I am having trouble getting this to work correctly. I am trying to clean up my PHP files and make a function that changes the user's password. It works fine if I keep the copied code from the function file under function setPass in the Login_success.php file. When I copy the working code into the functions.php file with the function name setPass, it does not work, and I am not getting an error message either. I realize that not using PDO prepared statements is unsafe, but I will change it once I get this working. Here is my code for the login_success file and the functions file:
Functions.php
<?php
require 'DB.php';
function setPass(){
    foreach($conn->query("SELECT password FROM CLL_users WHERE user_name= '$userCurrent'") as $password1) {
        $old_pass = ($password1['password']);
    }
    $new_pass = md5($_POST['new_pass']);
    if (md5($_POST['old_password']) == ($old_pass) && ($_POST['new_pass']) == ($_POST['verify_pass'])) {
        $sql="UPDATE CLL_users SET password= '$new_pass' WHERE user_name= '$userCurrent'";
        $result=mysql_query($sql);
        echo "Match";
    } else {
        echo "Not a Match";
    }
}
?>
login_success.php
<?php
require 'functions.php';
require 'DB.php';
session_start();
session_is_registered(myusername);
$userCurrent = $_SESSION['myusername'];
$host="localhost"; // Host name
$username="user"; // Mysql username
$password="XXXXXX"; // Mysql password
$db_name="db"; // Database name
$tbl_name="CLL_users"; // Table name
date_default_timezone_set('America/Chicago');
$dateCreated = date('m/d/Y h:i:s a', time());
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$sql="UPDATE CLL_users SET last_login= '$dateCreated' WHERE user_name= '$userCurrent'";
$result=mysql_query($sql);
if(!session_is_registered(myusername)){
    header("location:main_login.php");
}
?>
<!DOCTYPE html>
<html>
<head>
<title>user</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<LINK href="CLL.css" rel="stylesheet" type="text/css">
</head>
<body>
<form id ="css" action="" method="post">
<div class="row">
<label class ="formLabel" for="old_password">Old password:</label>
<input type="password" name="old_password" id="old_password" />
<br> <label class ="formLabel" for="new_pass">New Password:</label>
<input type="password" name="new_pass" id="new_pass" />
<br> <label class ="formLabel" for="verify_pass">Verify new password:</label>
<input type="password" name="verify_pass" id="verify_pass" />
</div>
<input type="submit" />
</form>
<?php
$_POST['old_password'] = $old_pass;
$_POST['new_pass'] = $new_pass;
$_POST['verify_pass'] = $verify_pass;
if ($_SERVER['REQUEST_METHOD'] == 'POST'){
    setPass($userCurrent, $old_pass, $new_pass, $verify_pass);
}
?>
</body>
</html>
- Just wondering why would you make a function called valid_email($email) that returns the return variable from the other function filter_var(); seems devious. You might as well just use the filter_var function wherever you wanted to use the valid_email function. Same result, except less code and more readability. – user1534664, Nov 3, 2012 at 2:09
- You forgot to concatenate here: WHERE user_name= '$userCurrent'" – user1534664, Nov 3, 2012 at 2:11
- @user1534664 I am new to PHP and I saw in a video tutorial on "tutsplus.com" that's the method that he used to accomplish verifying an email met the proper criteria to be valid to an extent. – Yamaha32088, Nov 3, 2012 at 2:13
- @user1534664 Wrapping PHP's functions with your own functions is fine, especially if you're going to be using them a lot. And this way he doesn't have to pass the FILTER_VALIDATE_EMAIL constant each time. – KaeruCT, Nov 3, 2012 at 2:17
- Please, please tell me you are not storing passwords without a salt. – Daedalus, Nov 3, 2012 at 3:01
1 Answer
I think the problem lies in the sequence of the code. You should try passing $userCurrent as a parameter; try using this function (I also fixed a few syntax errors):
function setPass($userCurrent)
{
    // Assumption: DB.php creates $conn in the global scope. Without this
    // line $conn is undefined inside the function, just like $userCurrent was.
    global $conn;
    foreach($conn->query("SELECT password FROM CLL_users WHERE user_name= '" . $userCurrent . "'") as $password1) {
        echo $password1['password']; // debug output
        $old_pass = ($password1['password']);
    }
    $new_pass = md5($_POST['new_pass']);
    echo "<br>";
    if (md5($_POST['old_password']) == ($old_pass) && ($_POST['new_pass']) == ($_POST['verify_pass'])) {
        $sql="UPDATE CLL_users SET password= '" . $new_pass . "' WHERE user_name= '" . $userCurrent . "'";
        $result=mysql_query($sql);
        echo "Match";
    } else {
        echo "Not a Match";
    }
    // Debug output of the compared hashes
    echo "<br>";
    echo md5($_POST['old_password']);
    echo "<br>";
    echo ($old_pass);
    echo "<br>";
    echo ($new_pass);
}
Btw, what the BBQ were you thinking here, lol:
$_POST['old_password'] = $old_pass;
$_POST['new_pass'] = $new_pass;
$_POST['verify_pass'] = $verify_pass;
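
As an added example that is not part of the answer above or the asker's code: a setPass() that receives the connection and form values as parameters (so nothing depends on outer-scope variables), uses PDO prepared statements as the question plans to, and replaces md5() with password_hash()/password_verify() so every stored hash is salted. The function signature, the in-memory SQLite table standing in for MySQL, and the sample user and passwords are assumptions constructed for the demo; it needs PHP 7+ with pdo_sqlite.

```php
<?php
// Added example: hardened password change for the CLL_users table.
// Assumed signature; the page's own setPass() takes different arguments.
function setPass(PDO $conn, string $user, string $old, string $new, string $verify): bool
{
    // Reject an empty new password or a mismatched confirmation.
    if ($new === '' || !hash_equals($new, $verify)) {
        return false;
    }

    // Placeholders keep the user name out of the SQL text entirely.
    $stmt = $conn->prepare('SELECT password FROM CLL_users WHERE user_name = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();

    // password_verify() reads the salt and cost from the stored hash.
    if ($stored === false || !password_verify($old, $stored)) {
        return false; // unknown user or wrong old password
    }

    // password_hash() generates a fresh random salt for the new hash.
    $stmt = $conn->prepare('UPDATE CLL_users SET password = ? WHERE user_name = ?');
    return $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
}

// --- Constructed demo data (in-memory SQLite instead of MySQL) ---
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE CLL_users (user_name TEXT PRIMARY KEY, password TEXT)');

// A user name containing a quote would break the concatenated queries;
// with bound parameters it is just data.
$user = "o'brien";
$conn->prepare('INSERT INTO CLL_users (user_name, password) VALUES (?, ?)')
     ->execute([$user, password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong old password, mismatched confirmation, then a valid change.
var_dump(setPass($conn, $user, 'wrong-guess', 'n3w-secret', 'n3w-secret'));
var_dump(setPass($conn, $user, 'old-secret', 'n3w-secret', 'typo'));
var_dump(setPass($conn, $user, 'old-secret', 'n3w-secret', 'n3w-secret'));

// The old password no longer works once the change has been stored.
var_dump(setPass($conn, $user, 'old-secret', 'another', 'another'));
```

In login_success.php the call would pass the session user and the three $_POST fields directly instead of reading $_POST inside the function.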