here is my php code
<?php # script - password.php
//this will let a user change the password.
$page_title = 'change your password';
//if(isset($_POST['submitted'])) {
require_once('mysql_connect.php');
$errors = array();
if (empty($_POST['email'])) {
$errors[] = 'you forgot to enter your email address. ';
} else {
$_POST['email'];
}
if(empty($_POST['password'])) {
$errors[] = 'you forgot to enter your existing password. ';
} else {
$_POST['password'];
}
//check for password and match against the confirmed password
if (!empty($_POST['password'])) {
if ($_POST['password1']!= $_POST['password2']) {
$errors[] = 'Your new password does not match the confirmed new password. ';
} else {
$_POST['password1'];
}
} else {
$errors[] = 'you forgot to enter your new password. ';
}
if (empty($errors)) {//if everything is ok
//check that they enter the right email and password combination.
$query = "SELECT fname FROM users WHERE (email='$email' AND password='$password')";
$result = mysql_query($query);
$num = mysql_num_rows($result);
if(mysql_num_rows($result) == 1)
{ //Match was made.
//get the first name
$row = mysql_fetch_array ($result, MYSQL_NUM);
//make the update query
$query = "UPDATE users SET password=('password1') WHERE fname=$row[0]";
$result = @mysql_query ($query);
if (mysql_affected_row() == 1)
{ //if it ran ok
//print message
echo 'thank you, your password has been updated. ';
exit();
} else { //if it did not run ok
echo 'your password could not be changed due to system error. ';
exit();
}
}
else {
echo 'the email and password do not match those on file. ';
}
mysql_close();
}
//}
?>
and here is my corresponding html code
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www/w3.org/TR/xhtml1/DTD/xhtml1-transittional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>update password</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body bgcolor="#CFECEC" text="#000000">
<div align="center"><font color="#000099"><b><font size="6">update
password</font></b></font>
</div>
<form action="password.php" method="post">
<p>Email address: <input type="text" name="email"/> </p>
<p>Current Password: <input type="password"/></p>
<p>NEW Password: <input type="password" name="password1"/><p>
<p>Confirm new password: <input type="password" name="password2"/></p>
<p><input type="submit" name"submit" value="Change My Password"/></p>
</form>
</body>
</html>
any help would be great :)
Taking a quick look at the script, I see that your queries have undefined variables. They should be changed as follows:
Query 1:
$query = "SELECT fname FROM users WHERE (`email`='".mysql_real_escape_string($_POST['email'])."' AND `password`='".mysql_real_escape_string($_POST['password'])."')";
Query 2:
$query = "UPDATE users SET `password`='".mysql_real_escape_string($_POST['password1'])."' WHERE `fname`='".$row[0]."'";
Also, I would suggest using some type of encryption for your passwords. I like md5 [us3.php.net] :)
Remember to check your error logs.
if (empty($_POST['email'])) {
$errors[] = 'you forgot to enter your email address. ';
} else {
$email = mysql_real_escape_string($_POST['email']);
}
if(empty($_POST['password'])) {
$errors[] = 'you forgot to enter your existing password. ';
} else {
$password = mysql_real_escape_string($_POST['password']);
}
the better way would be to store md5:
$password = md5($_POST['password']);
and
$query = "UPDATE users SET password='". md5($_POST['password1']) ."' WHERE fname='{$row[0]}'";
Hope this helps you
Michal
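The same change-password flow as an added example (not code from the thread or its posters), using PDO prepared statements in place of the mysql_* functions, which were removed in PHP 7, and password_hash()/password_verify() in place of a bare md5(). The in-memory SQLite database, the `id` column and the sample rows are assumptions constructed for the demonstration; the `fname`, `email` and `password` columns follow the thread.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL;
// the `id` primary key is an assumption, the other columns follow the thread.

function change_password(PDO $db, string $email, string $current, string $new1, string $new2): array
{
    $errors = [];
    if ($email === '')   { $errors[] = 'You forgot to enter your email address.'; }
    if ($current === '') { $errors[] = 'You forgot to enter your existing password.'; }
    if ($new1 === '') {
        $errors[] = 'You forgot to enter your new password.';
    } elseif ($new1 !== $new2) {
        $errors[] = 'Your new password does not match the confirmed new password.';
    }
    if ($errors) { return $errors; }

    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the input against the salted hash stored in the row.
    if (!$row || !password_verify($current, $row['password'])) {
        return ['The email and password do not match those on file.'];
    }

    // Update by primary key, not by first name, so only this account changes.
    $upd = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
    $upd->execute([':hash' => password_hash($new1, PASSWORD_DEFAULT), ':id' => $row['id']]);
    return $upd->rowCount() === 1 ? [] : ['Your password could not be changed due to a system error.'];
}

// Constructed sample data: two users who share a first name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT, email TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (fname, email, password) VALUES (?, ?, ?)');
$ins->execute(['Sam', 'sam1@example.com', password_hash('old-secret-1', PASSWORD_DEFAULT)]);
$ins->execute(['Sam', 'sam2@example.com', password_hash('old-secret-2', PASSWORD_DEFAULT)]);

// First call supplies a wrong current password, second call the right one.
var_dump(change_password($db, 'sam1@example.com', 'wrong', 'n3w-pass', 'n3w-pass'));
var_dump(change_password($db, 'sam1@example.com', 'old-secret-1', 'n3w-pass', 'n3w-pass'));

// Check that the second "Sam" was not touched by the first user's update.
$check = $db->prepare('SELECT password FROM users WHERE email = ?');
$check->execute(['sam2@example.com']);
var_dump(password_verify('old-secret-2', $check->fetchColumn()));
```

Keying the UPDATE on `fname`, as the queries in the thread do, would reset the password of every account with that first name; the two-user sample data is there to make that visible.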