I created a PHP script that allows a user on my website to change their password once registered, but am getting an error when I try to open it on the site. I believe it is due to a syntax error on my part but I can't seem to spot it. Can someone take a look and see what you can find? Here is the script:
<?php
session_start();
$user = $_SESSION['username'];
if ($user)
{
//user is logged in
if ($_POST['submit'])
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("Old password doesn't match!");
}
else
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
else
die ("You must be logged in to change your password");
}
?>
The error I am getting is as follows:
Notice: Undefined index: submit in /var/www/localhost/htdocs/changepassword.php on line 11
You must be logged in to change your password.
Thanks in advance for your help.
Well first you should notice that mysql is deprecated, use mysqli or PDO instead More info or like NullPointer has pointed More Good Info :)
change the end of your code like this to get the right results that you want for fail:
}else
die ("Nothing came from the $_POST variable");
}else
die ("You must be logged in to change your password");
The error that your getting is maybe because your $_POST variable isn't set, use isset() to check if $_POST was set.example:
if (isset($_POST['submit']))
{
//submit post was set
}else
{
//submit post wasn´t set
}
If you still not getting any value, check your form.
UPDATE:
to see the actual form you must end the isset before the form your code stays like this:
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("New password doesn't match!");
}else
die("Old password doesn't match!");
}
else
{
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
But you wont see it until your logged in. Your second problem is that your $user variable seems to dont have any value. after trying the above code if it wont work.
put this line after
$user = $_SESSION['username'];
echo 'Here it shold show the user: '.$user.'';
if it wont show up your not passing the session value right.
One more thing, if your form is pointing to same page, thats what it looks like change your line to this line:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");?>" method='POST'>
Your input html form has an extra space in it
<input type='submit' name ='submit' value='submit'>
Change it to
<input type='submit' name='submit' value='submit'>
You should also make sure
if (isset($_POST['submit']))
Related
A part of a website I am making gives the option to the user to change their password. I have configured this code and it works fine.
I now want to add a form to the same page, that gives the user an option to change their USERNAME instead. (Individually, so they change their username but don't change the password).
Do I need to repeat the exact same following code and paste it beneath it, obviously adapting particular words to be for the username not password, or is there a way I can ADD to the existing code so that its one single processing code? How do I do this? So for example the first line:
if ($submit == 'Change Password') {,
in my head in English language, I'd like the code to say IF 'change password' OR the 'change username' button is submitted... do the following code etc.
//processing code
<?php
require_once('checklog.php');
require_once('functions.php');
// Grab the form data
$submit = trim($_POST['submit']);
$password = trim($_POST['password']);
$newpassword = trim($_POST['newpassword']);
$repeatpassword = trim($_POST['repeatpassword']);
// Create some variables to hold output data
$message = '';
// Start to use PHP session
session_start();
if ($submit == 'Change Password') {
include_once('connect.php');
mysqli_select_db($db_server, $db_database) or die("Couldn't find db");
//clean the input now that we have a db connection
$password = clean_string($db_server, $password);
$newpassword = clean_string($db_server, $newpassword);
$username = $_SESSION['username'];
$repeatpassword = clean_string($db_server, $repeatpassword);
if ($password && $newpassword) {
if ($repeatpassword == $newpassword) {
if (strlen($newpassword) > 25 || strlen($newpassword) < 6) {
$message = "Password must be 6-25 characters long";
} else {
// check whether username exists
$password = salt($password);
$query = "SELECT username FROM users WHERE username='$username' and password='$password'";
$result = mysqli_query($db_server, $query);
//if theres a result change password to new password
if ($row = mysqli_fetch_array($result)) {
$newpassword = salt($newpassword);
$repeatpassword = salt($repeatpassword);
//update password
$query = "UPDATE users SET password='$newpassword' WHERE username='$username'";
mysqli_query($db_server, $query) or die("Update failed. " . mysqli_error($db_server));
$message = "<strong>Password change successful!</strong>";
} else {
$message = "User account not found.";
}
mysqli_free_result($result);
}
} else {
$message = "Password must match";
}
} else {
$message = "Please enter all fields";
}
include_once('db_close.php');
}
include_once('header_logged.php');
?>
// the forms to change the password or username
!--change password form -->
To change your Password:
<form method="post" action="changepassword.php">
Current password: <input type='password' name='password'>
<br>
<br>
New Password: <input type='password' name='newpassword'>
<br>
<br>
Repeat New Password: <input type='password' name='repeatpassword'>
<input type='submit' name='submit' value='Change Password'>
<input type='reset' name='reset' value='Reset'>
</form>
<p><strong><?php
echo $message;
?></strong></p>
<!--change username form -->
To change your Username:
<form method="post" action="changepassword.php">
Current Username: <input type='username' name='username'>
<br>
<br>
New Username: <input type='username' name='newusername'>
<br>
<br>
Repeat New Username: <input type='username' name='repeatusername'>
<input type='submit' name='change' value='Change Username'>
<input type='reset' name='reset' value='Reset'>
</form>
Thanks for any help, very much appreciated.
