0

Yesterday I posted some code asking how a user can update a password through a form. Look here

However, after updating the password, I couldn't log in through my Android app. So I decided to change the forgotpassword.php file a bit.

<?php
session_start();
require "../init.php";
ini_set('display_errors', 1);



if(isset($_POST['update'])){


    $email = $_POST['email'];
    $user_name = $_POST['user_name'];
    $password = $_POST['user_pass'];
    $passwordEncrypted = sha1($user_pass); 

    $confpassword = $_POST['confirm_pass'];
    $confPasswordEncrypted = sha1($confirmPass);  

    if($password !== $confpassword){
       echo "<script>alert('Passwords are not equal')</script>";
    }else{
        $select_query = "SELECT * FROM user_info";

        $run_select_query = mysqli_query($con,$select_query); 

        while ($row_post=mysqli_fetch_array($run_select_query)){

              $_SESSION['id'] = $row_post['id'];
              $user_id = $_SESSION['id'];
              $useremail = $row_post['email'];
              $username = $row_post['user_name'];

              var_dump($user_id);

            if($useremail == $email AND $username == $user_name){
                //echo "<script>alert('$useremail')</script>";
                //echo "<script>alert('$username')</script>";
                echo "<script>alert('$id')</script>";
                $update_posts = "UPDATE user_info SET user_pass='$passwordEncrypted',confirm_pass ='$confPasswordEncrypted'  
                WHERE $id='$_userid'";  

                $run_update = mysqli_query($con,$update_posts); 
                //var_dump($user_name);
            echo "<script>alert('Password Has been Updated!')</script>";
            }else{
             echo "<script>alert('No email or username was found')</script>";
            }

        }

    }

}
?>

But now the password is not updated as it was before. There is something wrong in the update statement or a line before that. The $_SESSION['id'] is not null so the select query works fine.

Any ideas?

Thanks.

3
  • 1
    You've got no error checking in your code. And why 2 SQL statements when this can be implemented with 1 (update where the password and user matches - if it changes 0 rows, the username or password was invalid).
    – symcbean
    Apr 22, 2016 at 8:02
  • Single round of sha1 is not enough for password hashing. See here: stackoverflow.com/questions/401656/…
    – 1615903
    Apr 22, 2016 at 11:07
  • Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. Make sure that you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.
    Apr 22, 2016 at 15:56

4 Answers

3

typo in where clause. WHERE $id='$_userid'";

change update query's where clause to this: WHERE $id='$user_id'";

1

Update your select query:

$select_query = "SELECT * FROM user_info where email = '".$email."' and user_name = '".$user_name."' ";

and then check mysqli_num_rows(). Only if it is > 0, execute the update query and put the data in the session.

Also, your update query is not correct. It should be:

$update_posts = "UPDATE user_info SET user_pass='$passwordEncrypted',confirm_pass ='$confPasswordEncrypted'  
                WHERE id='$user_id'";
1

Your update query should be like this:

$update_posts = "UPDATE user_info 
    SET
           user_pass='$passwordEncrypted',
           confirm_pass ='$confPasswordEncrypted' 
    WHERE id = $user_id";
0

OK. I have changed the code and made it work. So this is what I am doing.

1) I run a select query to check if the user is already registered. If yes, then update the password and send a new one to his email.

2) If not, then you get a JSON response in my Android app saying that the user email is not found.

3) And finally the user can log in with his updated 5-digit password :).

<?php
require "init.php";

// Read the submitted address; null when the field is missing.
$email = isset($_POST['email']) ? $_POST['email'] : null;

if ($email) {
    // Look up only the matching account instead of scanning every row,
    // and bind the value so it is never interpolated into the SQL text.
    $select = mysqli_prepare($con, "SELECT id FROM user_info WHERE email = ?");
    mysqli_stmt_bind_param($select, "s", $email);
    mysqli_stmt_execute($select);
    mysqli_stmt_bind_result($select, $id);
    $found = mysqli_stmt_fetch($select);
    mysqli_stmt_close($select);

    if ($found) {
        // New 5-digit password; sha1() is kept as in the original so the
        // stored value stays in the same format as before.
        $email_password = rand(72891, 92729);
        $new_pass = sha1($email_password);

        // Update exactly the row that was found, by its id.
        $update = mysqli_prepare($con, "UPDATE user_info SET user_pass = ?, confirm_pass = ? WHERE id = ?");
        mysqli_stmt_bind_param($update, "ssi", $new_pass, $new_pass, $id);
        mysqli_stmt_execute($update);
        mysqli_stmt_close($update);

        $subject = "Login information";
        $message = "Your password has been changed to $email_password";
        $from = "From: [email protected]";

        mail($email, $subject, $message, $from);

        $don = array('result' => "success", "message" => "your password has been updated. Please check your email");
    } else {
        $don = array('result' => "fail", "message" => "user mail not found.");
    }
} else {
    $don = array('result' => "fail", "message" => "please enter your email");
}

echo json_encode($don);
?>
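
The approach suggested in the comments above (a single UPDATE whose affected-row count tells you whether the user matched, and password_hash() instead of sha1()), written out as an added example that is not taken from any of the posts. It assumes PDO with an in-memory SQLite table so it runs stand-alone; update_password(), check_login() and the sample row are hypothetical, and the login side has to switch to password_verify() for the new hashes to work.

```php
<?php
// Added example. Constructed in-memory table standing in for user_info
// (assumption: PDO + SQLite so the script runs without a MySQL server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_info (id INTEGER PRIMARY KEY, email TEXT, user_name TEXT, user_pass TEXT)");
$db->prepare("INSERT INTO user_info (email, user_name, user_pass) VALUES (?, ?, ?)")
   ->execute(['alice@example.test', 'alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Hypothetical helper: one parameterized UPDATE replaces the SELECT loop.
// Returns true only when exactly one account matched and was changed.
function update_password(PDO $db, string $email, string $userName, string $newPass, string $confirm): bool
{
    if ($newPass === '' || !hash_equals($newPass, $confirm)) {
        return false; // passwords missing or not equal
    }
    // Hash the raw password as typed; only the hash is stored, so a
    // separate confirm_pass column is not needed.
    $hash = password_hash($newPass, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE user_info SET user_pass = ? WHERE email = ? AND user_name = ?");
    $stmt->execute([$hash, $email, $userName]);
    // Zero rows changed means the email/user name pair was not found.
    return $stmt->rowCount() === 1;
}

// Hypothetical helper: the matching login check for password_hash() output.
function check_login(PDO $db, string $userName, string $password): bool
{
    $stmt = $db->prepare("SELECT user_pass FROM user_info WHERE user_name = ?");
    $stmt->execute([$userName]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed inputs: a valid update, a mismatched confirmation, and a
// user name carrying SQL syntax, which is bound as data and matches no row.
var_dump(update_password($db, 'alice@example.test', 'alice', 'new-secret', 'new-secret'));
var_dump(update_password($db, 'alice@example.test', 'alice', 'new-secret', 'typo'));
var_dump(update_password($db, 'alice@example.test', "alice' OR '1'='1", 'x', 'x'));
var_dump(check_login($db, 'alice', 'new-secret'));
var_dump(check_login($db, 'alice', 'old-secret'));
```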
