Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 3 of 3
  1. #1
    New to the CF scene
    Join Date
    Feb 2009
    Posts
    7
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Password changing questions

    I'm in a teach it to yourself php class and im making a web page that allows you to change your password which is kept in a mysql database. I have a couple questions on this certain assignment.

    How do you set a php script to run off a button click, also am i using post right because i thought post wasn't supposed to show anything in your address bar. By the way since this is mostly a learn by yourself class we don't have to do any encoding for security reasons, yet.

    Heres my form code:
    Code:
    form action="test.php" method="post()">
    Username:                    
    <input name="user" type="text" maxlength="40">
    <br>
    Current Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input name="oldpassword" type="password" maxlength="20">
    <br>
    New Password:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    <input name="newpassword" type="password" maxlength="20">
    must contain at least one numeric and one alphabetic character.
    <br>
    Retype New Password:
    <input name="retypepass" type="password" maxlength="20">
    must contain at least one numeric and one alphabetic character.
    <br>
    <br>
    <input type="submit" value="submit" onclick="check()">
    Heres my php code:

    PHP Code:
    <?php
        $connect
    mysql_connect('localhost'"lafulton""");
        if(!
    $connect)
            {
            die(
    'Could not connect: ' mysql_error());
            }
        
        
    mysql_select_db("lafulton"$connect);
        
        
    $phpuser$_POST["user"];
        
    $phpoldpass$_POST["oldpassword"];
        
    $phpnewpass$_POST["newpassword"];
        
    $phpretypepass$_POST["retypepassword"];
        
        
    $query"SELECT * FROM Accounts WHERE '$phpuser'= username AND '$phpoldpass'= password";
        
    $resultmysql_query($query);
        
    $result1=mysql_num_rows($result);
        if(
    $result1==1)
            
    mysql_query("UPDATE Accounts Set password= '$phpretypepass' WHERE username = '$phpuser'");
        else
            
    trigger_error("There was an error in processing the information, try again.");
        
        
    mysql_close($connect);
    ?>

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Post is not a sub routine call, its type. So no, you're post is incorrect, which is also why you're other stuff won't work.
    Ouch on this line, good thing this is the server side forum
    Code:
    Username: &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
    Ouch.
    Code:
    <form action="test.php" method="post">
        <fieldset>
            <label for="txtUser">Username</label>
            <input type="text" name="user" id="txtUser" />
            <label for="txtPassword">Password</label>
            <input type="password" name="oldpassword" id="txtPassword" />
            <label for="txtNewPassword">New Password</label>
            <input type="password" name="newpassword" id="txtNewPassword" />
            <label for="txtConfirmPassword">Confirm Password</label>
            <input type="password" name="retypepass" id="txtConfirmPassword" />
        </fieldset>
        <input type="submit" value="Change Password" />
    </form>
    There, thats better. Style it up with CSS.

    For you're actual processing, its not bad. Needs some work, specifically error checking, escaping and correcting you're SQL syntax. The first thing you should do (can be before or after you're sql connection, but I'd do it before), is ensure you're getting a form submission. I'm lazy, so I'd just wrap it in an if (isset($_POST['submit'])) block. Next, escape you're data. To do this, you use mysql_real_escape_string, but you'll want to remove the escaping if its been done magically for you:
    PHP Code:
    if (@get_magic_quotes_gpc())
    {
        
    $_POST['name'] = stripslashes($_POST['name']);
        
    $_POST['oldpassword'] = stripslashes($_POST['oldpassword']);
        ...

    Never trust a user.
    Next, you're sql is backwards here:
    Code:
        $query= "SELECT * FROM Accounts WHERE '$phpuser'= username AND '$phpoldpass'= password";
    It is always WHERE FIELD = VALUE combinations. Flip the value and field pairs, and that will work. I see you error check this one kinda, you should handle if the mysql calls actually fail. Most of us are lazy, so we use an undocumented feature which may or may not fail in the future:
    PHP Code:
    mysql_query("SELECT * FROM table") or die(mysql_error()); 
    And on a final note, you're not actually confirming that the two new password values are matching. You should also consider storing a password in a hash instead, any type of encryption is better than no encryption.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • Users who have thanked Fou-Lu for this post:

    blader544 (03-03-2009)

  • #3
    New to the CF scene
    Join Date
    Feb 2009
    Posts
    7
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Thanks for you help, much appreciated.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •