update mysql password

[joshuaer]

hello I am working on a simple script to update a users password based on their email address. I do not need high security for this password change, it is behind an internal intrnet site. I do not get any errors when the script runs but it is not updating the password form to update

<form action="/icloud/forgot/updateinfo.php" method="post"><input type="text" name="password"/><br> <font face="Arial, Helvetica, sans-serif">Change Email:</font><br/><input type="text" name="email" name="email"/><br/> <input type="submit" value="Update Email"/></form>

and the backend updateinfo.php

<?phpini_set('display_errors', 1);error_reporting(E_ALL);    include("../sql.php");$result = mysql_query("SELECT * FROM users")or die(mysql_error());while ($row = mysql_fetch_array($result)){    $email = $row['email'];    $password = $_POST['password'];}$sql = "UPDATE `users` SET `password` = '$password' WHERE password='$password' AND email='$email' ''";mysql_query($sql) or die ("Error: ".mysql_error());echo "Database updated. <a href='update_email.php'>Return to edit info</a>";?>

[birbal]

$result = mysql_query("SELECT * FROM users")or die(mysql_error());while ($row = mysql_fetch_array($result)){ $email = $row['email']; $password = $_POST['password'];}

what is it suppose to do? you can remove this part. simply updating the column where both email and password match will work. now when you use that, it takes all user from DB an keep looping thorugh untill it reaches last user. at thattime it keep it overwriting $email and lastly it has the value of last user. where as $password remains same as you inserted through the form. so both is not being the same to match the combo.

[birbal]

also printing out the success message wil not ensure that updates is successfull. it will display it anyway. you have to use mysql_affected_rows() to get actual number of rows it updated. and display succes message when the condition met. http://php.net/mysql_affected_rows

[joshuaer]

Thanks for the help birbal I am having a different problem with it now, when I run the script it is updating the password field now but I am getting this error Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1' at line 1 And when i try to login with the new password it is not working

<?php//ini_set('display_errors', 1);//error_reporting(E_ALL);    include("../sql.php");    $email = $_POST['email'];$password = $_POST['password'];$sql = mysql_query("UPDATE `users` SET password = MD5(password) WHERE email ='$email'!= ''");mysql_query($sql) or die ("Error: ".mysql_error());echo "Database updated. <a href='update_email.php'>Return to edit info</a>";?>

[birbal]

UPDATE `users` SET password = MD5(password) WHERE email ='$email'!= ''"

Your syntaxis not right. you shoud add condition using conditional operators like and,or. if you want to match where email and pasword combo matches you have to include password in WHERE condition too. also 'password' should be $password if you want to insert password in db. for hashing you should use one of sha family or whirlpool, or blowfish, or rjindal family instead of md5. Edited October 1, 2012 by birbal

[oldscholar]

// I think the proper code for this is as follows://Please take note that MD5 or PASSWORD function of mysql varies from version 4 to version 5. $sql = mysql_query("UPDATE `users` SET password = MD5($password) WHERE email ='$email''"); //or $sql = mysql_query("UPDATE `users` SET password = PASSWORD($password) WHERE email ='$email''");

Please read further regarding the changes of the password hash. http://dev.mysql.com...rd-hashing.html

Edited October 12, 2012 by oldscholar