I'm working on a website with a register system. In the userCP you can change your password. I made this script for it but it doesnt work. Can somebody help me? When I change the password it doesnt give an error but it just doesnt update it.
PHP Code:
<?php
if (isset($_POST['updatePassBtn']))
{
$cpassword = $_POST['cpassword'];
$npassword = $_POST['npassword'];
$rpassword = $_POST['rpassword'];
if (!empty($cpassword) && !empty($npassword) && !empty($rpassword))
{
if ($npassword == $rpassword)
{
if (mysql_num_rows(mysql_query("SELECT * FROM `users` WHERE `username` = '".$_SESSION['username']."' AND `password` = '".SHA1($cpassword)."'")))
{
mysql_query("UPDATE `users` SET `password` = '".SHA1($npassword)."' WHERE `username` = '".$_SESSION['username']."' AND `ID` = '".$_SESSION['id']."'");
echo '<div class="nNote nSuccess hideit"><p><strong style="color:green;">SUCCESS: </strong>Password Has Been Updated</p></div>';
}
else
{
echo '<div class="nNote nFailure hideit"><p><strong style="color:red;">FAILURE: </strong>Current Password is incorrect.</p></div>';
}
}
else
{
echo '<div class="nNote nFailure hideit"><p><strong style="color:red;">FAILURE: </strong>New Passwords Did Not Match.</p></div>';
}
}
else
{
echo '<div class="nNote nFailure hideit"><p><strong style="color:red;">FAILURE: </strong>Please fill in all fields</p></div>';
}
}
?>
My form:
<form action="" class="form" method="POST">
<fieldset>
<label></label>
<input name="cpassword" type="text" value="Current Password" onfocus="this.value = (this.value=='Current Password')? '' : this.value;" onblur="if(this.value == ''){this.value='Current Password';}"/>
</fieldset>
<fieldset>
<label></label>
<input name="npassword" type="text" value="New Password" onfocus="this.value = (this.value=='New Password')? '' : this.value;" onblur="if(this.value == ''){this.value='New Password';}"/>
</fieldset>
<fieldset>
<label></label>
<input name="rpassword" type="text" value="Repeat Password" onfocus="this.value = (this.value=='Repeat Password')? '' : this.value;" onblur="if(this.value == ''){this.value='Repeat Password';}"/>
<input type="submit" value="Update" name="updatePassBtn"/>
</fieldset>
</form>
You count the number of rows that match the username and password, but then when you update you also have the condition that it has to match $_SESSION['id']. If your session doesn't contain the right 'id', then your update could match no rows.
You should check mysql_affected_rows() before reporting that the update was successful.
You should also check that the mysql functions return success (as #RocketHazmat suggests in a comment). Many return false on error.
mysql_query("UPDATE `users` SET `password` = '".SHA1($npassword)."' WHERE `username` = '".$_SESSION['username']."' AND `ID` = '".$_SESSION['id']."'");
You have the mysql_query set up but i dont see you executing it
Related
I want to force user to use > or = 8 char. password but can not get it working for some reason, i tried count() and strlen()
if(count($_POST['newpass']) < 8){
// ERROR
}
UPDATE (whole php code for the password change):
if(!empty($_POST['update'])){
if( strlen( trim( $_POST['newpass'] ) ) < 8 ){
$error = error('Password should be at least 8 characters in length.');
}
$options = array("cost"=>4);
$hashPassword = password_hash($_POST['newpass'],PASSWORD_BCRYPT,$options);
$getpass = $odb -> prepare("SELECT `password` FROM `users` WHERE `ID` = :id");
$getpass -> execute(array(":id" => $_SESSION['ID']));
$row = $getpass -> fetch();
$saved_password = $row['password'];
if (password_verify($_POST['oldpass'], $saved_password)) {
$SQLUpdate = $odb -> prepare("UPDATE `users` SET `password` = :password WHERE `username` = :username AND `ID` = :id");
$SQLUpdate -> execute(array(':password' => $hashPassword,':username' => $_SESSION['username'], ':id' => $_SESSION['ID']));
$error = success('Password has been successfully changed');
} else {
$error = error('Current password is incorrect.');
}
}
html form (located in MODAL but that does not matter i guess):
<form method="post">
<div class="form-group">
<label for="recipient-name" class="col-form-label">Current password</label>
<input class="form-control" style="color:black;" type="password" id="oldpass" name="oldpass" required="">
</div>
<div class="form-group">
<label for="recipient-name" class="col-form-label">New password</label>
<input class="form-control" style="color:black;" type="password" id="newpass" name="newpass" required="">
</div>
</div>
<div class="form-group">
<div class="modal-footer">
<button class="btn btn-primary" name="update" value="change" type="submit">Change</button>
</div>
</div>
</form>
try this:
if( isset( $_POST['update'])) {
echo "password entered: " . $_POST['newpass'] . "<br />";
if(strlen($_POST['newpass']) < 8 ) {
echo "Yea nah!, password is too short" . "<br />";
} else {
echo "Nah yea!, password is long enough" . "<br />";
}
}
result 1:
password entered: sadfsdf
Yea nah!, password is too short
result 2:
password entered: asdfghjklo
Nah yea!, password is long enough
I migrated website to new hosting but now I cannot login to admin. And I dont know why.
