I have a page title changepassword.php ... In this page, users are able to change their password for an account. The query goes through and gives the message that it sent, however, the database does not change. The password stays the same as it used to be. I am using a sha1 hash that I am not used to (first time using it). Anyone know what is happening with it? Thanks!
<?php
session_start ();
$user_name = $_SESSION['user_name'];
if($user_name)
{
//user is logged in
if(isset($_POST['submit']))
{
//check fields
$oldpassword = $_POST['oldpassword'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
//check password against db
$connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die();
$queryget= mysql_query ("SELECT user_pass FROM users WHERE user_name='$user_name'") or die("Query didn't work.");
$row = mysql_fetch_assoc ($queryget);
$oldpassworddb = $row['user_pass'];
//check passwords
if (sha1($oldpassword)==$oldpassworddb)
{
if ($newpassword==$repeatnewpassword)
{
if (strlen ($newpassword)>25 || strlen ($newpassword)<6)
{
echo "Password must be between 6 and 25 characters";
}
else
{
//change password in db
$newpassword = sha1($newpassword);
$querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE user_name='$user_name'");
session_destroy();
die ("Your password has been changed. <a href='index.php'>Return</a> to the main page and login with your new password.");
}
}
else
die ("New passwords do not match!");
}
else
die ("Old password is inncorrect!");
}
else
{
echo
"<form action = 'changepassword.php' method = 'POST'>
<table>
<tr>
<td>
Old password:
</td>
<td>
<input type='text' name='oldpassword'><p>
</td>
</tr>
<tr>
<td>
New password:
</td>
<td>
<input type='password' name='newpassword'>
</td>
</tr>
<tr>
<td>
Repeat new password:
</td>
<td>
<input type='password' name='repeatnewpassword'>
</td>
</tr>
<table>
<input type='submit' name='submit' value='Change password'>
</form>
";
}
}
else
die("You must be logged in to change your password!");
?>
Query_1:
SELECT user_pass FROM users WHERE user_name='$user_name'
Your Query_2:
UPDATE users SET **password**='$newpassword' WHERE user_name='$user_name'
But, Query_2 should be:
UPDATE users SET **user_pass**='$newpassword' WHERE user_name='$user_name'
Not sure if literal/single quotes will allow PHP to interpolate the variables. I usually use sprintf, too. Also, in general you don't want to just check on username, but username AND old password.
"SELECT user_pass FROM users WHERE user_name='$user_name'"
should be:
$sql = sprintf("select user_pass from users where user_name = "%s",$user_name);
also, your "die()" would be better if you output the mysql_error(), i.e.
$connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die("cannot connect".mysql_error());
But, probably the fastest way to troubleshoot is to put an error on the mysql_query:
$sql = sprintf("UPDATE users SET password="%s" WHERE user_name="%s"",$newpassword,$user_name);
$querychange = mysql_error($sql) or die ("Error updating: ".mysql_error());
Related
i have created a login page where a student is able to register using username, password and email. I have created a table which contains all the students ID. So when a students registers they have to enter a correct ID which has to match the table in order for them to register. I was wondering how can i do this. I am using php and mysql.
f(isset($_POST["submit"])){ `if(!empty($_POST['user']) && !empty($_POST['pass']) && !empty($_POST['email'])) {
$user=$_POST['user'];
$pass=$_POST['pass'];
$email=$_POST['email'];
$con=mysql_connect('localhost','root','') or die(mysql_error());
mysql_select_db('user_registration') or die("cannot select DB");
query=mysql_query("SELECT * FROM login WHERE username='".$user."'");
$numrows=mysql_num_rows($query); if($numrows==0)
$sql="INSERT INTO login(username,password,email) VALUES('$user','$pass', '$email')";
$result=mysql_query($sql);
if($result){ echo "Account Successfully Created"; } else {
echo "Failure!";
else { echo "That username already exists! Please try again with another.";
else { echo "All fields are required!";
i have not included the student ID part as i am unsure
You would need to query the MySQL database and check that the user ID that the person has submitted is in the table. If it is in the table, then do whatever you want to do, or if not then tell the user that the user ID is incorrect.
It might help if you gave some more information about what you've actually already done...
like MattFiler said, you need to query the MYSQL database and check that the user ID and password a person has submitted is in the table or not. something like this;
PHP
require ('config.php');
if (isset($_POST['uname']) && isset($_POST['pass'])) {
$user = $_POST['uname'];
$pass = $_POST['pass'];
$que = "SELECT * FROM login WHERE username = '$user' AND password = '$pass' ";
$run = mysql_query($que);
$row = mysql_fetch_array($run);
$user_db = $row['username'];
$pass_db = $row['password'];
if ($user == $user_db && $pass == $pass_db) {
echo "LOGGED IN!";
// anything else you want to do here..
