I have a change-password script in PHP, and what I want to do is take the variables that the user input on the previous screen and compare them to the MySQL DB. If the old password does not match what they put in, I want it to fail with an error. This is the code I have so far, but I know comparing a string to a variable is not going to work, and I need to know how to convert them so they can be compared. Below is the page in question.
Passwords are currently stored in plain text in the DB but will change to MD5 later on. The question is: how do I compare an inputted value to a value pulled from the DB?
<html>
<head>
<title>Password Change</title>
</head>
<body>
<?php
mysql_connect("localhost", "kb1", "BajyXhbRAWSVKPsA") or die(mysql_error());
mysql_select_db("kb1") or die(mysql_error());
$todo=mysql_real_escape_string($_POST['todo']);
$username=mysql_real_escape_string($_POST['userid']);
$password=mysql_real_escape_string($_POST['password']);
$password2=mysql_real_escape_string($_POST['password2']);
$oldpass=mysql_real_escape_string($_POST['oldpass']);
/////////////////////////
if(isset($todo) and $todo == "change-password"){
//Setting flags for checking
$status = "OK";
$msg="";
//MYSQL query to pull the current password from the database and store it in $q1
$results = mysql_query("SELECT password FROM kb_users WHERE username = '$username'") or die(mysql_error());
$q1 = mysql_fetch_array($results);
//print_r($q1)
//changing the string $oldpass to using the str_split which converts a string to an array.
//$oldpass1 = str_split($oldpass,10);
if(!$q1)
{
echo "The username <b>$username</b> does not exist in the database. Please click the retry button to attempt changing the password again. <BR><BR><font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>"; die();
}
if ($oldpass == $q1){
$msg = $msg. "The provided password <b>$oldpass</b> is not the same as what is in the database. Please click the retry button to attempt changing the password again.<BR><br>";
$status = "NOTOK";}
/*
if ($q1 <> $oldpass1) {
$msg = $msg. "The provided password <b>$oldpass</b> is not the same as what is in the database. Please click the retry button to attempt changing the password again.<BR><br>";
$status = "NOTOK"; }
*/
if ( strlen($password) < 3 or strlen($password) > 10 ){
$msg=$msg. "Your new password must be more than 3 char legth and a maximum 10 char length<BR><BR>";
$status= "NOTOK";}
if ( $password <> $password2 ){
$msg=$msg. "Both passwords are not matching<BR>";
$status= "NOTOK";}
if($status<>"OK")
{
echo "<font face='Verdana' size='2' color=black>$msg</font><br><center> <input type='button' value='Retry' onClick='history.go(-1)'></center>";
}
else {
// if all validations are passed.
if (mysql_query("UPDATE kb_users SET password='$password' where username='$username'") or die(mysql_error()));
{
echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password has been changed successfully. Please keep changing your password for better security</font></center>";
}
}
}
?>
</body>
</html>
First of all, it’s not recommended to use POST data directly into your query. You’d better escape this data first, to avoid injections.
Also, I think your way of using if’s isn’t the best way. There’s no need for a status variable in my opinion. That’s for sure in this case.
$status is set to NOTOK just before you test its value. So it’ll always be NOTOK, which will cause your script to never update any password.
I changed the structure of your tests to an, in my opinion, better one. Have a good look at what you would like to test on, because now your tests are all mixed up.
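The comparison the question asks about, as an added example that is not the asker's or the answerer's code. It assumes PDO in place of the mysql_* functions and a password column that holds password_hash() output rather than plain text or MD5. The function name, the 8-character minimum, the sample user and the in-memory SQLite database are constructed for the demo.

```php
<?php
// Added example. Table and column names (kb_users, username, password) come
// from the question; change_password() and all sample values are assumptions.
function change_password(PDO $db, string $user, string $old, string $new, string $new2): array
{
    $errors = [];

    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password FROM kb_users WHERE username = ?');
    $stmt->execute([$user]);
    // fetchColumn() returns the scalar column value (or false when no row
    // matches), not an array, so it can be checked against the input directly.
    $stored = $stmt->fetchColumn();

    // One message for unknown user and wrong password; the password is never echoed back.
    if ($stored === false || !password_verify($old, $stored)) {
        $errors[] = 'Username or current password is incorrect.';
    }
    if ($new !== $new2) {
        $errors[] = 'Both passwords are not matching.';
    }
    if (strlen($new) < 8) { // assumed minimum; the question's script used 3 to 10
        $errors[] = 'New password is too short.';
    }
    if ($errors) {
        return $errors; // nothing is written unless every check passed
    }

    $upd = $db->prepare('UPDATE kb_users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return [];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kb_users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO kb_users VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// First call uses a wrong old password, second call the correct one.
var_dump(change_password($db, 'alice', 'wrong-guess', 'new-secret-1', 'new-secret-1'));
var_dump(change_password($db, 'alice', 'old-secret', 'new-secret-1', 'new-secret-1'));
```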