Maybe problem with sessions? Anny help?
This is part of code admin.php
<?php
include("auth/data/functions.php");
//$_SESSION["logged"] = true;
if (isset($_POST["auth_login"])) {
if($_POST["auth_login"]&&$_POST["auth_password"])
{
if (mysql_result(mysql_query("SELECT COUNT(*) FROM `admin` WHERE name = '".addslashes($_POST['auth_login'])."' AND password = '".sha1($_POST["auth_password"])."'"), 0))
{
$_SESSION["logged"] = true;
}
}
}
if (!isset($_SESSION["logged"]))
{
print('
<h1>Log in</h1>
');
if (isset($_POST["auth_login"])) {
print('<p>Error. Wrong username or password.</p>');
}
print('<br><form method="post">');
print('<label for="name">Name: </label><input name="auth_login" maxlength="30" id="name" /> ');
print('<label for="pass">Password: </label><input type="password" name="auth_heslo" id="pass" /> ');
print('<input type="submit" value="-->" title="Log in" style="cursor:pointer" /> ');
print('</form>');
}
elseif($_SESSION["logged"])
{
if(!$subsection)
{
?>
... Content
I am doing a project to add, update, delete, etc records from a p2pmyadmin database.
I am working on the current code. When update is hit, all the fields update in the database, except the 'Surname' field. I cannot figure out why... Can anyone advise?
$dirtyPassword = $_POST['frmPassword1'];
if (isset($_POST['formName']) && $_POST['formName'] == "addUser") {
if ( ($_POST['frmSurname'] != '') &&
($_POST['frmEmail'] != '') &&
($_POST['frmPassword1'] != '') ) {
if ($_POST['frmPassword1'] != $_POST['frmPassword2'] ) {
echo "Passwords do not match!";
//Clean form values
$cleanFirstName = mysqli_real_escape_string($db, $_POST['frmName']);
$cleanSurname = mysqli_real_escape_string($db, $_POST['frmSurname']);
$cleanEmail = mysqli_real_escape_string($db, $_POST['frmEmail']);
//Clean password
$password = sha1(mysqli_real_escape_string($db, $_POST['frmPassword1']));
// Build username
$username = strtolower($cleanFirstName.substr($cleanSurname,0,1));
$dateTime = date('Y-m-d g:i:s',time());
// Check email is unique
$QryEmail = "SELECT *
FROM registeredUsers
WHERE EmailAddress = '$cleanEmail'";
$chkEmail = mysqli_query($db,$QryEmail);
$numChkRowsE = mysqli_num_rows($chkEmail);
// Check Username is unique
$QryID = "SELECT *
FROM registeredUsers
WHERE UserName = '$username'";
$ChkID = mysqli_query($db,$QryID);
$numChkRowsI = mysqli_num_rows($chkID);
//check that zero records returned (no duplicates)
if ($numChkRowsE == 0 && $numChkRowsI == 0){
//Query
$query = "INSERT INTO registeredUsers VALUES(NULL, '$username', '$cleanFirstName', '$cleanSurname', '$cleanEmail', '$password', '$dateTime', 0) ";
$insQry = mysqli_query($db,$query);
if ($insQry) {
/* SUCCESS */
$_SESSION['success'] = 'Registration successful';
header("Location:project-users-manage.php");
exit;
} else {
/* FAIL */
}
}
}
?>
<fieldset style =width:30%>
<form method="post" action="">
<p>
First Name : <input type="text" name="frmName" value="" placeholder='First Name'><br>
Surname: <input type="text" name="frmSurname" value="" placeholder='Surname'><br>
Email Address: <input type="text" name="frmEmail" value="" placeholder='Email Address'><br>
Password: <input type="password" name="frmPassword1" value="" placeholder='Password'><br>
Repeat Password: <input type="password" name="frmPassword2" value="" placeholder='Password Again'><br>
<input type="submit" name="Register" value="Register">
<input type='hidden' name='formName' value='addUser' />
</p>
</form>
<br>
<a href='project-users-manage.php'>User Management</a>
<a href=''>Logout</a>
I am currently working on PHP forgot password reset, which partially doing the job but seeking some assistance to improve it further.
1st issue: It is not displaying the correct email address on the
submission form. It updates the password correctly but doesn't
display correct email address.
2nd issue: Also if the user makes an error while submitting the form on reloading the page doesn't update the password hence the user has to go back to his email to click back on the link.