}
else {
echo "INVALID USER ID OR PASSWORD<br />Please Sign Up if you are a new user.";
die();
}
}
HTML
<form action="" method="post">
<p><label class="field">Username:</label></p>
<input class="textbox-300" name="uname" pattern="[a-zA-Z0-9\. ]+" required="" title="Please enter your Username" type="text">
<p><label class="field">Password:</label></p>
<input class="textbox-300" id="pass" name="pass" required="" type="password"> <input name="check" type="hidden">
<input class="button" name="sub" type="submit" value="Login">
</form>
Note: this is just a demo, do it with mysqli/PDO and consider taking care of SQL Injection/XSS before you go live.
<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
// username and password sent from Form
$myusername = addslashes($_POST['username']);
$mypassword = addslashes($_POST['password']);
$sql = 'SELECT user_id FROM users WHERE username = "'.$myusername.'" and password = "'.$mypassword.'" ';
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$active = $row['active'];
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if ($count==1)
{
$session_id = $row['user_id'];
session_register("session_id");
$_SESSION['login_user'] = $session_id;
$login_session = $_SESSION['login_user'];
header("location:resetpwd.php?user_session=".$login_session."");
}
else
{ echo "invalid username/password"; }
}
?>
<html>
<body>
<form action='' method='post' accept-charset='UTF-8'>
<table class="login">
<tr><td><label>Username </label></td>
<td><input type="text" name="username" maxlength="20" size="30px"/></td>
</tr>
<tr><td><label>Password </label></td>
<td><input type="password" name="password" maxlength="50" size="30px"/></td>
</tr>
</table>
<div><input type="submit" class="loginbutton" style="cursor:pointer;" value=""/></div>
</form>
</body>
</html>
The above code is a login page. When a user registers, he/she will get an auto generated password to his/her mail. Now the user will login with that username and password from email, I need to redirect the page to change to password only at first time login and later it should redirect to welcome.php
Could anyone suggest me. Many Thanks
Have a database column saying "is first login". Alternatively, you can have a "most recent login", and if it's null then they've never logged in before and need to set a password.
Or just do what normal people do and have "password" be a field on the registration form.
I am wanting to use a html form to reset passwords to a hashed md5 password. I will include all of my code. i get a blank screen when i submit the form. I am a beginner so please keep that in mind. I check myphpadmin and the hashed password does not change.
<html>
<head><title> Administrator reset password page</title></head>
<body>
<form action="forgotpass.php" method="post">
<table>
<tr><td>User Name:</td><td><input type="text" name="password" /></td></tr>
<tr><td>Password:</td><td><input type="text" name="user" /></td></tr>
<tr><td colspan="2" align="center"><input type="submit" value="Reset Password"/></td> </tr>
</table>
</form>
</body>
</html>
<?php
include "connect.php"
$tmpPass = $_POST['password'];
$tmpuser= $_POST['user'];
$tmpPass = md5($tmpPass);
$sql = mysql_query("UPDATE employee set pass = $tmpPass WHERE usr = $tmpuser");
// Performs the $sql query on the server to insert the values
if ($conn->query($sql) === TRUE) {
echo 'Password Has Been Reset Successfully';
/*
$email_message.= "Hello ";
$email_message.= "User with username: " .$tmpUser. "\n";
$email_message.= "Your New password: " .$_POST['password']. "\n";
$email_to = "registration#joshuamoorehead.com";
$email_subject = "Registration";
*/
else {
echo 'Error: '. $conn->error;
}
$conn->close();
?>
You're missing quotes around your string values:
$sql = mysql_query("UPDATE employee set pass = '$tmpPass' WHERE usr = '$tmpuser'");
Also, why are you running your query a second time?
// Performs the $sql query on the server to insert the values
if ($conn->query($sql) === TRUE) { // <-- HERE
echo 'Password Has Been Reset Successfully';
Your $sql variable will contain the boolean result of your query, you need to check that variable is true as opposed to running the query again:
if($sql === true) {
echo 'Password Has Been Reset Successfully';
So actualy the problem is i need a login/register system and thast what i wrote and it works all fine login and register is working except when i try to create account i write in all the things its needed and create it and it says You've succsessfully registered! but when i go check the database there isnt the new data with id username pass and so on but i get no error connecting to database or anything and when i try to login i cant cuz there are no data from registering in database. I also checked the database name twice and its not wrong in the code i think or it is i m kinda new in php.
