I am working on a section of code that changes a password in a database upon completion of the following form:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Password Change</title>
</head>
<body>
<h1>Change Password</h1>
<form method="POST" action="password_change.php">
<table>
<tr>
<td>Enter your UserName</td>
<td><input type="username" size="10" name="username"></td>
</tr>
<tr>
<td>Enter your existing password:</td>
<td><input type="password" size="10" name="password"></td>
</tr>
<tr>
<td>Enter your new password:</td>
<td><input type="password" size="10" name="newpassword"></td>
</tr>
<tr>
<td>Re-enter your new password:</td>
<td><input type="password" size="10" name="confirmnewpassword"></td>
</tr>
</table>
<p><input type="submit" value="Update Password">
</form>
<p>Home
<p>Logout
</body>
</html>
And the the PHP:
<?php
session_start();
include 'dbconfig.php';
$username = $_POST['username'];
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$confirmnewpassword = $_POST['confirmnewpassword'];
$result = mysql_query("SELECT password FROM user_info WHERE
user_id='$username'");
if(!$result)
{
echo "The username you entered does not exist";
}
else if($password!= mysql_result($result, 0))
{
echo "You entered an incorrect password";
}
if($newpassword=$confirmnewpassword)
$sql=mysql_query("UPDATE user_info SET password='$newpassword' where
user_id='$username'");
if($sql)
{
echo "Congratulations You have successfully changed your password";
}
else
{
echo "Passwords do not match";
}
?>
The problem I have at the moment is when I submit the submit button takes me to a read only page of this code.
Any suggestions?
On first looks I can figure out few major mistakes you made:
if you are comparing you should use
$newpassword == $confirmnewpassword
and not
$newpassword=$confirmnewpassword
secondly when you use if..elseif... loop format shold be
if (condition)
{
//code to be executed if condition is true;
}
else if (condition)
{
// code to be executed if condition is true;
}
else
{
//code to be executed if condition is false;
}
You apparently miss the else part in one of your such loops.
Please correct your syntax and try again...
u can 1st select a table and check a password is correct and if correct a update a password .else display a error message.hey this just update a password if old is password is match to update a password....,
Cracker World
$old_password=$_POST['old_password'];
$new_password=$_POST['new_password'];
$con_password=$_POST['con_password'];
$chg_pwd=mysql_query("select * from users where id='1'");
$chg_pwd1=mysql_fetch_array($chg_pwd);
$data_pwd=$chg_pwd1['password'];
if($data_pwd==$old_password){
if($new_password==$con_password){
$update_pwd=mysql_query("update users set password='$new_password' where id='1'");
$change_pwd_error="Update Sucessfully !!!";
}
else{
$change_pwd_error="Your new and Retype Password is not match !!!";
}
}
else
{
$change_pwd_error="Your old password is wrong !!!";
}}
You made a mistake here
This include 'dbconfig.php';
Should be like this include ('dbconfig.php');
After seen your script, i found that you have not use '==' in your password comparison condition.
if($newpassword=$confirmnewpassword)
Which is wrong. You accepted the birju shah's answer above which is pointing out what i want to say.
Apart from this, i found that you did't use any encryption method, which is extremely wrong. Anyone can hack your password from the database.
You should use Password_verify() and Password_hash() functions to encrypt and decrypt your password. These encryption and decryption are considered most safe now days. You should not use md5 encryption because now days anyone can decrypt md5 algorithm.
Here i have made one tutorial Change password code in PHP. I have covered all the above topics. I Hope that this tutorial will help you.
