So, I'm creating a very simple reset function. One file on the index page is just an HTML form that looks like this:
<html>
<body>
<div>
<form id="reset" action="login/reset.php" method="post">
<fieldset>
<label for="reset-email"> Enter your e-mail address here :</label>
<input type="text" name="SignupEmailAdd" id="login-email" /><br />
<label for="reset-password"> Enter your new password here :</label>
<input type="password" name="SignupPassword" id="reset-password" /><br />
<input type="submit" id="reset-button" value="Reset my password!" />
</fieldset>
</form>
</div>
</body>
</html>
The other file that connects the database to the form is called reset.php and it has this function:
<?php
session_start();
mysql_connect('localhost','root','password');
mysql_select_db('testproject');
$SignupEmailAdd = $_POST['SignupEmailAdd'];
$SignupPassword = $_POST['SignupPassword'];
if($SignupPassword)
$sql=mysql_query("UPDATE users SET SignupPassword='$SignupPassword' where SignupEmailAdd='$SignupEmailAdd'");
if($sql)
{
echo 'Congratulations You have successfully changed your password.
<br /><a href= "http://www.bla.com/">Click here to go back to the login page.</a>';
}
else
{
echo 'The email address you've entered does not exist';.
}
?>
You see, everything works except my else function. It would not show the message "the email address..does not exist"; instead it shows "congrats..". What can I do with my else statement? I've also tried this instead of else:
<?php
if(!$sql){echo 'The username you entered does not exist';}
?>
Although you should really switch to PDO / mysqli and use prepared statements to solve the SQL injection problem you have, the problem here is that you should not check for the return value of mysql_query. This will return a value that evaluates to true as long as there were no errors. If no row was updated, that does not mean that there was an error.
In your case, you would need mysql_affected_rows to see if a row was updated or not.
The function mysql_query() returns FALSE if the query is bad, and NOT when the query affects 0 rows. You need to do the following to verify your statement:
// mysql_affected_rows() takes an optional connection link, not the value returned by mysql_query()
if(mysql_affected_rows() < 1)
{
printf("There is no email address error!");
}
Also, please consider switching to PDO or MySQLi, which helps with these scenarios. PLUS! You'd be way less susceptible to injection attacks.
The documentation for mysql_query() is here: http://us3.php.net/mysql_query, which provides navigation to all those functions.
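The two points made in the answers above (prepared statements instead of interpolated input, and checking affected rows instead of the query's return value), as an added example that is not part of any answer on this page. It assumes PDO with an in-memory SQLite table standing in for the question's MySQL `users` table; `resetPassword` is a hypothetical helper, and hashing the password with `password_hash` is an addition the original code does not make.

```php
<?php
// Added example. Constructed in-memory SQLite table standing in for the
// question's MySQL `users` table, so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (SignupEmailAdd TEXT PRIMARY KEY, SignupPassword TEXT)');
$pdo->exec("INSERT INTO users VALUES ('alice@example.com', 'old-hash')");

/**
 * Hypothetical helper: returns true only if a row for $email was updated.
 */
function resetPassword(PDO $pdo, string $email, string $newPassword): bool
{
    if ($email === '' || $newPassword === '') {
        return false; // never run the UPDATE with empty input
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'UPDATE users SET SignupPassword = :pw WHERE SignupEmailAdd = :email'
    );
    $stmt->execute([
        // Store a hash, not the raw value (an addition; the original stores the raw POST value).
        ':pw'    => password_hash($newPassword, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    // execute() succeeding only means the statement ran without error;
    // rowCount() tells us whether any row was actually updated.
    return $stmt->rowCount() > 0;
}

// Constructed inputs: a known address, an unknown one, and one containing quotes.
$inputs = ['alice@example.com', 'nobody@example.com', "' OR '1'='1"];
foreach ($inputs as $email) {
    $ok = resetPassword($pdo, $email, 'N3w-passphrase');
    echo htmlspecialchars($email, ENT_QUOTES), ': ',
        $ok ? 'password changed' : 'no account with that address', PHP_EOL;
}
```

With the MySQL PDO driver, `rowCount()` reports rows whose values changed rather than rows matched, unless `PDO::MYSQL_ATTR_FOUND_ROWS` is set on the connection; a fresh `password_hash` value always differs, so the check still holds here.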
Looks like the apostrophe in you've is messing up your code. Use double quotes around it and you should be fine. Also there's a period after your semicolon, and I don't know why.
But as others have mentioned the security issue should be your primary concern.
It's dangerous code as markus said.
The first $SQL variable and the last one are not the same.
Try:
if($SignupPassword)
{
$sql=mysql_query("UPDATE users SET SignupPassword='$SignupPassword' where SignupEmailAdd='$SignupEmailAdd'");
if($sql)
...
else
...
}