if anyone wants i can add him on skype or you can check over teamviewer if u prefer i rly need this fixed please!!
picture of the database: http://shrani.si/f/1f/pO/3sIbCuUk/brez-naslova.png cant post pictures directly yet
Database server
Server: 127.0.0.1 via TCP/IP
Server type: MySQL
Server version: 5.6.14 - MySQL Community Server (GPL)
Protocol version: 10
User: root#localhost
Server charset: UTF-8 Unicode (utf8)
Web server
Apache/2.4.7 (Win32) OpenSSL/1.0.1e PHP/5.5.6
Database client version: libmysql - mysqlnd 5.0.11-dev - 20120503
PHP extension: mysqli Documentation
this is my register.php file
echo "<h1>Sign Up</h1>";
$submit = #$_POST['submit'];
//form data
$fullname = strip_tags(#$_POST['fullname']);
$username = strip_tags(#$_POST['username']);
$password = strip_tags(#$_POST['password']);
$confirmpassword = strip_tags(#$_POST['confirmpassword']);
$date = date("Y-m-d");
if($submit)
{
//check for existance
if($fullname&&$username&&$password&&$confirmpassword)
{
if($password==$confirmpassword)
{
if (strlen($username)>25||strlen($fullname)>25)
{
echo "Lenght of username or full name is too long!";
}
else
{
if(strlen($password)>25||strlen($password)<6)
{
echo "Your password must be between 6 and 25 characters long!";
}
else
{
//register the user
//encrypt password
$password = md5($password);
$confirmpassword = md5($confirmpassword);
//connect to databases
$connect = mysql_connect("localhost", "root", "");
mysql_select_db("login");
$queryreg = mysql_query("INSERT INTO users VALUES ('','$fullname','$username','$password','$date'");
die("You've succsessfully registered! <a href='index2.php'>Click here to return to the login page!</a>");
}
}
}
else
{
echo "Your passwords do not match!";
}
}
else
{
echo "Please enter all fields!";
}
}
?>
<p>
<form action="register.php" method="POST">
<table>
<tr>
<td>
Full Name:
</td>
<td>
<input type="text" name="fullname" value="<?php echo $fullname?>">
</td>
</tr>
<tr>
<td>
Username:
</td>
<td>
<input type="text" name="username" value="<?php echo $username ?>">
</td>
</tr>
<tr>
<td>
Password:
</td>
<td>
<input type="password" name="password">
</td>
</tr>
<tr>
<td>
Confirm Password:
</td>
<td>
<input type="password" name="confirmpassword">
</td>
</tr>
</table>
<p>
<input type="submit" name="submit" value="Create Account">
</p>
</form>
thats my index2.php i named it index2.php cuz i arleady have 1 index.php
<head>
<title>Login Session</title>
</head>
<body>
<form method="POST" action="login.php">
Username: <input type="text" name="username"><br/>
Password: <input type="password" name="password"><br/>
<input type="submit" name="submit" value="Log in">
Create An Account
Domov
</form>
</body>
and here is login.php
session_start();
$username = $_POST['username'];
$password = $_POST['password'];
if ($username&&$password)
{
$connect = mysql_connect("localhost", "root", "") or die("Couldn't connect to host!");
mysql_select_db("login") or die("Couldn't find database!");
$query = mysql_query("SELECT * FROM users WHERE username ='$username'");
$numrows = mysql_num_rows($query);
if ($numrows!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
}
if($username==$dbusername&&md5($password)==$dbpassword)
{
$_SESSION['username']=$username;
header("Location: member.php");
}
else
{
echo "Wrong password!";
}
}
else
{
die("That user hasn't been created!");
}
}
else
{
echo "Username and password must be entered!";
}
and member.php
session_start();
if ($_SESSION['username'])
echo "Hello, ".$_SESSION['username']."!<br/><a href='logout.php'>Sign Out";
else
{
header("Location: index2.php");
}
I think you are trying to insert a record without a valid primary key. Use null instead of '' for the primary key
$queryreg = mysql_query("INSERT INTO users VALUES (null,'$fullname','$username','$password','$date'");
You can also see if there is any error in the query using die(mysql_error()); after the query.
Very Important
You should NOT use md5 to hash a password, it is very vulnerable and insecure. Use bcrypt instead. Also you shouldn't use the mysql_* functions, as they are deprecated, use mysqli instead
Well, there are a few things that i would recommend.
There is no use for the # symbol in the post fields: http://us3.php.net/manual/en/language.operators.errorcontrol.php
There is no point of using strip_tags for $password and $confirmpassword.
