Hello! I'm pretty fresh in the MySQL world, but already know a bit from the check magazine tutorial. I wanted to do a change password function, but I actually have no idea what server behavior I have to use to find out the user ID of the current user logged in. Can anyone please help me with that? Step-by-step tutorials are more than welcome, as I'm not so good at Dreamweaver stuff yet. Oh, and I'm using Dreamweaver 5.5.
When someone is properly logged in, a session variable called "MM_Username" is created. You can either use the value of that username to search the database and find the user's record ID on this page, or you can hack into the user authentication code to add another session variable containing that record ID, or you can just put that record ID into the MM_UserGroup session variable (which is only used if you are authenticating based on username, password, and usergroup). Do you know how to do any of those things?
First of all, thanks for the answer. Basically what I would like to know is, if I make a recordset and then assign the stuff to the end of the URL, it's like change_pw.php?username= What PHP code must I have here to have it automatically find the current MM_Username in use? Please help me with a step-by-step tutorial, if possible.
Regards,
Alo
You don't need to use that method at all.
Get your new password for the logged in user, and then do the following -
1. At the very top of the page, put this (you may already have it if you have used the User Authentication Restrict Access feature on the page) -
<?php if (!isset($_SESSION)) { session_start(); } ?>
2. Then in the SQL statement definition panel, where you would insert the new password into the database, you would filter on the userID field, i.e., WHERE userID = " . $_SESSION['MM_Username']"
<input name="user_id" type="hidden" id="user_id" value="WHERE userID = " . $_SESSION['MM_Username']"" />
Like this after the "submit" button in the change_pw.php file?
No. My item 2 (above) referred to the PHP code block at the top of the page where the SELECT statement for your recordset is being built. Can you show us that block of code?
Here is the current recordset code.
<?php
if (!function_exists("GetSQLValueString")) {
  function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
  {
    if (PHP_VERSION < 6) {
      $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
    }
    $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);
    switch ($theType) {
      case "text":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "long":
      case "int":
        $theValue = ($theValue != "") ? intval($theValue) : "NULL";
        break;
      case "double":
        $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
        break;
      case "date":
        $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        break;
      case "defined":
        $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
        break;
    }
    return $theValue;
  }
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE users SET password=%s WHERE user_id=%s",
                       GetSQLValueString($_POST['password'], "text"),
                       GetSQLValueString($_POST['user_id'], "int"));
  mysql_select_db($database_check_mag, $check_mag);
  $Result1 = mysql_query($updateSQL, $check_mag) or die(mysql_error());
  $updateGoTo = "index.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

mysql_select_db($database_check_mag, $check_mag);
$query_getPost = "SELECT user_id, username, password FROM users";
$getPost = mysql_query($query_getPost, $check_mag) or die(mysql_error());
$row_getPost = mysql_fetch_assoc($getPost);
$totalRows_getPost = mysql_num_rows($getPost);

$colname_getPost = "-1";
if (isset($_GET['post_id'])) {
  $colname_getPost = $_GET['post_id'];
}
mysql_select_db($database_check_mag, $check_mag);
$query_getPost = sprintf("SELECT post_id, title, blog_entry FROM news WHERE post_id = %s", GetSQLValueString($colname_getPost, "int"));
$getPost = mysql_query($query_getPost, $check_mag) or die(mysql_error());
$row_getPost = mysql_fetch_assoc($getPost);
$totalRows_getPost = mysql_num_rows($getPost);
?>
This is the code that is building the SQL query -
$query_getPost = "SELECT user_id, username, password FROM users";
You would want to change it to this -
$query_getPost = "SELECT user_id, username, password FROM users WHERE username ='" . $_SESSION['MM_Username'] . "'";
That will give you the user_id in the recordset.
After that there is no need for change_pw.php[?username= <------?]
EDIT: Added that.
Also,
<input type="hidden" name="MM_update" value="form1" />
<input name="username" type="hidden" id="username" value="<?php echo $row_getPost['username']; ?>" />
Are those 2 necessary after the submit button?
Please reply, I need it fixed really quickly.
Change the update statement to use the user id from the session variable as Murray suggested. Don't pass it from the form - it's too easy for someone to hack. You should also force the user to input their current password for validation as an additional security measure.
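An added example, not part of the original thread or written by any of its posters: one way to do what the reply above and the earlier recordset advice describe, looking the user up by $_SESSION['MM_Username'] instead of a form field and requiring the current password before the update. It assumes PDO with bound parameters in place of the thread's mysql_* calls, passwords stored with password_hash(), and an in-memory SQLite table (needs the pdo_sqlite extension) standing in for the users table; changePassword() is a hypothetical helper name.

```php
<?php
// Added example (not from the thread). changePassword() is a hypothetical helper.
// The user is identified by $_SESSION['MM_Username'] only; no form field is trusted.
function changePassword(PDO $db, array $session, string $current, string $new): bool
{
    if (empty($session['MM_Username'])) {
        return false; // nobody is logged in
    }
    // Bound parameter instead of concatenating the username into the SQL string.
    $sel = $db->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $sel->execute([$session['MM_Username']]);
    $user = $sel->fetch(PDO::FETCH_ASSOC);

    // Require the current password before accepting a new one.
    if (!$user || !password_verify($current, $user['password'])) {
        return false;
    }
    // Assumption: the password column holds password_hash() output, not plain text.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE user_id = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user['user_id']]);
}

// Constructed demo data; in-memory SQLite stands in for the MySQL connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('alice-old', PASSWORD_DEFAULT)]);
$ins->execute(['bob', password_hash('bob-old', PASSWORD_DEFAULT)]);

$session = ['MM_Username' => 'alice']; // in the page: session_start(), then pass $_SESSION
$_POST['user_id'] = '2';               // tampered hidden field; the helper never reads it

echo 'wrong current password accepted: ';
var_dump(changePassword($db, $session, 'guess', 'alice-new'));
echo 'correct current password accepted: ';
var_dump(changePassword($db, $session, 'alice-old', 'alice-new'));

// The other account must be untouched even though user_id=2 was posted.
$bob = $db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
echo "bob's password unchanged: ";
var_dump(password_verify('bob-old', $bob));
```

With this shape the hidden user_id and username inputs can be dropped from the form; only the current and new password fields need to be posted.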
Thanks for the reply. Could you please explain further how I should do that? I'm a complete noob at that stuff.