Change Password,php - Printable Version

LCKB (https://lckb.dev/forum), thread: Change Password,php (/showthread.php?tid=1792)
- crankchaos - 04-05-2013

Can one tell me where the error is?

```php
<?php
include("include/config.php");

// connect to the mysql server
$link = mysql_connect($ip, $userdb, $sqlpw)
or die ("Could not connect to mysql because ".mysql_error());

// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());

$username = $_POST[username];
$password = $_POST[password];
$newpassword = $_POST[newpassword];
$confirmnewpassword = $_POST[confirmnewpassword];

$result = mysql_query("SELECT password FROM users WHERE username=$username");
if(!$result)
{
    echo "The username you entered does not exist. <a href=change_pw.php>Try Again</a> or <a href=index.htm>Quit</a>";
}
else if($password!= mysql_result($result, 0))
{
    echo "You entered an incorrect password. <a href=changepw.htm>Try Again</a> or <a href=index.htm>Quit</a>";
}
if($newpassword=$confirmnewpassword)
    $sql=mysql_query("UPDATE users SET password=$newpassword where username=$username");
if($sql)
{
    echo "Congratulations! You have successfully changed your password. <a href=index.php>Continue</a>";
}
else
{
    echo "The new password and confirm new password fields must be the same. <a href=change_pw.php>Try Again</a> or <a href=index.php>Quit</a>";
}
?>
```

- crankchaos - 04-05-2013

- luoo - 04-05-2013

wrong db name? sql injection..

- Sentence - 04-10-2013

The error is: This script is complete [CeNsOrEd].

- Wizatek - 04-11-2013

I hope for you that not your entire website is written like that, else your server is doomed to be hacked.
- Gothic - 04-11-2013

```php
<b>Change Password</b>
<br /><br />
<form action="" method="post">
Old Password : <input type="password" name="oldpassword" />
<br />
New Password : <input type="password" name="newpassword" />
<input type="submit" name="changepass" value="Change Password" />
</form>
<br /><br />
<?php
// $ip, $sqluser, $sqlpw, $userdb, $salt and anti_injection() are expected
// to come from the site's own includes; they are not defined in this post.
if(isset($_POST['changepass']))
{
    $oldpass = anti_injection($_POST['oldpassword']);
    $newpass = anti_injection($_POST['newpassword']);
    if($oldpass&&$newpass)
    {
        // look up the logged-in account and compare the stored password
        $conns22 = new mysqli($ip,$sqluser,$sqlpw,$userdb);
        $query22 = "SELECT * FROM bg_user WHERE user_id='". $_SESSION['username'] ."'";
        $exec22 = $conns22->query($query22);
        $res22 = $exec22->fetch_assoc();
        if($res22['truepasswd'] == $oldpass)
        {
            // salted sha256 of lowercased username + salt + new password
            $realpasss = hash("sha256",strtolower($_SESSION['username']).$salt.$newpass);
            $conns22d = new mysqli($ip,$sqluser,$sqlpw,$userdb);
            $conns22d->query("UPDATE bg_user SET truepasswd='$newpass' WHERE user_id='". $_SESSION['username'] ."'");
            $conns22d->query("UPDATE bg_user SET passwd='$realpasss' WHERE user_id='". $_SESSION['username'] ."'");
            echo "<b>Password changed.</b>";
        }
        else
        {
            echo "<b>Error! Old password isnt correct.</b>";
        }
    }
    else
    {
        echo "<b>Error! Please enter old and new password.</b>";
    }
}
?>
```

It was fast writing from me.

- Wizatek - 04-11-2013

Even mysqli supports prepared statements. Concatenating variables in queries is just not done anymore.
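
The prepared-statement approach mentioned in the last reply, as an added example that is not code from any poster in this thread: a mysqli change-password handler that binds every value as a parameter. It assumes the `users` table and the config variables from the first post, a `$_SESSION['username']` set at login, and that `users.password` stores `password_hash()` output instead of the plaintext the thread's scripts compare against.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumptions: include/config.php defines
// $ip, $userdb, $sqlpw and $database as in the first post; login stored the account
// name in $_SESSION['username']; users.password holds password_hash() output.

function change_password(mysqli $db, string $user, string $old, string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {          // comparison, not assignment
        return 'The new password and its confirmation must match.';
    }

    // Placeholders keep request data out of the SQL text entirely.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();                         // true when a row exists, null otherwise
    $stmt->close();

    // Same message for an unknown user and a wrong password; stop before any UPDATE.
    if ($found !== true || !password_verify($old, (string) $storedHash)) {
        return 'Username or current password is incorrect.';
    }

    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $stmt->bind_param('ss', $newHash, $user);
    $stmt->execute();
    $stmt->close();
    return 'Password changed.';
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    session_start();
    require 'include/config.php';
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors
    $db = new mysqli($ip, $userdb, $sqlpw, $database);
    $db->set_charset('utf8mb4');
    echo htmlspecialchars(change_password(
        $db,
        (string) ($_SESSION['username'] ?? ''),
        (string) ($_POST['password'] ?? ''),
        (string) ($_POST['newpassword'] ?? ''),
        (string) ($_POST['confirmnewpassword'] ?? '')
    ));
}
```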