Cheers,
Related
<?php
session_start();
$db =mysqli_connect("localhost", "root", "","registration" );
if (isset($_POST['login_btn'])){
$username = mysql_real_escape_string($_POST ['username']);
$password = mysql_real_escape_string($_POST ['password']);
$password= md5($password);
$sql = "SELECT * FROM users WHERE username= '$username' AND password= '$password'";
$result = mysqli_query($db, $sql);
if(mysqli_num_rows($result) == 1 ){
$_SESSION['message']= "You are now logged in";
$_SESSION['username'] = $username;
header("Location: home.php");
}else{
$_SESSION['message'] = "Username and password combination is incorrect";
}
}
?>
<html>
<head>
</head>
<body>
<div class="header"> <h1>login</h1></div>
<?php
if (isset($_SESSION['message'])){
echo "<div id = 'error_msg>".$_SESSION['message']."</div>";
unset($_SESSION['message']);
}
?>
<form method="post" name="loginform" action="login.php">
<table>
<tr>
<td> Username:</td>
<td><input type = "text" name="username" placeholder="Username" class="textInput" required></td>
</tr>
<tr>
<td> Password:</td>
<td><input type = "password" placeholder="Password" name="password" class="textInput" required></td>
</tr>
<tr>
<td></td>
<td><input type = "submit" name="login_btn" value="Login"></td>
</tr>
</table>
</form>
</body>
</html>
Hi guys, this is my login page with PHP. Apart from logging in it allows passwords which are not the same. According to the code its set to check if the two passwords are matching and if they aren't, it displays an error.
This one doesn't display an error even if the two passwords don't match. Why does it allows a user to log in with wrong passwords??
I want it to display an error when passwords don't match and in return doesn't allow logging in because of wrong credentials.
You are not using mysql_real_escape_string properly. You should use either mysqli_real_escape_string or use mysql_connect to connect to MySQL.
mysql_real_escape_string's second parameter is assumed automatically if mysql_connect is used, but you are using mysqli_connect instead, that's why it's not finding any connection.
From pph website it states:
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() had been called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
Reference: http://php.net/manual/en/function.mysql-real-escape-string.php
Try changing
$username = mysql_real_escape_string($_POST ['username']);
$password = mysql_real_escape_string($_POST ['password']);
to
$username = mysqli_real_escape_string($db, $_POST ['username']);
$password = mysqli_real_escape_string($db, $_POST ['password']);
<?php
session_start();
include_once 'dbconnect.php';
if (isset($_SESSION['user']) != "") {
header("Location: home.php");
}
if (isset($_POST['btn-login'])) {
$email = mysql_real_escape_string($_POST['email']);
$upass = mysql_real_escape_string($_POST['pass']);
$res = mysql_query("SELECT * FROM telecomt_user WHERE email='$email'");
$row = mysql_fetch_array($res);
if ($row['password'] == md5($upass)) {
$_SESSION['user'] = $row['user_id'];
header("Location: home.php");
} else {
?>
<script>alert('wrong details');</script>
<?php
}
}
?>
This is my code for fetching data from database to let the user to log in by email and password. My table name is "telecomt_user".
<form method="post">
<table align="center" width="30%" border="0">
<tr>
<td><input type="text" name="email" placeholder="Your Email" required /> </td>
</tr>
<tr>
<td><input type="password" name="pass" placeholder="Your Password" required /></td>
</tr>
<tr>
<td><button type="submit" name="btn-login">Sign In</button></td>
</tr>
<tr>
<td>Sign Up Here</td>
</tr>
</table>
</form>
And this my html form code. The code works fine in localhost but when I uploaded it to my server it does not work. It always executes this line:
<script>alert('wrong details');</script>
Is it problem in my database? But I am using the same name and pattern what I used in my localhost and also my sign up form works with the same database. My "dbconnect.php" file is also okay. What is the problem?
instead of $row['password'] , can you try to type the column of the password in the string, for example $row[0] (if password column is the first column).
I think you have to put break point in each condition like
if(your condition){
echo "something";exit;
}else{
echo "nothing";exit;
}
Better to do checking on query only email and password
$res=mysql_query("SELECT * FROM telecomt_user WHERE email='$email' AND password='md5($upass)'");
$row=mysql_fetch_array($res);
Now condition login or not
if(count($row)>=1){
//login
}else{
// credentials wrong message
}
I have a very simple login script, it requires just a password and thats it. The user will attempt to login and when the user enters the wrong password the php script will append the password to a text file but first the script checks whether the password is already in the file and if it is, the script will then add 1 to the number of attempts in the file. My problem is i am trying to find a way to check every password and then add the password but not check each individual password and add the password right away. I am using a class file found at this website My code is below.