<?php
include('../config/connection.php');
if(isset($_POST['submit'])){
$password = mysqli_real_escape_string($dbc,$_POST['password']);
$Rpassword = mysqli_real_escape_string($dbc,$_POST['Rpassword']);
$acode=$_POST['encrypt'];
$passmd = md5(SHA1($password));
if (empty($password) OR empty($Rpassword)) {
$error = 'One or either field is missing';
} if ($password != $Rpassword) {
$error = 'Passwords don\'t match';
} if(strlen($password)<6 OR strlen($Rpassword)>20) {
$error = 'Password must be between 6 to 20 characters';
}
else {
$query = mysqli_query($dbc,"select * from users where passreset='$acode'") or die(mysqli_error($dbc));
if (mysqli_num_rows ($query)==1)
{
$query3 = mysqli_query($dbc,"UPDATE users SET password='$passmd',passreset=0 WHERE passreset='$acode'")
or die(mysqli_error($dbc));
$sent = 'Password has been Changed successfully, Please sign in for loging in.';
}
else
{
$error = 'Please click back on the Forgot password link to reset your password ';
}
}
}
?>
<body>
<?php if(!isset($_POST['submit']) OR $error != '' OR isset($error)) { ?>
<?php if(isset($error) AND $error !='')
{
echo '<p style="color:#c43235">'.$error.'</p>';
}
?>
<form action="reset.php" method="post" role="form">
<div class="form-group">
<label for="password">Email</label>
<input type="text" class="form-control" id="email" name="email" value="
<?php
$acode=$_POST['encrypt'];
$query5 = mysqli_query($dbc,"SELECT * FROM users where passreset='$acode'") or die(mysqli_error($dbc));
$list = mysqli_fetch_array($query5); /* Error-----*/
$val = $list['email'];
echo $val;?>" >
</div>
<div class="form-group">
<label for="password">Password</label>
<input type="password" class="form-control" id="password" name="password" placeholder="Password" >
</div>
<div class="form-group">
<label for="password">Re-enter Password</label>
<input type="password" class="form-control" id="password" name="Rpassword" placeholder="Password" >
</div>
<input type="hidden" class="form-control" name="encrypt" value="<?php echo $_GET['encrypt'];?>" >
<button class="btn btn-success" type="submit" name="submit" />Submit</button>
</form>
Peace be to you all, I am working on a "forgotten username" system and my code goes like follows :-
First form :-
`<form action="security.php" method="post">
Please Enter your email address:<br>
<input type="text" name="email" value="<?php $_POST['email']?>">
<input type="submit" value="submit">
</form>`
the php code:
`<?php
$mode_allowed = array('username','password');
if(isset($_GET['mode']) === true && in_array($_GET['mode'],$mode_allowed) === true){
if(isset($_POST['email']) === true && empty($_POST['email']) === false){
if(email_exists($_POST['email']) === true){
header('location:security.php');
}else{
echo "Sorry, we can't find this email";
}
}
}else{
header('location:index.php');
}
?>`
Now the other page:
<form action="security.php" method="POST">
<p> Answer this question <p>
<select type="text" selected="selected" name="security_question" value="<?php $security_question?>">
<option name="security_question" value="<?php $security_question =mysql_query("SELECT `security_question` FROM `users` WHERE `email`='".mysql_real_escape_string($_POST['email'])."' ");
$array = mysql_fetch_array($security_question);
echo $array[0];
?>">
<?php $security_question =mysql_query("SELECT `security_question` FROM `users` WHERE `email`='".mysql_real_escape_string($_POST['email'])."' ");
$array = mysql_fetch_array($security_question);
echo $array[0];
?>
</option> </select> <br>
<input type="text" name="answer"/> <br>
<input type="submit" value="recover"/>
</form>
and its PHP:
<?php
include "session.php";
include "database/db.php";
if(isset($_POST['answer'])){
$answer = $_POST['answer'];
if(!empty($answer)){
$sql = mysql_query("SELECT `username` FROM `users` WHERE `email`='".mysql_real_escape_string($_POST['email'])."' AND `answer`='".mysql_real_escape_string($answer)."'");
if(mysql_num_rows($sql) == 1){
echo"hello";
}else {
echo "no";
}
}else{
echo "<script type='text/javascript'>alert('you must answer this question');</script>";
}
}
?>
I have also included a hidden field for the email:-
<input type="hidden" name="email" value="<?php echo $_POST['email'];?>">
Now, the code works perfectly only when i remove the "email" part from the SQL statement!! what's the mistake here?!
You haven't given the <input> a name attribute, so it will NOT submit with the form.
<input type="hidden" name="email" value="<?php echo $_POST['email'];?>"></input>
^ ^^^^^^^^^^^---missing ^^^^^^^^--illegal html
Your HTML is fundamentally broken...
try to echo email within isset
echo $email=mysql_real_escape_string($_POST['email']);
if here $email is not empty then use it simply
$sql = mysql_query("SELECT `username` FROM `users` WHERE `email`='$email' AND `answer`='".mysql_real_escape_string($answer)."'");
may this help to resolve....