
Verifying email, and password availability

Checking email exists, & password is available


oceanwave

5:52 pm on Aug 21, 2004 (gmt 0)

10+ Year Member



Hi,

Yesterday, a visitor to my site wanted to change the random password they received, so I created a form page, and a php page. Though my php works, there are a few flaws I can't seem to address.

1. If a user enters an email address that is not already in the database and fills in all the form fields, s/he still gets the message that their password has been changed (even though they are not added to the database).

2. There is no check to see if the new password has already been used (by the way the passwords are encrypted).

I know I have to verify that the email address exists in the database, and check to see if the password exists. I'm also not sure if the old password is being matched with the registered email address, as part of the verification. I have tried everything, and nothing works without errors. Here is the php page (the existing database titles are password and email_address):

<?php
include 'db.php';

// Convert input box entries from the html form to variables
$regemail = $_POST['regemail'];
$old_pass = $_POST['old_pass'];
$new_pass = $_POST['new_pass'];
$conf_new_pass = $_POST['conf_new_pass'];

if (!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $regemail)) {
    echo "<h4><font color=red>You are not using an appropriate email address format. Make sure all the fields are entered correctly.</font></h4>";
} elseif ($old_pass == "") {
    echo "<h4><font color=red>You did not fill in the field asking for your current password. Make sure all the fields are entered correctly.</font></h4>";
} elseif ($new_pass == "") {
    echo "<h4><font color=red>You did not fill in the field asking for your new password. Make sure all the fields are entered correctly.</font></h4>";
} elseif ($conf_new_pass == "") {
    echo "<h4><font color=red>You did not fill in the field asking for you to confirm your new password. Make sure all the fields are entered correctly.</font></h4>";
} elseif ($new_pass == $conf_new_pass) {

    // Convert passwords to md5 hash
    $old_pass = md5($old_pass);
    $new_pass = md5($new_pass);
    $conf_new_pass = md5($conf_new_pass);

    // If new_pass and conf_new_pass are the same, change the password in the database.
    // Note: the success message below is printed whether or not the UPDATE matched a row,
    // and $regemail goes into the query string unescaped.
    $sql = mysql_query("UPDATE users SET password='$new_pass' WHERE password='$old_pass' AND email_address='$regemail'");
    echo "Your password has been changed.<BR>";
    echo "<P align='center'><A href='http://mysite.org'>Back to Home Page</A>";

} else {
    echo "<font color=red><br>Either you did not use your registered email address, you did not enter your current password, or the new password and the confirmation password do not match. Make sure all the fields are entered correctly.";
    include 'change_pw_form.html';
    exit();
}
?>

Where am I going wrong? Thanks so much!
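A handler for the same flow that addresses both flaws raised in this post, written here as an added example rather than the poster's script or the phpfreaks one. It assumes the thread's users table (columns email_address and password, the latter holding md5 hashes as the post describes) and a mysqli connection $db provided by db.php; the account is looked up by email first, the current password is checked against the stored hash, the query is a prepared statement instead of an interpolated string, and success is reported only when the UPDATE actually changed a row.

```php
<?php
// Added example, not the thread's script. Assumes: mysqli connection $db (from db.php),
// table `users` with `email_address` and `password` (md5 hashes, as in the thread).
// Returns a status string so the form page can decide what to echo.
function change_password(mysqli $db, string $email, string $old, string $new, string $confirm): string
{
    if ($old === '' || $new === '' || $confirm === '') {
        return 'missing_field';
    }
    if ($new !== $confirm) {
        return 'confirm_mismatch';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'bad_email';
    }

    // 1. Look the account up by email with a bound parameter (no string interpolation).
    $stmt = $db->prepare('SELECT password FROM users WHERE email_address = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return 'unknown_email';   // the original script reported success here
    }

    // 2. Compare the current password against the stored hash in constant time.
    //    md5 is kept only because that is what the thread's table already stores.
    if (!hash_equals($stored_hash, md5($old))) {
        return 'wrong_password';
    }
    $new_hash = md5($new);
    if (hash_equals($stored_hash, $new_hash)) {
        return 'same_password';   // MySQL reports 0 affected rows for an unchanged value
    }

    // 3. Update by email only, then confirm that exactly one row changed.
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE email_address = ?');
    $stmt->bind_param('ss', $new_hash, $email);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();

    return $changed === 1 ? 'changed' : 'not_changed';
}

// From the form page: $status = change_password($db, $_POST['regemail'] ?? '',
//     $_POST['old_pass'] ?? '', $_POST['new_pass'] ?? '', $_POST['conf_new_pass'] ?? '');
```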

dreamcatcher

10:59 pm on Aug 21, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Is the password encrypted in the database?

password='$old_pass'

Also, add mysql_error() to the end of your query. If there is a specific database problem you will see an error message:

Change:


$sql = mysql_query("UPDATE users SET password='$new_pass' WHERE password='$old_pass' AND email_address='$regemail'");

to:


$sql = mysql_query("UPDATE users SET password='$new_pass' WHERE password='$old_pass' AND email_address='$regemail'") or die(mysql_error());

:)

oceanwave

12:15 am on Aug 22, 2004 (gmt 0)

10+ Year Member



Thanks so much for the help Dreamcatcher.

Most of the script came from a Webmaster's forum post as the starting point to change md5 passwords in a database. Here's the link in case anyone else is trying to learn how to do the same thing:

[phpfreaks.com...]

Thanks to all the skilled webmasters that take the time to teach others!

I then added some coding as suggested in the post. Since I posted my question here, the author of the post has explained to me how to complete the script. The only thing I have left to figure out is how to check that a user does not enter a password that already exists in the database.

Thanks again for your help!

dreamcatcher

7:26 am on Aug 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Query the database and use mysql_num_rows() to see if any results have been fetched.


$query = mysql_query("SELECT password FROM users WHERE password = '$new_pass' LIMIT 1") or die(mysql_error());

if (mysql_num_rows($query) > 0) {
    echo "Error! This password already exists in Database!";
    exit;
}

Something like that should do.

dcrombie

9:49 am on Aug 22, 2004 (gmt 0)



1) Don't let them change their email address - if you do, you need to send them a new random password to the old address to confirm the change.

2) It doesn't matter if they use a duplicate password - your system should only require username + password to be a unique combination.

;)

dreamcatcher

10:32 am on Aug 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The user should be able to change his/her e-mail address because people do change their e-mail addresses. In some cases because they change ISPs. Users of web-based services maybe not as often.

But yes, as dcrombie mentioned, some verification would be a good idea. Maybe disable their account once they have changed their e-mail addy, then re-enable it once it's been verified?

oceanwave

12:39 am on Aug 23, 2004 (gmt 0)

10+ Year Member



Thanks to everyone for all of your help!