Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 18
  1. #1
    Regular Coder
    Join Date
    Jun 2010
    Posts
    163
    Thanks
    10
    Thanked 0 Times in 0 Posts

    password checking problems

    I'm creating a profile page that allows users to change their first name, last name, email or password.

    Everything is working fine, except the password part.

    On one of the else statements, it says "Old passwords do not match".

    That is the message i get when I try changing the password. It could be an MD5 error

    MySQL version: 5.0.19
    I'm not getting any mysql errors

    Here's the code:
    PHP Code:
    <?php

    session_start
    ();
    include(
    'inc/connect.php');

    $username $_SESSION['username'];

    if (
    $username)
    {
        
    //if user is logged in

    $sql mysql_query("SELECT * FROM `users` WHERE `username`='".$username."'");
    $row mysql_fetch_assoc($sql);

    $fname $row['fname'];
    $lname $row['lname'];
    $email $row['email'];
    $edit = ($_POST['edit']);

    // Edit variables
    $fnamenew ucfirst(strip_tags($_POST['fname']));
    $lnamenew ucfirst(strip_tags($_POST['lname']));
    $emailnew strip_tags($_POST['email']);
    $password strip_tags(md5($_POST['password']));
    $passwordnew strip_tags(md5($_POST['passwordnew']));
    $passwordconf strip_tags(md5($_POST['passwordconf']));


    if(
    $edit){

    // check password against database

    $oldpassworddb $row['password'];

    // check passwords
    if($password==$oldpassworddb)
    {
        
    //check two new passwords
        
    if($passwordnew==$passwordconf)
        {
            
    // success
            // change password in database
            
    $edit "UPDATE users SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew', `password`='$passwordnew' WHERE username='$username'";
            
    mysql_query($edit);

            
    $fname ucfirst(strip_tags($_POST['fname']));
            
    $lname ucfirst(strip_tags($_POST['lname']));
            
    $email strip_tags($_POST['email']);
            
            
    $submitted "Changes Submitted";
            
        
        }
        else
            die(
    "New Passwords Don't Match!");

    }
    else
        die(
    "Old Password doesn't match!");

    }
    }
    else
        
    header("Location: index.php");

    ?>

    <html>
    <head>
    <title>Profile</title>
    </head>
    <body>

    <form action="profile.php" method="POST">
        Username: <input type="text" value="<?php echo $username?>" readonly="readonly"><br />
        First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $fname?>"><br />
        Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $lname?>"><br />
        Email: <input type="text" maxlength="64" name="email" value="<?php echo $email?>"><br />
        Password: <input type="password" maxlength="32" name="password"><br />
        New Password: <input type="password" maxlength="32" name="passwordnew"><br />
        Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />
        
        <input type="submit" name="edit" value="Submit Changes">
        <?php echo $submitted?>
    </form>
    </body>
    </html>

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Before:
    PHP Code:
    if($password==$oldpassworddb
    Add:
    PHP Code:
    printf("\$password = %s, \$oldpassworddb = %s\n"$password$oldpassworddb); 
    And post that result.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #3
    New Coder
    Join Date
    Jan 2010
    Location
    UT
    Posts
    35
    Thanks
    1
    Thanked 3 Times in 3 Posts
    Well for one, you don't need to do strip_tags after something has been md5()'d
    Last edited by Zoic; 06-17-2010 at 11:33 PM.
    Just here to help.

  • #4
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by Zoic View Post
    Check the names of your variables.

    You have $oldpassworddb in your if statement.
    The names look fine to me:
    PHP Code:
    $oldpassworddb $row['password']; 

    // check passwords 
    if($password==$oldpassworddb
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #5
    New Coder
    Join Date
    Jan 2010
    Location
    UT
    Posts
    35
    Thanks
    1
    Thanked 3 Times in 3 Posts
    Yeah... lol I just woke up, cut me some slack :P
    Just here to help.

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Quote Originally Posted by Zoic View Post
    Yeah... lol I just woke up, cut me some slack :P
    Hah, well I definitely know how that goes
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #7
    Regular Coder
    Join Date
    Jun 2010
    Posts
    163
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Sorry about the wait.

