...

View Full Version : Change Password



Jon W
01-18-2008, 12:02 PM
Hello, I'm having problems with my script not working the way that I want it to. See what I want it to do is first check and see if there is a user_id up in the address bar, and if there is move on to grabbing the random_key user_id from the table called recovery. Once it does that, its suppose to check the one key that was submitted to the database and see if the one thats in the database matches the one thats in the URL. If thats true, then display a form that they can then change their password. But its not doing that at all. No errors are being displayed as well, so I'm confused what I'm doing wroing. I do realize that this may not be the best way to do things. Please do understand that I do not run my own website that people will be using this feature on my site. This is just for learning purposes only. This is just so that I can looking from my wrongs and rights, once I understand what I'm doing a lot better, then I'll worry about other things such as making a more secure website. Heres the PHP code:





<?php

if($_GET['user_id'] !='')

{

include('db.php');

$query = mysql_query("SELECT user_id, random_key FROM recovery WHERE user_id = '$user_id'") or die('Database error: ' . mysql_error());

if(mysql_num_row($query) == 1)

{

$row = mysql_fetch_assoc($query);

if($_GET['key'] != $row['random_key'] && $_GET['user_id'] != $row['user_id'])
{

$error = 'Error';

}
else
{

$newpass = $_POST['newpass'];

$sql = mysql_query("UPDATE INTO users SET password = '$newpass'") or die('Database error: ' . mysql_error());

echo '<form action="" method="post">
<input name="newpass" type="password" />
<input name="retype" type="password" />
<input name="submit" type="submit" value="Change Password" />
</form>';


}
}
else
{
$error = 'Error:';
}
}

?>




Thanks guys,

Jon W(Newbie)

abduraooft
01-18-2008, 12:33 PM
I think there must be some change in the logic, say
1) Check the random key & userid in the url, if a match found display a form to enter new password.
2)Put hidden fields to store the usrid&random key and post the form along with these info.
3)Now, in the POST you can again check for integrity and then do the other stuffs.

Jon W
01-18-2008, 01:10 PM
Hrmm.. I'm kinda confused on what you mean there. Can you example yourself a little better?

Thanks
Jon

fl00d
01-18-2008, 06:31 PM
First off, this


if(mysql_num_row($query) == 1)
should be


if(mysql_num_rows($query) == 1)
(notice the s at the end of rows).

I see you've set an error variable, but its never being echoed out anywhere.
Finally in your SQL query, you seem to be using the variable $user_id, but I haven't seen it be initialized anywhere?

WHERE user_id = '$user_id'")

So fixing the few things pointed out should fix it... I think :)


<?php

if($_GET['user_id'] !='')

{

include('db.php');
$user_id = $_GET['user_id'];
$query = mysql_query("SELECT user_id, random_key FROM recovery WHERE user_id = '$user_id'") or die ('Database error: ' . mysql_error());

if(mysql_num_rows($query) == 1)

{

$row = mysql_fetch_assoc($query);

if($_GET['key'] != $row['random_key'] && $_GET['user_id'] != $row['user_id'])
{

$error = 'Error';

}
else
{

$newpass = $_POST['newpass'];

$sql = mysql_query("UPDATE INTO users SET password = '$newpass'") or die('Database error: ' . mysql_error());

echo '<form action="" method="post">
<input name="newpass" type="password" />
<input name="retype" type="password" />
<input name="submit" type="submit" value="Change Password" />
</form>';


}
}
else
{
$error = 'Error:';
}
}
//added this in to check for errors
if(isset($error)){
echo $error;
}
?>

abduraooft
01-19-2008, 04:53 AM
else
{

$newpass = $_POST['newpass'];

$sql = mysql_query("UPDATE INTO users SET password = '$newpass'") or die('Database error: ' . mysql_error());

echo '<form action="" method="post">
<input name="newpass" type="password" />
<input name="retype" type="password" />
<input name="submit" type="submit" value="Change Password" />
</form>';


}
You've put your update query and display form in the same case. How can you expect this? If update is OK then why do you want to display the form again?
Also have a look at mysql update syntax (http://dev.mysql.com/doc/refman/5.0/en/update.html)



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum