joshuaer Posted September 30, 2012

Hello, I am working on a simple script to update a user's password based on their email address. I do not need high security for this password change; it is behind an internal intranet site. I do not get any errors when the script runs, but it is not updating the password.

Form to update:

    <form action="/icloud/forgot/updateinfo.php" method="post">
    <input type="text" name="password"/><br>
    <font face="Arial, Helvetica, sans-serif">Change Email:</font><br/>
    <input type="text" name="email" name="email"/><br/>
    <input type="submit" value="Update Email"/>
    </form>

And the backend updateinfo.php:

    <?php
    ini_set('display_errors', 1);
    error_reporting(E_ALL);
    include("../sql.php");
    $result = mysql_query("SELECT * FROM users") or die(mysql_error());
    while ($row = mysql_fetch_array($result)) {
        $email = $row['email'];
        $password = $_POST['password'];
    }
    $sql = "UPDATE `users` SET `password` = '$password' WHERE password='$password' AND email='$email' ''";
    mysql_query($sql) or die ("Error: ".mysql_error());
    echo "Database updated. <a href='update_email.php'>Return to edit info</a>";
    ?>

birbal Posted September 30, 2012

    $result = mysql_query("SELECT * FROM users") or die(mysql_error());
    while ($row = mysql_fetch_array($result)) {
        $email = $row['email'];
        $password = $_POST['password'];
    }

What is it supposed to do? You can remove this part. Simply updating the column where both email and password match will work.

Now when you use that, it takes all users from the DB and keeps looping through until it reaches the last user. At that time it keeps overwriting $email, and lastly it has the value of the last user, whereas $password remains the same as you inserted through the form. So both are not the same to match the combo.

birbal Posted September 30, 2012

Also, printing out the success message will not ensure that the update is successful. It will display it anyway. You have to use mysql_affected_rows() to get the actual number of rows it updated, and display the success message when the condition is met.

http://php.net/mysql_affected_rows

joshuaer Posted September 30, 2012

Thanks for the help, birbal.

I am having a different problem with it now. When I run the script it is updating the password field now, but I am getting this error:

    Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1

And when I try to log in with the new password it is not working.

    <?php
    //ini_set('display_errors', 1);
    //error_reporting(E_ALL);
    include("../sql.php");
    $email = $_POST['email'];
    $password = $_POST['password'];
    $sql = mysql_query("UPDATE `users` SET password = MD5(password) WHERE email ='$email'!= ''");
    mysql_query($sql) or die ("Error: ".mysql_error());
    echo "Database updated. <a href='update_email.php'>Return to edit info</a>";
    ?>

birbal Posted October 1, 2012

    UPDATE `users` SET password = MD5(password) WHERE email ='$email'!= ''"

Your syntax is not right. You should add conditions using conditional operators like and, or. If you want to match where the email and password combo matches, you have to include password in the WHERE condition too. Also, 'password' should be $password if you want to insert the password in the DB. For hashing you should use one of the SHA family, or Whirlpool, or Blowfish, or the Rijndael family instead of MD5.

Edited October 1, 2012 by birbal

oldscholar Posted October 12, 2012

    // I think the proper code for this is as follows:
    // Please take note that MD5 or PASSWORD function of mysql varies from version 4 to version 5.
    $sql = mysql_query("UPDATE `users` SET password = MD5('$password') WHERE email ='$email'");
    // or
    $sql = mysql_query("UPDATE `users` SET password = PASSWORD('$password') WHERE email ='$email'");

Please read further regarding the changes of the password hash.

http://dev.mysql.com...rd-hashing.html

Edited October 12, 2012 by oldscholar

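Added example (not part of any post in this thread): one way to write the update discussed above with PDO prepared statements, password_hash() and a row-count check in the spirit of mysql_affected_rows(). The `users` table and its `email`/`password` columns come from the thread; the helper name update_password() and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not code from the thread.
function update_password(PDO $db, string $email, string $newPassword): bool
{
    // Hash in PHP rather than in SQL; password_hash() generates a salt itself.
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);

    // Placeholders keep the form input out of the SQL text, so a quote
    // character in the email cannot change the statement.
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE email = :email');
    $stmt->execute([':hash' => $hash, ':email' => $email]);

    // Report success only when exactly one row was actually changed.
    return $stmt->rowCount() === 1;
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice@example.test', 'old')");

var_dump(update_password($db, 'alice@example.test', 'N3w-passphrase'));   // known address
var_dump(update_password($db, 'nobody@example.test', 'N3w-passphrase'));  // unknown address
var_dump(update_password($db, "o'brien@example.test", 'N3w-passphrase')); // apostrophe in input

// Login side: compare with password_verify() against the stored hash
// instead of re-hashing the submitted password and comparing strings.
$stored = $db->query("SELECT password FROM users WHERE email = 'alice@example.test'")
             ->fetchColumn();
var_dump(password_verify('N3w-passphrase', $stored));
```

Against the thread's MySQL database only the PDO connection string changes; the statement and the checks stay the same.
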