View Full Version : Password changing questions

03-03-2009, 12:58 AM
I'm in a teach it to yourself php class and im making a web page that allows you to change your password which is kept in a mysql database. I have a couple questions on this certain assignment.

How do you set a php script to run off a button click, also am i using post right because i thought post wasn't supposed to show anything in your address bar. By the way since this is mostly a learn by yourself class we don't have to do any encoding for security reasons, yet.

Heres my form code:

form action="test.php" method="post()">
<input name="user" type="text" maxlength="40">
Current Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input name="oldpassword" type="password" maxlength="20">
New Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
<input name="newpassword" type="password" maxlength="20">
must contain at least one numeric and one alphabetic character.
Retype New Password:
<input name="retypepass" type="password" maxlength="20">
must contain at least one numeric and one alphabetic character.
<input type="submit" value="submit" onclick="check()">

Heres my php code:

$connect= mysql_connect('localhost', "lafulton", "");
die('Could not connect: ' . mysql_error());

mysql_select_db("lafulton", $connect);

$phpuser= $_POST["user"];
$phpoldpass= $_POST["oldpassword"];
$phpnewpass= $_POST["newpassword"];
$phpretypepass= $_POST["retypepassword"];

$query= "SELECT * FROM Accounts WHERE '$phpuser'= username AND '$phpoldpass'= password";
$result= mysql_query($query);
mysql_query("UPDATE Accounts Set password= '$phpretypepass' WHERE username = '$phpuser'");
trigger_error("There was an error in processing the information, try again.");


03-03-2009, 02:09 AM
Post is not a sub routine call, its type. So no, you're post is incorrect, which is also why you're other stuff won't work.
Ouch on this line, good thing this is the server side forum ;)

Username: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;


<form action="test.php" method="post">
<label for="txtUser">Username</label>
<input type="text" name="user" id="txtUser" />
<label for="txtPassword">Password</label>
<input type="password" name="oldpassword" id="txtPassword" />
<label for="txtNewPassword">New Password</label>
<input type="password" name="newpassword" id="txtNewPassword" />
<label for="txtConfirmPassword">Confirm Password</label>
<input type="password" name="retypepass" id="txtConfirmPassword" />
<input type="submit" value="Change Password" />

There, thats better. Style it up with CSS.

For you're actual processing, its not bad. Needs some work, specifically error checking, escaping and correcting you're SQL syntax. The first thing you should do (can be before or after you're sql connection, but I'd do it before), is ensure you're getting a form submission. I'm lazy, so I'd just wrap it in an if (isset($_POST['submit'])) block. Next, escape you're data. To do this, you use mysql_real_escape_string, but you'll want to remove the escaping if its been done magically for you:

if (@get_magic_quotes_gpc())
$_POST['name'] = stripslashes($_POST['name']);
$_POST['oldpassword'] = stripslashes($_POST['oldpassword']);

Never trust a user.
Next, you're sql is backwards here:

$query= "SELECT * FROM Accounts WHERE '$phpuser'= username AND '$phpoldpass'= password";

It is always WHERE FIELD = VALUE combinations. Flip the value and field pairs, and that will work. I see you error check this one kinda, you should handle if the mysql calls actually fail. Most of us are lazy, so we use an undocumented feature which may or may not fail in the future:

mysql_query("SELECT * FROM table") or die(mysql_error());

And on a final note, you're not actually confirming that the two new password values are matching. You should also consider storing a password in a hash instead, any type of encryption is better than no encryption.

03-03-2009, 03:52 AM
Thanks for you help, much appreciated. :)