<!DOCTYPE html>
<html>
<head>
<title>Website</title>
</head>
<body>
<form method="post" action="Assets/Scripts/PHP/Login.php">
<table>
<tr>
<td>
<label for="Password">Password:</label>
</td>
<td>
<input type="password" name="password" placeholder="Password" id="Password" />
</td>
</tr>
<tr>
<td>
</td>
<td>
<input type="submit" name="submit" value="Log In" />
</td>
</tr>
</table>
</form>
</body>
</html>
Login.php
<?php
$Password = $_POST['password'];
$Submit = $_POST['submit'];
if(isset($Submit))
{
if($Password != '' && $Password == 'Password')
{
session_start();
$_SESSION['Login'] = 'True';
$Login = $_SESSION['Login'];
if(isset($Login))
{
header("location:../../../main.php");
}
else
{
header("location:../../../index.html");
}
}
else
{
include("../../../MyTXT.php");
$File = new MyTXT("../../Texts/Passwords.txt");
foreach($File->rows as $Row)
{
if($Row != $Password)
{
$File->add_row(array($Password, "1"));
$File->save();
}
else
{
}
}
echo 'The Password Is Incorrect';
echo '<br />';
echo 'Go Back';
}
}
else
{
header("location:../../../index.html");
}
Txt File
Password:|:Attempts
Test:|:26
Test123:|:2
Test456:|:5
Is there a specific reason you're using the code from the link? It looks like a LOT of code for what is a simple task.
Try these:
Read contents of the file into a string:
http://php.net/manual/en/function.file-get-contents.php
Read contents of file into an array:
http://php.net/manual/en/function.file.php
I'm still not exactly sure how you're checking if their password is correct, as your file contains incorrect passwords, however, a quick example (v quick..) of how to check for a string in a file:
$strPassword = '123test';
$strFilename = 'pass.txt';
$strFileContents = file_get_contents($strFilename);
if(strpos($strFileContents, $strPassword))
{
//$strPassword is there, log them in/whatever
}
else
{
//password not there
}
However if you want/need to use that script from that site, then in the downloads there are examples of how to use it. You should study those and write code with them, and if you are stuck, ask specific questions.
I'm pretty new to PHP, but I decided to try and make a simple login page on my test website, just to see how things work. I know it's not very secure, but I'm not worrying too much about that yet. The problem I am having is when I try to login, be the username correct or not, I am redirected to the login page instantly. I don't think it is even going to the PHP script that checks the username and password or anything, since I get the same results when I use an incorrect username or password. I'm not entirely sure if this is a PHP problem or not, since the form is in HTML, so sorry if it's not.
Login Page:
<?
include"includes/head.inc";
?>
<div class="login" align="center";>
<h1>Log In</h1>
<form action="/cp/login.php" method="post">
<table border="0" cellspacing="2" cellpadding="2">
<tr>
<td>
Email
</td>
<td>
<input type="text" name="username">
</td>
</tr>
<tr>
<td>
Password
</td>
<td>
<input type="password" name="password">
</td>
</tr>
</table>
<input type="submit">
</form>
</div>
<?
include"includes/footer.inc";
?>
Login.php:
<?
$username = $_POST['username'];
$password = $_POST['password'];
session_start();
include"../includes/connect.inc";
$q = "SELECT * from users where email='$username' and password='MD5($password)'";
$result = mysql_query($q, $connection) or die
("Could not execute query : $q." . mysql_error());
if (!$result) {
echo "<h1>Incorrect username or password.</h1>";
}
else {
$r = mysql_fetch_array($result);
$login_username = $r["email"];
session_register("login_username");
Header("Location: protected.php");
}
?>
Protected.php:
<?
session_start();
if ($login_username == "") {
Header("Location: ../login.php");
}
else {
include"../includes/head.inc";
include"../cp.inc";
include"../includes/footer.inc";
}
?>
I included all the files just in case they are needed, but it seems to just be looping the login page, not cycling through the others. The username and password I am entering are correct, and worked in my previous login system before I rewrote it to make it work better. I hope I'm not missing anything silly or obvious. Thanks for reading.
