0

I have created a form for the user to change the password, for which the code is as below:

include("../database.php");
if(isset($_SESSION['user_name']))
{
    $password=$_POST['new_password'];
    $query="select password from login where  username = '".$_SESSION['user_name']."' and password='".md5($password)."'";
    echo $query."<br>\n";
    $result=mysql_query($query) or die(mysql_error());
    echo $result."<br>\n";
    echo "abc<br>\n";
    echo mysql_num_rows($result)."<br>\n";
    if(mysql_num_rows($result))
    {   
        echo "def";
        $row=mysql_fetch_row($result);
        $pass=$row['password'];
        echo $pass;
        if($pass==$password)
        {
            $query2="UPDATE login SET password='$password' WHERE username='$_SESSION[user_name]'";
            echo $query2;
            echo "Password changed successfully";
        }
        else
        {
            echo "You entered wrong current password";
        }
    }
    else
    {
        echo "here";
    }
}
else
{
    header('Location:index.php');
}

It gives $result=0, so it is not going to update the user password. It goes directly to the else part and gives the output "here" as written. What is the solution for that?

3
  • 2
    Hard to be sure, but you're doing a SELECT using $_POST['new_password'], and then an UPDATE using that same value. Surely you should be using the existing password for the SELECT, as their password won't be changed at that point? Commented Oct 29, 2013 at 12:36
  • What does your query look like? Do the username and password actually exist in the database? Commented Oct 29, 2013 at 12:37
  • 1
    change '".$_SESSION[user_name]."' Commented Oct 29, 2013 at 12:38

3 Answers

1

You are using one variable - password - for two things: the old password, which is saved as an MD5 hash in the db with the user ID, and the new password, which is being passed into your routine from the user.

Make them two different variables. The first query should set "old_password" from the MD5 of the password in the db. You can use that to confirm that the user knows the old password.

Then save the new password in the database if everything checks out.


0

You are using new_password instead of the password field to look up the existing user.

I guess it should be like that (assuming that your user also provides the old password in the field 'password'):

$password=$_POST['password'];
    $query="select password from login where  username = '".$_SESSION['user_name']."' and password='".md5($password)."'";

If that is not the case, then you should at least add a field for the old password and use that field to look up the user in the DB.


0

You are trying to fetch the user by the hash of the new password

$password=$_POST['new_password'];
$query="select password from login where  username = '".$_SESSION['user_name']."' and password='".md5($password)."'";

If your form contains an old_password input, you should assign it to:

$password=md5($_POST['old_password']);
$query="select password from login where  username = '".$_SESSION['user_name']."' and password='".$password."'";

and change update query to:

$newPassword=md5($_POST['new_password']);
$query2="UPDATE login SET password='$newPassword' WHERE username='$_SESSION[user_name]'";
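
A hardened version of the password-change routine discussed on this page, as an added example that is not part of the question or of any answer. It keeps the page's `login` table and `username`/`password` columns; the `old_password`/`new_password` inputs, the function names and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example (not from the original thread). Separates the old and new
// password, uses prepared statements instead of string concatenation, and
// replaces unsalted MD5 with password_hash() while still accepting legacy rows.

function verifyStored(string $plain, string $stored): bool
{
    // Legacy rows hold a bare 32-hex-character MD5, as in the question's schema.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($plain)); // constant-time comparison
    }
    // Rows written by this routine hold password_hash() output.
    return password_verify($plain, $stored);
}

function changePassword(PDO $db, string $user, string $old, string $new): bool
{
    // Look the row up by username only; the password never goes into the WHERE clause.
    $sel = $db->prepare('SELECT password FROM login WHERE username = ?');
    $sel->execute([$user]);
    $stored = $sel->fetchColumn();
    if ($stored === false || !verifyStored($old, $stored)) {
        return false; // unknown user or wrong current password
    }
    // Store the NEW password with a salted, slow hash; this also migrates the row off MD5.
    $upd = $db->prepare('UPDATE login SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return $upd->rowCount() === 1;
}

// Constructed demo data: one user whose stored password is a legacy MD5 hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO login VALUES (?, ?)')->execute(['alice', md5('old-secret')]);

// Wrong current password, correct legacy password, then the migrated hash.
var_dump(changePassword($db, 'alice', 'wrong-guess', 'n3w-passphrase'));
var_dump(changePassword($db, 'alice', 'old-secret', 'n3w-passphrase'));
var_dump(changePassword($db, 'alice', 'n3w-passphrase', 'another-one'));
```

In the real handler, `$user` would come from `$_SESSION['user_name']` and the two passwords from separate `$_POST` fields, with the debugging `echo` of queries and hashes removed.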
