I have a page titled changepassword.php. On this page, users are able to change the password for their account. The query goes through and gives the message that it sent; however, the database does not change. The password stays the same as it used to be. I am using a sha1 hash that I am not used to (first time using it). Does anyone know what is happening with it? Thanks!
<?php
session_start();
$user_name = $_SESSION['user_name'];
if ($user_name)
{
    //user is logged in
    if (isset($_POST['submit']))
    {
        //check fields
        $oldpassword = $_POST['oldpassword'];
        $newpassword = $_POST['newpassword'];
        $repeatnewpassword = $_POST['repeatnewpassword'];
        //check password against db
        $connect = mysql_connect("localhost", "root", "passssssssword") or die();
        mysql_select_db("database") or die();
        $queryget = mysql_query("SELECT user_pass FROM users WHERE user_name='$user_name'") or die("Query didn't work.");
        $row = mysql_fetch_assoc($queryget);
        $oldpassworddb = $row['user_pass'];
        //check passwords
        if (sha1($oldpassword) == $oldpassworddb)
        {
            if ($newpassword == $repeatnewpassword)
            {
                if (strlen($newpassword) > 25 || strlen($newpassword) < 6)
                {
                    echo "Password must be between 6 and 25 characters";
                }
                else
                {
                    //change password in db
                    $newpassword = sha1($newpassword);
                    $querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE user_name='$user_name'");
                    session_destroy();
                    die("Your password has been changed. <a href='index.php'>Return</a> to the main page and login with your new password.");
                }
            }
            else
                die("New passwords do not match!");
        }
        else
            die("Old password is incorrect!");
    }
    else
    {
        echo
        "<form action = 'changepassword.php' method = 'POST'>
        <table>
        <tr>
        <td>
        Old password:
        </td>
        <td>
        <input type='text' name='oldpassword'><p>
        </td>
        </tr>
        <tr>
        <td>
        New password:
        </td>
        <td>
        <input type='password' name='newpassword'>
        </td>
        </tr>
        <tr>
        <td>
        Repeat new password:
        </td>
        <td>
        <input type='password' name='repeatnewpassword'>
        </td>
        </tr>
        </table>
        <input type='submit' name='submit' value='Change password'>
        </form>
        ";
    }
}
else
    die("You must be logged in to change your password!");
?>
Query_1:
SELECT user_pass FROM users WHERE user_name='$user_name'
Your Query_2:
UPDATE users SET **password**='$newpassword' WHERE user_name='$user_name'
But, Query_2 should be:
UPDATE users SET **user_pass**='$newpassword' WHERE user_name='$user_name'
Not sure if literal/single quotes will allow PHP to interpolate the variables. I usually use sprintf, too. Also, in general you don't want to just check on username, but username AND old password.
"SELECT user_pass FROM users WHERE user_name='$user_name'"
should be:
$sql = sprintf("select user_pass from users where user_name = '%s'", $user_name);
Also, your "die()" would be better if you output the mysql_error(), i.e.
$connect=mysql_connect("localhost","root","passssssssword") or die();
mysql_select_db("database") or die("cannot connect".mysql_error());
But, probably the fastest way to troubleshoot is to put an error on the mysql_query:
$sql = sprintf("UPDATE users SET password='%s' WHERE user_name='%s'", $newpassword, $user_name);
$querychange = mysql_query($sql) or die ("Error updating: ".mysql_error());
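
Added example, not code from this thread: the same password-change flow written with PDO prepared statements, exceptions enabled so a wrong column name cannot fail silently, and password_hash()/password_verify() swapped in for sha1(). It assumes PHP 7+ with the pdo_sqlite extension; the in-memory database and the `alice` account are constructed for the demo, and `changePassword` is a hypothetical helper name.

```php
<?php
// Added example. Table/column names (users, user_name, user_pass) follow the thread;
// the in-memory SQLite database and the sample account are constructed for the demo.
function changePassword(PDO $db, string $user, string $old, string $new, string $repeat): string
{
    if ($new !== $repeat) {
        return 'New passwords do not match';
    }
    if (strlen($new) < 6 || strlen($new) > 25) {   // length limits from the original script
        return 'Password must be between 6 and 25 characters';
    }
    // Bound parameter instead of interpolating $user into the SQL string.
    $get = $db->prepare('SELECT user_pass FROM users WHERE user_name = ?');
    $get->execute([$user]);
    $stored = $get->fetchColumn();
    // password_verify() checks a salted password_hash() value in constant time.
    if ($stored === false || !password_verify($old, $stored)) {
        return 'Old password is incorrect';
    }
    $set = $db->prepare('UPDATE users SET user_pass = ? WHERE user_name = ?');
    $set->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    // Report success only if a row was really written.
    return $set->rowCount() === 1 ? 'Password changed' : 'Update failed: no row was changed';
}

$db = new PDO('sqlite::memory:');
// Throw on SQL errors so a failed query cannot pass silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_name TEXT PRIMARY KEY, user_pass TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

echo changePassword($db, 'alice', 'wrong-guess', 'new-secret1', 'new-secret1'), "\n";
echo changePassword($db, 'alice', 'old-secret', 'new-secret1', 'new-secret1'), "\n";
echo changePassword($db, 'alice', 'new-secret1', 'abc', 'abc'), "\n";

// The thread's bug: naming a column that does not exist now raises an exception.
try {
    $db->prepare('UPDATE users SET password = ? WHERE user_name = ?')->execute(['x', 'alice']);
} catch (PDOException $e) {
    echo 'Error updating: ', $e->getMessage(), "\n";
}
```

Existing sha1() values in user_pass will not pass password_verify(), so accounts created by the original script would need their hashes replaced, for example at the next successful login.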