Something that might cause this:
session_start();
if($login_username=="") {
You're referring to something inside the session; this is how you should do that:
session_start();
if (!isset($_SESSION['login_username']) || $_SESSION['login_username']=="") {
Another small issue:
<?
$username=$_POST['username'];
$password=$_POST['password'];
session_start();
You should test the $_POST keys first before attempting to access them.
if (!isset($_POST['username'], $_POST['password'])) {
die("Invalid page request");
}
session_start();
$username=$_POST['username'];
$password=$_POST['password'];
Last but not least, learn PDO; see also the page here that warns about continued use of mysql_ functions: http://uk.php.net/manual/en/function.mysql-connect.php
Can anyone help me with this code? Everytime I want to try out my registerform.php, I don't get redirected to the successful message page. The browsers said that the link was broken. I'm not getting any errors.
registerform.php
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>register</title>
</head>
<body>
<FORM ACTION="register.php" METHOD="POST">
<h1>welcome to the registration page</h1>
please input the registration details to create an account here<br>
<table border="2">
<tr>
<td>User Name :</td><td><input name="regname" type="text" size"20"></input></td>
</tr>
<tr>
<td>email :</td><td><input name="regemail" type="text" size"20"></input></td>
</tr>
<tr>
<td>password :</td><td><input name="regpass1" type="password" size"20"></input></td>
</tr>
<tr>
<td>retype password :</td><td><input name="regpass2" type="password" size"20"></input></td>
</tr>
</table>
<input type="submit" value="register me!"></input>
</FORM>
</body>
</html>
register.php
<?php
session_start();
if($_GET["regname"] && $_GET["regemail"] && $_GET["regpass1"] && $_GET["regpass2"] )
{
if($_GET["regpass1"]==$_GET["regpass2"])
{
$servername="localhost";
$username="root";
$password="";
$conn= mysql_connect($servername,$username,$password)or die(mysql_error());
mysql_select_db("tweetball",$conn);
$sql="insert into users (UserName,UserEmail,Password)values('$_GET[regname]','$_GET[regemail]','$_GET[regpass1]')";
$result=mysql_query($sql,$conn) or die(mysql_error());
print "<h1>you have registered sucessfully</h1>";
print "<a href='main_login.php'>go to login page</a>";
}
else print "passwords doesnt match";
}
else print"invaild input data";
?>
It looks like you have your form set to POST method, but you call the values with GET. try this:
register.php -- >
<?php
session_start();
if($_POST["regname"] && $_POST["regemail"] && $_POST["regpass1"] && $_POST["regpass2"] )
{
if($_POST["regpass1"]==$_POST["regpass2"])
{
$servername="localhost";
$username="root";
$password="";
$conn= mysql_connect($servername,$username,$password)or die(mysql_error());
mysql_select_db("tweetball",$conn);
$sql="insert into users (UserName,UserEmail,Password)values('$_POST[regname]','$_POST[regemail]','$_POST[regpass1]')";
$result=mysql_query($sql,$conn) or die(mysql_error());
print "<h1>you have registered sucessfully</h1>";
print "<a href='main_login.php'>go to login page</a>";
}
else print "passwords doesnt match";
}
else print"invaild input data";
?>
Edit: Also, as the others says, you should really read up on SQL injections and php's "mysql_real_escape_string" function.
Edit 2: Again, as the others say, make sure that you are linking properly to the "register.php" file in your "registerform.php" FROM tag.
The form you've given is POST method. But you've get GET method values
While what Kristoffer la Cour said is true and will cause some problems. If the browser is saying that the link is broken then I believe it is more likely that the 'register.php' file has been incorrectly named or does not exist in the correct directory.
Problem is you need to add some code to stop an already registered username from being re-registered.