change password code

Hi,

I'm trying to change the password after logging in to web site. Following is the code that change the password. However, the password is not changing in the table. Please let me know if I'm making any error in below code.

Thanks.





<?php

$password=mysql_real_escape_string($_POST['newpassword']);
$password2=mysql_real_escape_string($_POST['confirmnewpassword']);


if ( strlen($password) < 5 or strlen($password) > 12 ){
echo "Password must be more than 5 char legth and maximum 12 char lenght<BR>";
}

if ( $password <> $password2 ){
echo "Both passwords are not matching";
}

if($password == $password2){
if(mysql_query("update users set password='$password' where empid='$_SESSION[login]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password every 2 monthsfor better security</font></center>";
}
}

Try putting an else after your query:


if(mysql_query("update users set password='$password' where empid='$_SESSION[login]'")){
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password every 2 monthsfor better security</center></font>";
}
else{
echo mysql_error();
}


You also need to change your ifs to else if otherwise even if your password is shorther than 5 or longer than 12, as long as $password and $password2 match the query will take place.

Mark

I tried that and the password is not getting changed in database.

However, I got the message that I Put in code.


"Thanks
Your password changed successfully. Please keep changing your password every 2 monthsfor better security".

any other options to change the password. If any one have their own simple change password code, then post it here..plz.

i think your $_SESSION variable is wrong

$_SESSION[login] should have quotes around 'login'


"update users set password='$password' where empid='{$_SESSION['login']}'"

I tried that also but not working.

When I echo the session variable, it only printed one digit. My user id is a 10 digit code.

Any one confirm if I'm making any error while creating the session.. Thank you.



<?php session_start(); ?>
<?php include_once("includes/connections.php"); ?>
<?php include_once("functions/funphp.php"); ?>
<?php

if (isset($_POST['password']) && isset($_POST['login'])) // if the password is set then the form has been submitted on login.php page
{

$login = mysql_real_escape_string($_POST['login']);
$password = mysql_real_escape_string($_POST['password']);
$qstr = "SELECT * from users where empid='$login' and password ='$password'";

$result = mysql_query($qstr);
$_SESSION['login']=$login['login'];
$_SESSION['username'] = $username['username'];
if (mysql_num_rows($result)==1)
{

redirect("home.php");
}
else
{
echo "<font color=#000000><b>Invalid User Name or Password. <a href=index.php> Click here</a> to go back to the login screen </a></Center></font>";

}
mysql_close();
}
?>

$_SESSION['login']=$login['login'];


This is wrong because $login is not an array. It should simply just be holding a string value that was in $_POST['login']. So it should be like this


$_SESSION['login'] = $login;


Although ideally you should just forget about $login altogether and set $_SESSION['login'] like this

$_SESSION['login'] = mysql_real_escape_string($_POST['login']);