use this:
if(isset($_POST['submit']) || isset($_POST['change'])){
//write your code here
}
I am learning PHP, and I'm busy with this tutorial over here:
https://www.youtube.com/watch?v=kebwxI1Bw88
I did everything according to the video and went over it 3 times, but my script isn't working... and I was wondering if anyone can help me figure out why? My code seems to be exactly like the guy's code on the video.
The video is about creating the login functionality for a forum. What happens with my script is.... It does what it's supposed to when I type in the WRONG user/pass combination (showing the message that it's supposed to show). But, when I type in the RIGHT user/pass combination... The file redirects to the index like it's supposed to... but it's still displaying the login form and not showing the "You are logged in as _ " message.
My Login Form on the index page:
if (!isset($_SESSION['uid'])) {
echo "<form action='login_parse.php' method='post'>
Username: <input type='text' name='username' />
Password: <input type='password' name='password' />
<input type='submit' name='submit' value='Log In'>
";
} else {
echo "<p>You are logged in as ".$_SESSION['username']." $bull; <a href='logout_parse.php'>Logout</a>";
}
My login_parse.php file:
session_start();
include_once("connect.php");
if (isset($_POST['username'])) {
$username = $_POST['username'];
$password = $_POST['password'];
$sql = "SELECT * FROM users WHERE username='".$username."' AND password='".$password."' LIMIT 1";
$res = mysql_query($sql) or die (mysql_error());
if (mysql_num_rows($res) == 1) {
$row = mysql_fetch_assoc($res);
$_SESSION['uid'] = $row['id'];
$_SESSION['username'] = $row['username'];
header("Location: index.php");
exit ();
} else {
echo "Invalid login information. Please return to the previous page. ";
exit ();
}
}
Check if $_SESSION['uid'] has a value.
print_r($_SESSION);
to see all the values
In the Below code i have Current password, new password and repeat new password fields but i don't want current password field to change password.
Note : I want only new password and repeat new password in the form.
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include_once "connect_to_mysql.php";
$queryget = mysql_query("SELECT password FROM members WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE members SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='login.php'> Login Again</a>");
}
else
die("New password doesn't match!");
}else
die("Old password doesn't match!");
}
else
{
echo"
<form action='change_password.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
Try with this code:
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include_once "connect_to_mysql.php";
$queryget = mysql_query("SELECT password FROM members WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE members SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='login.php'> Login Again</a>");
}
else {
die("New password doesn't match!");
}
else
{
echo"
<form action='change_password.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
Remove old password field from your form as well remove if condition which checks your old password in database with old password to form
here is code you may need
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include_once "connect_to_mysql.php";
$queryget = mysql_query("SELECT password FROM members WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE members SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='login.php'> Login Again</a>");
}
else
die("New password doesn't match!");
}
else
{
echo"
<form action='change_password.php' method='POST'>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
PLEASE dont comment on here telling me about my SQL injections, I already know :)...
Every time I use my login.html page (which is linked to the login.php file) the code generates the following message: 'Please enter a valid username and a password!'
The code was working fine earlier so i'm not sure what i have done wrong ...
The code is below :
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost","user_ben","password") or die ("Couldn't Connect!");
mysql_select_db("user_phplogin"); //select database
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
if(mysql_num_rows($query))
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
// check to see if they match
if ($username==$dbusername&&$password==$dbpassword)
{
echo "Youre in! <a href='members.php'> Visit your user profile! </a>";
}
else
{
echo "Incorrect Password! <a href='login.html'> Return to login page</a>";
}
}
else
{
die("That user doesnt exist! <a href='login.html'> Return to login page</a>");
}
}
else
{
die("Please enter a valid username and a password! <a href='login.html'> Return to login page</a>");
}
?>
This is my form code...
<form action='login.php' method='submit'>
Username: <input type='text' name='username'/><br>
Password: <input type='password' name='password'/><br>
<input type='submit' value='Log In'/>
</form>
check like
if(!empty($username) && !empty($password))
it will check not empty also username and password is set
and
<form action='login.php' method='POST'>
since it default is GET (it mean if you dont type method it will be GET)
also you are using method="submit" there isn't any submit method
method (GET|POST) GET -- HTTP method used to submit the form--
w3 form:17.3 The FORM element
change
<form action='login.php' method='submit'>
to
<form action='login.php' method='POST'>
change
<form action='login.php' method='submit'>
to
<form action='login.php' method='POST'>
start login.php with this lines and answer:
<?php print_r($_POST);
and see what in the post
I have a page title changepassword.php ... In this page, users are able to change their password for an account. The query goes through and gives the message that it sent, however, the database does not change. The password stays the same as it used to be. I am using a sha1 hash that I am not used to (first time using it). Anyone know what is happening with it? Thanks!
<?php
session_start ();
$user_name = $_SESSION['user_name'];
if($user_name)
{
//user is logged in
if(isset($_POST['submit']))
{
//check fields
$oldpassword = $_POST['oldpassword'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
//check password against db
$connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die();
$queryget= mysql_query ("SELECT user_pass FROM users WHERE user_name='$user_name'") or die("Query didn't work.");
$row = mysql_fetch_assoc ($queryget);
$oldpassworddb = $row['user_pass'];
//check passwords
if (sha1($oldpassword)==$oldpassworddb)
{
if ($newpassword==$repeatnewpassword)
{
if (strlen ($newpassword)>25 || strlen ($newpassword)<6)
{
echo "Password must be between 6 and 25 characters";
}
else
{
//change password in db
$newpassword = sha1($newpassword);
$querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE user_name='$user_name'");
session_destroy();
die ("Your password has been changed. <a href='index.php'>Return</a> to the main page and login with your new password.");
}
}
else
die ("New passwords do not match!");
}
else
die ("Old password is inncorrect!");
}
else
{
echo
"<form action = 'changepassword.php' method = 'POST'>
<table>
<tr>
<td>
Old password:
</td>
<td>
<input type='text' name='oldpassword'><p>
</td>
</tr>
<tr>
<td>
New password:
</td>
<td>
<input type='password' name='newpassword'>
</td>
</tr>
<tr>
<td>
Repeat new password:
</td>
<td>
<input type='password' name='repeatnewpassword'>
</td>
</tr>
<table>
<input type='submit' name='submit' value='Change password'>
</form>
";
}
}
else
die("You must be logged in to change your password!");
?>
Query_1:
SELECT user_pass FROM users WHERE user_name='$user_name'
Your Query_2:
UPDATE users SET **password**='$newpassword' WHERE user_name='$user_name'
But, Query_2 should be:
UPDATE users SET **user_pass**='$newpassword' WHERE user_name='$user_name'
Not sure if literal/single quotes will allow PHP to interpolate the variables. I usually use sprintf, too. Also, in general you don't want to just check on username, but username AND old password.
"SELECT user_pass FROM users WHERE user_name='$user_name'"
should be:
$sql = sprintf("select user_pass from users where user_name = "%s",$user_name);
also, your "die()" would be better if you output the mysql_error(), i.e.
$connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die("cannot connect".mysql_error());
But, probably the fastest way to troubleshoot is to put an error on the mysql_query:
$sql = sprintf("UPDATE users SET password="%s" WHERE user_name="%s"",$newpassword,$user_name);
$querychange = mysql_error($sql) or die ("Error updating: ".mysql_error());