You are hashing them in md5. I recommend you to use mcrypt: http://php.net/mcrypt
$password = md5($password);
$confirmpassword = md5($confirmpassword);
In:
$queryreg = mysql_query("INSERT INTO users VALUES ('','$fullname','$username','$password','$date'");
Provide the columns name in the query, like:
$queryreg = mysql_query("INSERT INTO users (fullname, username, password, date) VALUES ('$fullname','$username','$password','$date'");
You don't need to provide blank space as id in order to let MYSQL use AUTOINCREMENT.
Check your column value type for date, you are passing it as string.
Try to resolve first your inserts to the database.
your errors
1.the connection
the connection line should be:
$db = mysql_connect("localhost", "root", "" ,"login") or trigger_error(mysql_error());
instead of:
$connect = mysql_connect("localhost", "root", "");
mysql_select_db("login");
---summary-----keep it in one line and always declare an error where ever possible
2.the insertion into the database
first of all you should specify in which columns it should insert what
for eg.
$new_user= mysqli_query("INSERT INTO userinfo (id,firstname,lastname) VALUES ('','firstname','$lastname')");
explaination:the above code states that insert the values stored in the variable firstname & lastname into the column firstname & column lastname.The value of id is left blank because we want it to auto_increment
secondly
you should use a if....else condition to kill the script if it does not insert the data in the database
ok since you clearly know that your php extenson is mysqli the simply change mysql to mysqli note:if your connection line is in the same file and not in a different one you should include the connection variable before the sql line
for eg:
$search=mysqli_query($db,"select * from userinfo where ......
where $db is the variable that holds the connection script
I created a PHP script that allows a user on my website to change their password once registered, but am getting an error when I try to open it on the site. I believe it is due to a syntax error on my part but I can't seem to spot it. Can someone take a look and see what you can find? Here is the script:
<?php
session_start();
$user = $_SESSION['username'];
if ($user)
{
//user is logged in
if ($_POST['submit'])
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("Old password doesn't match!");
}
else
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
else
die ("You must be logged in to change your password");
}
?>
The error I am getting is as follows:
Notice: Undefined index: submit in /var/www/localhost/htdocs/changepassword.php on line 11
You must be logged in to change your password.
Thanks in advance for your help.
Well first you should notice that mysql is deprecated, use mysqli or PDO instead More info or like NullPointer has pointed More Good Info :)
change the end of your code like this to get the right results that you want for fail:
}else
die ("Nothing came from the $_POST variable");
}else
die ("You must be logged in to change your password");
The error that your getting is maybe because your $_POST variable isn't set, use isset() to check if $_POST was set.example:
if (isset($_POST['submit']))
{
//submit post was set
}else
{
//submit post wasn´t set
}
If you still not getting any value, check your form.
UPDATE:
to see the actual form you must end the isset before the form your code stays like this:
<?php
session_start();
$user = $_SESSION['username'];
if (isset($_SESSION['username']))
{
//user is logged in
if (isset($_POST['submit']))
{
//start changing password
//check fields
$oldpassword = md5($_POST['oldpassword']);
$newpassword = md5($_POST['newpassword']);
$repeatnewpassword = md5($_POST['repeatnewpassword']);
//check password against db
include('connection.php');
$queryget = mysql_query("SELECT password FROM Users WHERE username='$user'") or die ("change password failed");
$row = mysql_fetch_assoc($queryget);
$oldpassworddb = $row['password'];
//check passwords
if ($oldpassword==$oldpassworddb)
{
//check two new passwords
if ($newpassword==$repeatnewpassword)
{
//successs
//change password in db
$querychange = mysql_query("UPDATE Users SET password='$newpassword' WHERE username='$user'");
session_destroy();
die("Your password has been changed. <a href='homepage.php'> Return</a>");
}
else
die("New password doesn't match!");
}else
die("Old password doesn't match!");
}
else
{
echo"
<form action='changepassword.php' method='POST'>
Old Password: <input type='text' name='oldpassword'><p>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type='submit' name ='submit' value='submit'>
</form>
";
}
}else
die ("You must be logged in to change your password");
?>
But you wont see it until your logged in. Your second problem is that your $user variable seems to dont have any value. after trying the above code if it wont work.
put this line after
$user = $_SESSION['username'];
echo 'Here it shold show the user: '.$user.'';
if it wont show up your not passing the session value right.
One more thing, if your form is pointing to same page, thats what it looks like change your line to this line:
<form action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8");?>" method='POST'>
Your input html form has an extra space in it
<input type='submit' name ='submit' value='submit'>
Change it to
<input type='submit' name='submit' value='submit'>
You should also make sure
if (isset($_POST['submit']))