Comparing Variable to what is in db
  #1 (permalink)  
Old 11-25-11, 06:43 PM
mcj212 mcj212 is offline

Hello

I am trying to write a script that will compare the current password stored in the database (encrypted) and then compare to what the user is putting in. I have the following so far and need some help as it is not working as expected. I would think that it should fail if the two variables do not match.

Code:

<html>
<head>
<title>Password Change</title>
</head>
<body>

<?php

mysql_connect("HOSTNAME", "USERNAME", "PASSWORD") or die(mysql_error());
mysql_select_db("DBName") or die(mysql_error());

$todo=$_POST['todo'];
$username=$_POST['userid'];
$password=$_POST['password'];
$password2=$_POST['password2'];
$oldpass=$_POST['oldpass'];

/////////////////////////

if(isset($todo) and $todo=="change-password"){
//Setting flags for checking
$status = "OK";
$msg="";

$results = mysql_query("SELECT Fieldname FROM tablename WHERE username='$username'") or die(mysql_error());  
$q1 = mysql_fetch_array($results);

if(!$q1)  
	{  
		echo "The username and password combination does not exist in the database <font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>"; die();
	}  

$oldpass=md5($oldpass); 
if ($password === $q1){
$msg=$msg."Old Password is the same as the old password <br>";
$status= "NOTOK";}	

if ($oldpass == $q1){
$msg=$msg."Old Password does not match the database <br>";
$status= "NOTOK";}	

if ( strlen($password) < 3 or strlen($password) > 10 ){
$msg=$msg."Password must be more than 3 char length and maximum 10 char length<BR>";
$status= "NOTOK";}					
 
if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}					

$password=md5($password); 

if($status<>"OK")
	{ 
		echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
	}
		else {
		// if all validations are passed.

			if (mysql_query("UPDATE tablename SET password='$password' where username='$username'") or die(mysql_error()))
			
				{
					echo "<font face='Verdana' size='2' ><center>Thanks <br> Your password changed successfully. Please keep changing your password for better security</font></center>";
				}
	//else {
		//		echo "<font face='Verdana' size='2' color=red><center>Sorry <br> Failed to change password Contact Site Admin</font></center>" <br>;
			//	echo "<font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>"	
			// }
			}
}


?>  
</body>
</html>

Any help would be greatly appreciated.
  #2 (permalink)  
Old 11-28-11, 02:48 AM
phplabs phplabs is offline
 
hi,

first, in your query:

$results = mysql_query("SELECT Fieldname FROM tablename WHERE username='$username'")...

did you really name that column 'Fieldname'? i see that later in the code you have a field named 'password'.

second,

if ($oldpass == $q1){

when you have $q1 = mysql_fetch_array($results); in your code, $q1 is not a string but an array. so you should compare it something like $oldpass == $q1['password'].

use functions print_r() and var_dump() to print the variables to screen - this way you'll see what values they *actually* have, because oftentimes the errors occur when the variables have different values (or even different types of values) from what is expected.
__________________
blog.phplabs.net
  #3 (permalink)  
Old 12-03-11, 12:08 PM
mcj212 mcj212 is offline
 
Quote:
Originally Posted by phplabs
hi,

first, in your query:

$results = mysql_query("SELECT Fieldname FROM tablename WHERE username='$username'")...

did you really name that column 'Fieldname'? i see that later in the code you have a field named 'password'.

second,

if ($oldpass == $q1){

when you have $q1 = mysql_fetch_array($results); in your code, $q1 is not a string but an array. so you should compare it something like $oldpass == $q1['password'].

use functions print_r() and var_dump() to print the variables to screen - this way you'll see what values they *actually* have, because oftentimes the errors occur when the variables have different values (or even different types of values) from what is expected.

Thanks for your reply....

I added the print_r($q1) right after the query and lines to compare the old password to what the password is in the database. with the following:

Code:
$results = mysql_query("SELECT password FROM kb_users WHERE username='$username'") or die(mysql_error());  
$q1 = mysql_fetch_array($results);

if(!$q1)  
	{  
		echo "The username and password combination does not exist in the database <font face='Verdana' size='2' color=red>$msg</font><br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>"; die();
	}  

$oldpass = md5($oldpass); 

if  ($oldpass == $results){
$msg = $msg."Old Password is the same as the old password <br>";
$status = "NOTOK";}
and it is coming back the following:


Array ( [0] => e10adc3949ba59abbe56e057f20f883e [password] => e10adc3949ba59abbe56e057f20f883e )
array
0 => string 'e10adc3949ba59abbe56e057f20f883e' (length=32)
'password' => string 'e10adc3949ba59abbe56e057f20f883e' (length=32)

Thanks
Your password changed successfully. Please keep changing your password for better security

So I am not sure why it is allowing the password to be changed since I am putting in a different password than what is in the database.

Is it possible since the password is in MD5 on the db that it can not be pulled and has to be converted from MD5 to plain text to compare? If so, how?
  #4 (permalink)  
Old 12-04-11, 04:39 PM
phplabs phplabs is offline
 
ok, so at first you set $status to OK. then from both posts i can see the following if clauses where $status might be changed to NOTOK.

if ($oldpass == $results){
// will never pass because $results is a resource and $oldpass is a string

if ($password === $q1){
// will never pass because $q1 is an array and $password is a string

if ($oldpass == $q1){
// will never pass, same as above

if ( strlen($password) < 3 or strlen($password) > 10 ){
// will break if password too short/long

if ( $password <> $password2 ){
// will break if the passwords don't match

the only cases when you will have OK changed to NOTOK is 1) password length; 2) password <> password2. it means that it doesn't matter whether you enter a good or a bad password - $status will remain OK in both cases and thus your password gets always changed.
__________________
blog.phplabs.net
  #5 (permalink)  
Old 12-12-11, 11:07 PM
kfurlong kfurlong is offline
 
Okay. I think I know what you are trying to do and I think I see your problem. If you have fixed the problems stated above, then your only problem left is that you are comparing to see if it does match, and if so then it is not okay, but you really want to see if it's not matching to make it not okay. Sooooo change this:

if ($oldpass == $q1){
$msg=$msg."Old Password does not match the database <br>";
$status= "NOTOK";}

To
PHP Code:

if ($oldpass <> $q1['password']){

$msg=$msg."Old Password does not match the database <br>";
$status= "NOTOK";}
Reply With Quote
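
An added example, not part of the original thread or any poster's code: the old-password check the replies converge on (compare the submitted value against the hash string in the fetched row, and reject on mismatch), written with PDO prepared statements and `password_hash()`/`password_verify()` in place of the `mysql_*` functions and unsalted MD5. The `users` table, the 12-character minimum and the in-memory SQLite demo data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Returns a list of error messages; an empty list means the password was changed.
function changePassword(PDO $db, string $user, string $old, string $new, string $confirm): array
{
    // Prepared statement: the username is bound, never spliced into the SQL string.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();          // the hash as a string, or false if no such user
    if ($stored === false) {
        return ['Username or password is incorrect'];
    }

    // Legacy rows hold unsalted MD5 (32 hex chars) as in the thread;
    // newer rows hold password_hash() output.
    $isLegacy = strlen($stored) === 32 && ctype_xdigit($stored);
    $oldOk = $isLegacy
        ? hash_equals($stored, md5($old))    // string against string, constant-time
        : password_verify($old, $stored);

    $errors = [];
    if (!$oldOk)           $errors[] = 'Old password does not match the database';
    if ($new === $old)     $errors[] = 'New password is the same as the old password';
    if (strlen($new) < 12) $errors[] = 'Password must be at least 12 characters'; // assumed policy
    if ($new !== $confirm) $errors[] = 'Both passwords are not matching';
    if ($errors) {
        return $errors;                      // nothing is written unless every check passed
    }

    // Store a salted, slow hash instead of MD5; this also upgrades legacy rows.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return [];
}

// Constructed demo data: in-memory SQLite with one legacy MD5 row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(['alice', md5('old-secret-1')]);

// Wrong old password: rejected, row untouched. Correct old password: row rehashed.
print_r(changePassword($db, 'alice', 'wrong-guess', 'a-much-longer-pass', 'a-much-longer-pass'));
print_r(changePassword($db, 'alice', 'old-secret-1', 'a-much-longer-pass', 'a-much-longer-pass'));
echo $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn(), "\n";
```

The MD5 digest never has to be turned back into plain text: the submitted old password is hashed the same way and the two hash strings are compared.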