  1. #1 SitePoint Enthusiast (Join Date: Nov 2011)

    Change Password with PHP, where to put the code?

    OK, I got this peculiar error. I created a user registration panel with PHP which works fine and users can log in, but the changepassword.php is getting on my nerves. Yes, users can change their passwords, but my code for PASSWORD MUST BE WITHIN 6-25 CHARACTERS is not working. I don't know if I have put the code in the wrong place; would you please check it out? Whenever I put in a new password, whether it's less than 6 or greater than 6 or 25, it's always showing "Password must be within 6-25". And yeah, if I remove the code, users can register with any length of code. HELP please!

    I've marked out the code below!

    Code PHP:
    <?php
    session_start();

    // isset() avoids an undefined-index notice when nobody is logged in
    $user = isset($_SESSION['username']) ? $_SESSION['username'] : null;

    if ($user)
    {
        // user is logged in
        if (isset($_POST['submit']))
        {
            // check fields
            $oldpassword       = md5($_POST['oldpassword']);
            $newpassword       = md5($_POST['newpassword']);
            $repeatnewpassword = md5($_POST['repeatnewpassword']);

            // check pass against db
            $connect = mysql_connect("localhost", "root", "");
            mysql_select_db("phplogin");

            $queryget = mysql_query("SELECT password FROM users WHERE username='$user'") or die("Query didn't work");
            $row = mysql_fetch_assoc($queryget);

            $oldpassworddb = $row['password'];

            // check pass
            if ($oldpassword == $oldpassworddb)
            {
                // check two new pass
                if ($newpassword == $repeatnewpassword)
                {
                    // success
                    // change pass in db
                    if (strlen($newpassword) > 25 || strlen($newpassword) < 6)   // <--------------- Here is the code
                    {
                        echo "Password must be between 6 & 25";
                    }
                    else
                    {
                        $querychange = mysql_query("
                            UPDATE users SET password='$newpassword' WHERE username='$user'
                        ");

                        session_destroy();
                        die("Your pass has been changed. <a href='index.php'>Return</a> to the main page");
                    }
                }
                else
                    die("New Pass don't match");
            }
            else
                die("Old Pass doesn't match");
        }
        else
        {
            // no submission yet: show the form
            echo "
            <form action='changepassword.php' method='POST'>
                Old password:    <input type='text' name='oldpassword'><p>
                New password:    <input type='password' name='newpassword'><p><br>
                Repeat new password:    <input type='password' name='repeatnewpassword'><p>
                <input type='submit' name='submit' value='Change Password'>
            </form>
            ";
        }
    }
    else
        die("You must be logged in to change your password");
    ?>

  2. #2 jakub_polak (Join Date: Jan 2012, Location: Slovakia)
    Hello,

    you make a hash from your password here:

    PHP Code:
    $newpassword = md5($_POST['newpassword']);

    And then you use this code:

    PHP Code:
    if (strlen($newpassword) > 25 || strlen($newpassword) < 6) {
        echo "Password must be between 6 & 25";
    }

    An MD5 hash is always longer than 25 characters; that is why you always run into the message "Password must be between 6 & 25".

  3. #3 logic_earth (Join Date: Oct 2005, Location: CA)
    Some advice. Remove the max limitation. Just remove it. When it comes to passwords do not limit what characters are supplied or the length. A minimum length is fine but not a maximum.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  4. #4 ServerStorm (Join Date: Feb 2005, Location: Burlington, Canada)
    deleted my post already answered
    ictus==""

  5. #5 Michael Morris (Join Date: Jan 2008, Location: Knoxville TN)
    salt your passwords. Otherwise you're vulnerable to rainbow table attacks.

  6. #6 blackberryfan (Join Date: Nov 2010, Location: middleOnowhere, South Africa)
    I think you should be thinking more along the lines of something like this:

    if ($newpassword == $repeatnewpassword)
    {
        // $newpassword must hold the submitted plaintext here, not its md5 hash,
        // otherwise strlen() always sees 32 characters
        if (strlen($newpassword) > 25 || strlen($newpassword) < 6)
        {
            echo "Password must be between 6 & 25";
            exit();
        }

        if ($newpassword !== "")
        {
            $querychange = mysql_query("
                UPDATE users SET password='$newpassword' WHERE username='$user'
            ");
            // mysql_query() returns false on failure; test its result directly
            if (!$querychange)
            {
                echo "There was an error in updating your password...";
                exit();
            }

            session_destroy();
            die("Your pass has been changed. <a href='index.php'>Return</a> to the main page");
        }
    }
    As your application will end if the criteria are not met, there is no need for the added else; you are basically creating an unnecessary complication in that.

    You would ideally handle something like this by checking all of the input, then if this is all in order, proceed, first by cleaning the input, then whatever else you have in mind.

  7. #7 blackberryfan (Join Date: Nov 2010, Location: middleOnowhere, South Africa)
    logic_earth also presents a point, one I think I need to think about myself... But if you are creating a hash of the password using md5, it is 32 characters long, so no matter how many characters are entered... There will not be any change in the volume of data stored in your database... If that is how you are thinking. Generally though, this would be used to limit the input in cases of SQL/script injection... But then again this is what the cleaning I mentioned previously should be for.

    So does Mr. Morris, here is an example:
    $password = md5($_POST['password'] . 'blah');
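    Pulling the thread's advice together (post #2: measure the plaintext, not the hash; post #3: a minimum length but no maximum; posts #5 and #7: salt the stored hash; post #7: keep user input out of the SQL text), here is an added example of a change-password routine. It is not code from this thread or from any of its posters, and it swaps two techniques for the ones discussed: password_hash()/password_verify(), which generate and embed a per-password salt, replace the manual md5($pw . 'blah') salting, and PDO prepared statements replace "cleaning" the input. It assumes PHP 7.1+ with the pdo_sqlite extension, a users(username, password) table, and an in-memory SQLite database standing in for the thread's MySQL "phplogin" database; the seeded row and the three calls at the bottom are constructed demo data.

```php
<?php
// Added example (not the thread's own code): change-password handler that
// validates the plaintext before hashing, enforces only a minimum length,
// stores a salted password_hash() instead of a bare md5(), and binds SQL
// parameters instead of interpolating them.
// Assumed schema: users(username TEXT, password TEXT); assumed runtime: PHP 7.1+
// with pdo_sqlite. SQLite in memory stands in for the thread's MySQL database.
declare(strict_types=1);

const MIN_PASSWORD_LENGTH = 6;   // a floor is reasonable; there is no ceiling

/** Validate the *plaintext* candidate. Returns an error message or null if OK. */
function validateNewPassword(string $new, string $repeat): ?string
{
    if ($new !== $repeat) {
        return 'New passwords do not match';
    }
    // strlen() sees what the user typed, not a 32-character md5 digest,
    // so the rule actually applies to the submitted password.
    if (strlen($new) < MIN_PASSWORD_LENGTH) {
        return 'Password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    return null;
}

/**
 * Change $user's password. Returns true on success, false when the old password
 * does not verify. Throws InvalidArgumentException when the new one is invalid.
 */
function changePassword(PDO $db, string $user, string $old, string $new, string $repeat): bool
{
    $error = validateNewPassword($new, $repeat);
    if ($error !== null) {
        throw new InvalidArgumentException($error);
    }

    // Bound placeholder instead of "... WHERE username='$user'": the value is
    // sent separately from the SQL text and can never change the query.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() reads the salt that password_hash() embedded in the
    // stored string, so no separate salt column or constant suffix is needed.
    if ($row === false || !password_verify($old, $row['password'])) {
        return false;
    }

    $stmt = $db->prepare('UPDATE users SET password = :p WHERE username = :u');
    $stmt->execute([
        ':p' => password_hash($new, PASSWORD_DEFAULT),
        ':u' => $user,
    ]);
    return true;
}

// --- Constructed demo data: in-memory SQLite in place of MySQL --------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$seed->execute([':u' => 'alice', ':p' => password_hash('oldsecret', PASSWORD_DEFAULT)]);

// 1. A five-character candidate is rejected: the check runs on the plaintext.
try {
    changePassword($db, 'alice', 'oldsecret', 'short', 'short');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// 2. A long passphrase is accepted: no maximum length is imposed.
$long = str_repeat('correct horse battery staple ', 4);
var_dump(changePassword($db, 'alice', 'oldsecret', $long, $long));

// 3. The old password no longer verifies; the new one does.
var_dump(changePassword($db, 'alice', 'oldsecret', 'whatever1', 'whatever1'));
var_dump(changePassword($db, 'alice', $long, 'whatever1', 'whatever1'));
```

    Run it with the PHP CLI; against the thread's real database the only change is the DSN, e.g. new PDO('mysql:host=localhost;dbname=phplogin', $dbUser, $dbPass). One caveat worth knowing when you drop the maximum length: PASSWORD_DEFAULT is currently bcrypt, which uses only the first 72 bytes of the input, so anything a user types beyond that does not contribute to the hash. That is not a reason to reinstate a small cap in the form; if it matters, hash with Argon2 (PASSWORD_ARGON2ID, where available) or document the limit.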

