Password updation

Mazhar_Shaikh · May 17, 2016, 7:32am

hi im new to php and i want to change the password after user logs in but it wont change dynamiclly form the table using php can you help

<?php
include 'session.php';
if(!isset($_SESSION['login_user']))
{
	header("location:login.php");
}
?>
<?php
		$user_check = $_SESSION['login_user'];
		$link=mysqli_connect("localhost","root",'',"sysp");
		if($link===false)
		{
		 die("error cant connect".mysqli_connect_error());
		}
		
		$query="select * form user where email='$user_check'";
				while($row = mysqli_fetch_array($query)){
						$oldpassword=$row['pass'];
				}	
				
			mysqli_close($link);
		?>
		<?php
		if(isset($_POST['submit']))
		{
		$oldpassword = mysqli_real_escape_string($link,$_POST['pass']); 
		$newpassword = mysqli_real_escape_string($link,$_POST['newpass']); 
		
		$change="UPDATE pass FROM user  SET pass='$newpassword' WHERE email='$user_check' AND pass='$oldpassword' ";
		}
		if($change==1)
		{
			echo "password changed ";
		}
		else
		{
			echo "password didnt changed ";
		}
?>

droopsnoot · May 17, 2016, 9:06am

You don’t seem to execute a query here:

$query="select * form user where email='$user_check'";
  while($row = mysqli_fetch_array($query)){
    $oldpassword=$row['pass'];
    }

You create the query in $query, but you need to execute it before you can fetch the results.

And then here:

$change="UPDATE pass FROM user  SET pass='$newpassword' WHERE email='$user_check' AND pass='$oldpassword' ";
		}
		if($change==1)

You just assign the query to the string $change, but again you don’t execute it. So it never touches the database. I don’t use mysqli but it might be something like:

  $change="UPDATE pass FROM user  SET pass='$newpassword' WHERE email='$user_check' AND pass='$oldpassword' ";
  $res = mysqli_query($change);
		}
		if($res)
...

There’s also an issue that you only create that second query if the submit button has been pressed, but you check for the results of it in any case, so you might run into issues there.

Mazhar_Shaikh · May 17, 2016, 9:28am

hi im not getting it ? see at first it checks the table for valid email ,i also tested to check if the old password matched the database password of that user it works the porbelm is that after that un $change query it wont go so what am i missing ?

THIS IS MY UPDATED code still it wont update

<?php
include 'session.php';
if(!isset($_SESSION['login_user']))
{
	header("location:login.php");
}
?>
<?php
		$user_check = $_SESSION['login_user'];
		$link=mysqli_connect("localhost","root",'',"sysp");
		if(isset($_POST['submit']))
				
				{
					$oldpassword = mysqli_real_escape_string($link,$_POST['pass']); 
					$newpassword = mysqli_real_escape_string($link,$_POST['newpass']); 
				}
		if($link===false)
		{
		 die("error cant connect".mysqli_connect_error());
		}
			
					$oldpassword = mysqli_real_escape_string($link,$_POST['pass']); 
					$newpassword = mysqli_real_escape_string($link,$_POST['newpass']); 
		$change="SELECT  pass FROM user  WHERE email='$user_check' ";
		$result=mysqli_query($link,$change);
		while($row=mysqli_fetch_array($result))
		{
			$old=$row['pass'];
		}
		if($oldpassword!=$old)
		{
			echo "old password didnt match try again";
		}
		else
		{
			$sql="UPDATE  pass FROM user SET pass='$newpassword' WHERE pass='$oldpassword' AND email='$user_check' ";
			echo"password changed successfully";
			echo $sql;
		}
		mysqli_close($link);
?>

Dormilich · May 17, 2016, 9:49am

for the exact same reason @droopsnoot already mentioned: you don’t execute the UPDATE.

note: $link will never be false, even if the connection fails.

Mazhar_Shaikh · May 17, 2016, 9:51am

can you show me how

droopsnoot · May 17, 2016, 9:52am

OK, now you’re executing the query to get the original password and see if it compares to what the user entered as their original password - your original post didn’t have that line. Now you don’t execute the query to actually change the password.

And I don’t think the syntax on that second query is correct in any case. I think it should read

$sql="UPDATE  user SET pass='$newpassword' WHERE email='$user_check' ";
$res = mysqli_query($link, $sql); // ** actually run the query
if ($res) echo"password changed successfully";

There’s no need to have a condition where the old password is included, because you’ve already checked that in your code - the only way that query runs is if the password matches.

Mazhar_Shaikh · May 17, 2016, 10:13am

hi thanks man it works i didnt use the mysqli_query

felgall · May 17, 2016, 7:10pm

where is the call to password_hash()? you shouldn’t be storing passwords in plain text.

system · August 17, 2016, 2:10am

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need a little help with the update code PHP	2	642	July 14, 2011
UPDATE database - error might be obvious, but I can't see it! PHP	2	340	July 31, 2011
Need help locating my mistake in a change password script PHP	13	1090	December 2, 2011
Updating user credentials PHP	9	990	March 19, 2017
Broken login script PHP	2	581	October 8, 2014

Password updation

Related topics