Posts: 72
Threads: 16
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: Nov 2012
Reputation:
0
Can anyone tell me where the error is?
<?php
include("include/config.php");
// connect to the mysql server
$link = mysql_connect($ip, $userdb, $sqlpw)
or die ("Could not connect to mysql because ".mysql_error());
// select the database
mysql_select_db($database)
or die ("Could not select database because ".mysql_error());
$username = $_POST[username];
$password = $_POST[password];
$newpassword = $_POST[newpassword];
$confirmnewpassword = $_POST[confirmnewpassword];
$result = mysql_query("SELECT password FROM users WHERE username=$username");
if(!$result)
{
echo "The username you entered does not exist. <a href=change_pw.php>Try Again</a> or <a href=index.htm>Quit</a>";
}
else
if($password!= mysql_result($result, 0))
{
echo "You entered an incorrect password. <a href=changepw.htm>Try Again</a> or <a href=index.htm>Quit</a>";
}
if($newpassword=$confirmnewpassword)
$sql=mysql_query("UPDATE users SET password=$newpassword where username=$username");
if($sql)
{
echo "Congratulations! You have successfully changed your password. <a href=index.php>Continue</a>";
}
else
{
echo "The new password and confirm new password fields must be the same. <a href=change_pw.php>Try Again</a> or <a href=index.php>Quit</a>";
}
?>
Posts: 282
Threads: 5
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: Oct 2012
Reputation:
0
wrong db name?
sql injection..
Posts: 82
Threads: 16
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: Aug 2012
Reputation:
0
The error is: This script is complete [CeNsOrEd].
Posts: 768
Threads: 40
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: May 2011
Reputation:
0
I hope for your sake that your entire website is not written like that, or else your server is doomed to be hacked.
Posts: 138
Threads: 20
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: Nov 2012
Reputation:
0
<b>Change Password</b> <br /><br />
<form action="" method="post">
Old Password : <input type="password" name="oldpassword" /> <br />
New Password : <input type="password" name="newpassword" />
<input type="submit" name="changepass" value="Change Password" /> <br /><br />
</form>
<?php
// Run only when the form was submitted
if (isset($_POST['changepass']))
{
    // anti_injection() is the poster's own helper; it is not shown in the thread
    $oldpass = anti_injection($_POST['oldpassword']);
    $newpass = anti_injection($_POST['newpassword']);
    if ($oldpass && $newpass)
    {
        $conns22 = new mysqli($ip, $sqluser, $sqlpw, $userdb);
        // String values are quoted in the SQL text; the query is still built by concatenation
        $query22 = "SELECT * FROM bg_user WHERE user_id='" . $_SESSION['username'] . "'";
        $exec22 = $conns22->query($query22);
        $res22 = $exec22->fetch_assoc();
        // $res22 is null when no row matched
        if ($res22 && $res22['truepasswd'] == $oldpass)
        {
            // Salted SHA-256 of lower-cased username + salt + new password ($salt comes from the config)
            $realpasss = hash("sha256", strtolower($_SESSION['username']) . $salt . $newpass);
            $conns22d = new mysqli($ip, $sqluser, $sqlpw, $userdb);
            $conns22d->query("UPDATE bg_user SET truepasswd='$newpass' WHERE user_id='" . $_SESSION['username'] . "'");
            $conns22d->query("UPDATE bg_user SET passwd='$realpasss' WHERE user_id='" . $_SESSION['username'] . "'");
            echo "<b>Password changed.</b>";
        } else {
            echo "<b>Error! Old password isnt correct.</b>";
        }
    } else {
        echo "<b>Error! Please enter old and new password.</b>";
    }
}
?>
I wrote it quickly.
Posts: 768
Threads: 40
Thanks Received:
0 in 0 posts
Thanks Given: 0
Joined: May 2011
Reputation:
0
Even mysqli supports prepared statements. Concatenating variables into queries is just not done anymore.
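
The prepared-statement approach the last reply refers to, applied to the change-password script from the first post. This is an added example, not code from any poster in the thread. It assumes the `users` table and the `include/config.php` variables from the first post, and, as a further assumption, that the `password` column stores `password_hash()` output rather than the plaintext or salted SHA-256 values used in the thread; `change_password()` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumes the `users` table
// (username, password) and the connection variables from the first post,
// and that `password` holds password_hash() output.
include("include/config.php");
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function change_password(mysqli $db, string $username, string $current,
                         string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {
        return "The new password and confirm new password fields must be the same.";
    }
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $db->prepare("SELECT password FROM users WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();   // true on a row, null when no row matched
    $stmt->close();

    // One message for unknown user and wrong password, so the form
    // does not reveal which usernames exist.
    if (!$found || !password_verify($current, $storedHash)) {
        return "Incorrect username or password.";
    }

    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE users SET password = ? WHERE username = ?");
    $stmt->bind_param("ss", $newHash, $username);
    $stmt->execute();
    $stmt->close();
    return "Congratulations! You have successfully changed your password.";
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli($ip, $userdb, $sqlpw, $database);
    $message = change_password(
        $db,
        (string)($_POST['username'] ?? ''),
        (string)($_POST['password'] ?? ''),
        (string)($_POST['newpassword'] ?? ''),
        (string)($_POST['confirmnewpassword'] ?? '')
    );
    echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}
```

Existing rows would need their passwords re-hashed with `password_hash()` before `password_verify()` can match them.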