1

I am working on a simple script that allows users to create an account and change their password in a database. The only problem I'm having is creating a script that allows the user to change their password. It doesn't update in my DB. I am getting a success message, but it doesn't update in the DB. Please help me; any suggestions will be much appreciated. Please let me know if any more details are required.

            <form method="POST">
                old:<input type="text" name="old_pass">
                new:<input type="text" name="">
                conf:<input type="text" name="">
                <input type="submit" name="submit" value="save">
            </form>
            <?php 

            $conn_db = mysqli_connect("localhost","root","","oz");
            if(!$conn_db)
            {
                echo "not connect";
            }
                echo "connect".mysqli_error($conn_db);

                SESSION_START();
            if($_SERVER['REQUEST_METHOD']=="POST")
            {
            if(isset($_POST['submit']))
                {

                $old_pass=$_POST['old_pass'];
                $new_pass=$_POST['new_pass'];
                $re_pass=$_POST['re_pass'];
                $chg_pwd=mysqli_query($conn_db,"SELECT * FROM admin WHERE email='$email'");
                $chg_pwd1=mysqli_fetch_array($chg_pwd);
                $data_pwd=$chg_pwd1['pass'];
                if($data_pwd==$old_pass){
                if($new_pass==$re_pass){
                  $update_pwd=mysqli_query($conn_db,"UPDATE admin SET pass='$new_pass' where email='$email'");

                  echo "<script>alert('Update Sucessfully'); window.location='index.php'</script>";
                }
                else{
                  echo "<script>alert(`Your new and Retype Password is not match`); window.location='index.php'</script>";
                }
                }
                else
                {
                echo "<script>alert(`Your old password is wrong`); window.location='change.php'</script>";
                }}
            }
              ?>
Spencer Wieczorek
test
  • 3
    Please stop storing plain text passwords –  Oct 08 '17 at 02:42
  • 3
    **Never store plain text passwords!** Please use **[PHP's built-in functions](http://php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)**. Make sure you **[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Oct 08 '17 at 02:43
  • 1
    Along with that your code is subject to SQL injection attacks, you will want to use parametrized statements or at least escape your input. – Spencer Wieczorek Oct 08 '17 at 02:43
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Oct 08 '17 at 02:43
  • 1
    Where do you set `$email`? – Lawrence Cherone Oct 08 '17 at 02:44
  • (1) your `new`&&`conf` inputs don't have `name` values - `new:`/`conf:`. (2) You are using `$email` in your query, but don't set it anywhere before using it. – Sean Oct 08 '17 at 02:52

3 Answers

0
  1. You are getting the success message because you are not actually checking if the update was successful. You're just checking if the passwords match: `if($new_pass==$re_pass)`

  2. You never define `$email`, so your WHERE clause generates an empty data set.

Try defining `$email`, for example `$email = $_POST['email']`, and moving your alert and redirect inside of an if statement that checks the result of the query:

    if(mysqli_query($conn_db,"UPDATE admin SET pass='$new_pass' where email='$email'")) {
        echo "<script>alert('Update Sucessfully'); window.location='index.php'</script>";
    }

NOTE:

  1. You shouldn't store your passwords in plain text.
  2. You should safely cast all input before running it in a query to prevent SQL Injection.
mcjcloud
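A hardened version of the change-password handler discussed in the question, comments and answer above, as an added example that is not code from any poster. It assumes the form inputs are named `new_pass` and `re_pass`, that the login page stored the user's e-mail in `$_SESSION['email']` (hypothetical), that `admin.pass` already holds `password_hash()` output in a column wide enough for it, and that the database credentials shown are placeholders.

```php
<?php
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

/** Returns a status message; the password changes only when every check passes. */
function change_password(mysqli $db, string $email, string $old, string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {
        return 'New password and confirmation do not match';
    }

    // Parameterized SELECT: $email is bound, never spliced into the SQL text.
    $stmt = $db->prepare('SELECT pass FROM admin WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($stored_hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() checks the submitted value against the stored hash.
    if (!$found || !password_verify($old, $stored_hash)) {
        return 'Old password is wrong';
    }

    $new_hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE admin SET pass = ? WHERE email = ?');
    $stmt->bind_param('ss', $new_hash, $email);
    $stmt->execute();
    $changed = $stmt->affected_rows === 1; // confirm a row was actually written
    $stmt->close();

    return $changed ? 'Password updated' : 'No row was updated';
}

session_start(); // must run before any output is sent
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_SESSION['email'])) {
    // Placeholder credentials (assumed): a least-privilege account, not root.
    $db = new mysqli('localhost', 'app_user', 'app_password', 'oz');
    $message = change_password(
        $db,
        $_SESSION['email'],
        $_POST['old_pass'] ?? '',
        $_POST['new_pass'] ?? '',
        $_POST['re_pass'] ?? ''
    );
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

Rows that still contain plain-text passwords will fail `password_verify()` until they are re-hashed, for example by forcing a password reset.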
0

TRY USING THIS

    if($new_pass==$re_pass){
      $update_pwd = $conn_db->query("UPDATE admin SET pass='$new_pass' WHERE email='$email'");
      if($update_pwd){
        echo "<script>alert('Update Sucessfully'); window.location='index.php'</script>";
      } else {
        // echo server error
      }
    }
chris85
0

Change your 'mysqli_query' to '$conn_db->query'. There will be no need to include '$conn_db' in the parentheses. Meanwhile, if error logging is set in your PHP settings, you can see the error.