;' />
<input type='submit' name='submit' value='Log In' />";
echo "<div id='freeman'>
<a href='signup.php'> <img src='images/register.jpg' width='60px' height='60px' /> </a>
</div>";
} else {
echo "You are logged is as {$_SESSION['username']} • <a href='logout.php'>Logout</a>";
}
?>
The problem that when you register your not opening a session to consider the user as logged and acquire a session for him.
The other issue your not checking in your login script if the user already have a session which implies that he is already logged in
I am very new to PHP and I cannot get this if statement to echo when you click submit. My editor isn't showing any errors with the code and it seems to work fine, except for it not echoing the errors.
<html>
<LINK rel='stylesheet' href='style.css' type='text/css'>
<?php
$submit = $_POST['submit'];
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$repeatpassword = md5(strip_tags($_POST['repeatpassword']));
$date = date('Y-m-d');
echo $date;
if ($sumbit)
{
if ($username&&$password&&$repeatpassword)
{
$password = md5($password);
$repeatpassword = md5($repeatpassword);
if ($password==$repeatpassword)
{
if(strlen($username)>25)
{
echo 'Length of username must be less than 25 charcters';
}
else
{
if (strlen($password)>25||strlen($password)<6)
{
echo 'Your password must be 6 to 25 characters long';
}
else
{
echo 'Success!';
}
}
}
else
{
echo 'Passwords do not match';
}
}
else
echo 'Fill in all the fields';
}
?>
<form action='register.php' method='POST'>
<table>
<tr>
<td>Username</td><br />
</tr>
<tr>
<td><input type='text' name='username'></td><br />
</tr>
<tr>
<td>Password</td><br />
</tr>
<tr>
<td><input type='password' name='password'></td><br />
</tr>
<tr>
<td>Repeat Password</td><br />
</tr>
<tr>
<td><input type='password' name='repeatpassword'></td><br />
</tr>
</table>
<p>
<input type='submit' name='submit' value='Register'>
</form>
</html>
There is a typo
its
if ($sumbit)
should be
if ($submit)
Add this at the beginning of your code:
ini_set("display_errors", true);
error_reporting(E_ALL);
You have to enable error reporting, its turned off by default afaik. Anyways:
if ($sumbit)
I suppose you want to check if its set. The function in php for that is called isset(), so your code would be:
if(isset($submit)) {}
Try this one, it may help you.
if (isset($_POST['submit']))
{
$submit = $_POST['submit'];
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$repeatpassword = md5(strip_tags($_POST['repeatpassword']));
$date = date('Y-m-d');
echo $date;
if ((isset($username))&&(isset($password))&&(isset($repeatpassword)))
{
$password = md5($password);
$repeatpassword = md5($repeatpassword);
if ($password==$repeatpassword)
{
if(strlen($username)>25)
{
echo 'Length of username must be less than 25 charcters';
}
else
{
if (strlen($password)>25||strlen($password)<6)
{
echo 'Your password must be 6 to 25 characters long';
}
else
{
echo 'Success!';
}
}
}
else
{
echo 'Passwords do not match';
}
}
else
echo 'Fill in all the fields';
}
AND For Form use :
<form action='' method='POST'>
<input type='submit' name='submit' value='Register'>
</form>
try this
if(isset($_POST['submit']))
{
if (isset($_POST['username'], $_POST['password'], $_POST['repeatpassword']))
{
$username = strip_tags($_POST['username']);
$password = strip_tags($_POST['password']);
$repeatpassword = md5(strip_tags($_POST['repeatpassword']));
instead of
if ($sumbit)
{
if ($username&&$password&&$repeatpassword)
{
your are using sumbit and use submit
if ( !empty($submit) ){
{
there is a md5 of repeatpassword being done twice and md5 of password being done once. so the if condition fails
if ($password==$repeatpassword)
Before if submit condition
$password = strip_tags($_POST['password']);
$repeatpassword = md5(strip_tags($_POST['repeatpassword']));
Inside if submit condition
$password = md5($password);
$repeatpassword = md5($repeatpassword);