    I placed that code and get the following result:

    $password = e63ecc8562f85d493f170a75412b22d0, $oldpassworddb = 0050c32551ba1a7f34ef07a68fe5efc5 Old Password doesn't match!

    I got no mysql errors.

  • #8
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    The passwords just don't match, and the datatypes are fine (char32). How are you checking the password for login, can you post that too?
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #9
    Regular Coder
    Join Date
    Jun 2010
    Posts
    163
    Thanks
    10
    Thanked 0 Times in 0 Posts
    sure, here is login.php

    PHP Code:
    <?php
    $username 
    ucfirst($_POST['username']);
    $password $_POST['password'];


    include(
    'inc/connect.php');


    if (
    $username&&$password)
    {

    $query mysql_query("SELECT * FROM users WHERE username='$username'");

    $numrows mysql_num_rows($query);

    if (
    $numrows!=0)
    {

     while (
    $row mysql_fetch_assoc($query))
     {
           
    $dbusername $row['username'];
           
    $dbpassword $row['password'];
           
    $userid $row['id'];


    session_start();
    $_SESSION['username'] = $username;
    $_SESSION['userid'] = $userid;
     }

     
    // check to see if they match
     
    if ($username==$dbusername&&md5($password)==$dbpassword)
    {
      
    //echo "You're In! <a href='member.php'>Click</a> here to enter the member page.";
      
    $_SESSION['username']=$username;
        
      
    header('Location:http://www.daobux.com/member.php');
    }
    else
        echo 
    "Incorrect Password!";

    }
    else
        die(
    "That user doesn't exist!");


    }
    else
        die(
    "Please fill out all fields!");


    ?>

  • #10
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    The login is flawed, the session will always be set regardless of if the password is valid. Only set these if the check is true.
    Other than that, the password change should be ok. It was mentioned that strip tags needn't be done on hashed values, though leaving them shouldn't cause fault either (I'd remove). You're going to need to run some tests, but best I can see it should work for matching passwords which indicate that the passwords just don't match. Start by MD5 ing your actual password and update the db, then try again.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #11
    Regular Coder
    Join Date
    Jun 2010
    Posts
    163
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Alright, this is where I am at.

    The login and password change is now working, however there are still a couple minor issues.

    1. If the user doesn't want a new password, and they leave those 2 fields blank, the database sets their password as nothing, leaving an MD5 of their blank password. Not sure how to fix this.

    2. If the user's current password doesn't match, it takes them to another page that says "Old Password Doesn't Match!". How can I set this error message so it appears on the same page next to my submit button?

    Thanks much everyone!

  • #12
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    • Use empty() to check if a new password is entered, an dynamically build sql on that condition or set the new password to equal the old before updating.
    • Capture errors in a variable and print them where desired. If its on another page, pass it with get or use a session.

    On ps3 so can't codes
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 

  • #13
    Regular Coder
    Join Date
    Jun 2010
    Posts
    163
    Thanks
    10
    Thanked 0 Times in 0 Posts
    Alright thanks!

    I tried using the empty as an if statement, but it's like it isn't even going through the script. It still gives the new password empty values.

    PHP Code:
        if (empty($passwordnew)) {
            
    $passwordnew $oldpassworddb;
            } 

  • #14
    Regular Coder
    Join Date
    Jul 2009
    Posts
    187
    Thanks
    16
    Thanked 8 Times in 8 Posts
    why not just try ignoring the pass change if the field is left empty instead of creating another mysql connection which is unneeded.

    PHP Code:
    <?php
    if ($passwordnew != NULL) {
            
    //then do the change password stuff
    }  
    ?>
    This way, the password would only be changed if the user actually enters a password in the new password box

    As for the errors:
    You could various things, 2 common examples are:
    - you could store them in arrays
    - you could just echo them out on the same page.
    Last edited by Jazz914; 06-18-2010 at 09:37 AM.

