Reputation: 89
I am creating a user form and form action where the user (already logged in using session variable) can change their md5 (I know MD5 is outdated and unsecured, this is for test purposes) encrypted account password stored in the SQL database 'users' table.
I have a form which requests the inputs 'currentpassword', 'newpassword' and 'confirmnewpassword'. The form passes the entered data to passwordaction.php using $_POST.
The username is acquired from the $_SESSION 'authenticatedUser' and passwords acquired from the previous $_POST form variables. I then use an SQL statement to get the password from the database for comparison to the 'currentpassword' variable. DOES THIS COUNT AS INSECURE CLIENT SIDE VALIDATION?
I then have an SQL UPDATE statement to update the password row of the specified user in the database and the user is redirected and notified of success or failure using $_SESSION headers.
I have been reading and re-reading through my code trying to figure out where I've gone wrong, as when trying to change a user account password I keep being returned to my login page (using $SESSION header) telling me it has updated properly; however, when I check the database the password has not been updated.
I'm hoping someone else's view or perspective may be able to help me see what I've missed. Can anyone suggest why my SQL UPDATE statement is not working?
Any constructive criticism welcome.
Below is my code for the 'action' PHP page:
<?php
session_start();
$username = $_SESSION["authenticatedUser"];
$currentpassword = md5($_POST['currentpassword']);
$newpassword = md5($_POST['newpassword']);
$confirmnewpassword = md5($POST['confirmnewpassword']);
/* make a connection with database */
$con = mysql_connect("localhost", "root", "") or die(mysql_error());
/* select the database */
mysql_select_db("groupproject") or die(mysql_error());
$queryget = mysql_query("SELECT password FROM users WHERE username='$username'") or die(mysql_error());
$row = mysql_fetch_assoc($queryget);
$currentpasswordDB = $row['password'];
//check passwords
if ($currentpassword==$currentpasswordDB)
{
    if ($newpassword==$confirmnewpassword)
    {
        //success, change password in DB
        $querychange = mysql_query("UPDATE users SET password='$newpassword' WHERE username='$username'") or die(mysql_error());
    }
    else header("Location: passwordmismatch.php");
    if ($querychange == true){
        $_SESSION["passchange"] = "Your password has been changed, Please Log in";
        header("Location:login.php");
    }
    else $_SESSION["nopasschange"] = "Your password could not be changed, Please try again";
    header("Location:userchangepassword.php");
}
else header("Location: passwordmismatch.php");
mysql_close($con);
?>
Upvotes: 0
Views: 9780
Reputation: 1
Bit late :P
but in the row $confirmnewpassword = md5($POST['confirmnewpassword']);
it should be
$confirmnewpassword = md5($_POST['confirmnewpassword']);
Upvotes: 0
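A hardened version of the password-change handler discussed in this thread, added here as an example and not taken from either post. It keeps the database, table, column and page names from the question; the PDO connection settings, the `redirect()` helper, and a `password` column wide enough for `password_hash()` output (for example VARCHAR(255)) holding hashes already created with `password_hash()` are assumptions.

```php
<?php
// Added example: hardened passwordaction.php. Database, table, column and page
// names come from the question; the PDO DSN and credentials are assumptions.
declare(strict_types=1);
session_start();

// Hypothetical helper: send the redirect and stop, so that no later header()
// call can replace the Location that was just set.
function redirect(string $page): void {
    header("Location: $page");
    exit;
}

if (empty($_SESSION['authenticatedUser'])) {
    redirect('login.php');
}
$username = $_SESSION['authenticatedUser'];

// filter_input() reads the real POST data, so a misspelled superglobal cannot
// silently turn a field into null. Missing or array values become ''.
$current = (string) filter_input(INPUT_POST, 'currentpassword');
$new     = (string) filter_input(INPUT_POST, 'newpassword');
$confirm = (string) filter_input(INPUT_POST, 'confirmnewpassword');

if ($new === '' || !hash_equals($new, $confirm)) {
    redirect('passwordmismatch.php');
}

$pdo = new PDO('mysql:host=localhost;dbname=groupproject;charset=utf8mb4', 'root', '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Server-side check of the current password against the stored salted hash.
$get = $pdo->prepare('SELECT password FROM users WHERE username = ?');
$get->execute([$username]);
$stored = $get->fetchColumn();
if (!is_string($stored) || !password_verify($current, $stored)) {
    redirect('passwordmismatch.php');
}

$set = $pdo->prepare('UPDATE users SET password = ? WHERE username = ?');
$set->execute([password_hash($new, PASSWORD_DEFAULT), $username]);

if ($set->rowCount() === 1) {   // report success only if a row really changed
    session_regenerate_id(true);
    $_SESSION['passchange'] = 'Your password has been changed, Please Log in';
    redirect('login.php');
}
$_SESSION['nopasschange'] = 'Your password could not be changed, Please try again';
redirect('userchangepassword.php');
```

The comparison against the database runs on the server, so it is server-side validation; the bound parameters and `password_hash()` replace the string-built queries and unsalted MD5 from the question.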