  • #15
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    Null isn't the same as empty, but its the right idea. Empty will attempt to cast anything its given to a string and evaluate it as empty, and since null when cast to string is empty, empty will also return true for null, but an empty string will not equate to null.
    Lol, less winded: null == '' when checking with empty(), but '' != null when checking $str == null.

    Input fields will send an empty string across, not null. I actually wish they were since it would reduce complications; hashing null returns null, but hashing an empty string with md5 returns 'd41d8cd98f00b204e9800998ecf8427e'.
    The empty check needs to be performed before you hash the value (either that or hash the value and compare it to md5(''), but that seems like a waste of resource to me).
    PHP Code:
    <?php 

    session_start
    (); 
    include(
    'inc/connect.php'); 
        
    $username = isset($_SESSION['username']) ? $_SESSION['username'] : ''
    $curfname '';
    $curlname '';
    $curemail '';

    $aNotice = array();

    if (!empty(
    $username))

        
    //if user is logged in 

        
    $sql mysql_query("SELECT * FROM `users` WHERE `username`='$username'"); 
        
    $row mysql_fetch_assoc($sql); 

        
    $curfname $row['fname']; 
        
    $curlname $row['lname']; 
        
    $curemail $row['email']; 
        
    $curpassword $row['password'];

        if (isset(
    $_POST['edit']))
        {
            
    // Edit variables 
            // You should validate these for any required fields.  If you allow empty values, then this is fine.  I'd allow all to be optional except email, so you may want to validate that with filter_var or regex
            
    $fnamenew mysql_real_escape_string(ucfirst(strip_tags($_POST['fname']))); 
            
    $lnamenew mysql_real_escape_string(ucfirst(strip_tags($_POST['lname']))); 
            
    $emailnew mysql_real_escape_string(strip_tags($_POST['email'])); 

            
    // I would take a different approach to handling these with looping, but I won't overcomplicate things here.
            
    $sUpdate "UPDATE `users` SET `fname` = '$fnamenew', `lname` = '$lnamenew', `email` = '$emailnew'";

            if (isset(
    $_POST['passwordnew']) && !empty($_POST['passwordnew']))
            {
                
    $password md5($_POST['password']); 
                
    $passwordnew md5($_POST['passwordnew']); 
                
    $passwordconf md5($_POST['passwordconf']); 
                if (
    strcmp($password$curpassword) <> 0)
                {
                    
    array_unshift($aNotice'Old password does not match!');
                }
                else if (
    strcmp($passwordnew$passwordconf) <> 0)
                {
                    
    array_unshift($aNotice'New passwords do not match!');
                }
                else
                {
                    
    $sUpdate .= ", `password` = '$passwordnew'";
                }
       
            
    $sUpdate .= " WHERE `username` = '$username'";
            
    // Here you can decide if you want the 'ok' values to be updated.
            // Personally, I'd check on if errors have occured and only update if its clean
            
    mysql_query($sUpdate) or die('Unable to execute query: ' mysql_error());
            
    array_unshift($aNotice'Changes Submitted.');
        }
    }

    ?> 

    <html> 
    <head> 
    <title>Profile</title> 
    </head> 
    <body> 

    <form action="profile.php" method="POST"> 
        Username: <input type="text" value="<?php echo $username?>" readonly="readonly"><br /> 
        First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $curfname?>"><br /> 
        Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $curlname?>"><br /> 
        Email: <input type="text" maxlength="64" name="email" value="<?php echo $curemail?>"><br /> 
        Password: <input type="password" maxlength="32" name="password"><br /> 
        New Password: <input type="password" maxlength="32" name="passwordnew"><br /> 
        Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br /> 
         
        <input type="submit" name="edit" value="Submit Changes"> 
    <?php
        
    if (count($aNotice) > 0)
        {
            print 
    '<div id="submission_notices">';
            foreach (
    $aNotice AS $notice)
            {
                
    printf("<div>%s</div>\n"$notice);
            }
            print 
    '</div>';
        }
     
    ?> 
    </form> 
    </body> 
    </html>
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •