PHP/MySQLi Creating a Forum - Part 15 - Password Change Form

Introduction:
This tutorial continues my series on creating a forum in PHP/MySQLi/HTML. This part covers a change-password form for the user.

Pre-creation:
First you will need a host for your PHP; either a web host or localhost is fine, but you will need PHP and MySQL(i) capabilities. This part does not cover creating users or styling the pages. To get the logged-in user's username, we will use $_SESSION['username'] from my login script; you can find that tutorial on my profile page. You will also need to go through all the previous parts of this tutorial series, which can all be found on my profile tracking page.

Account Page Editing:
Before we can do anything with processing the information, we need the information. So we are going to add a simple HTML form to our accountPage.php page, with some instructions for the user to enter their current/previous password and a new password to change it to...
    <br/>
    <h1>Change Password:</h1>
    <form action='accountPage.php' method='POST'>
    <table>
    <tbody>
    <tr>
    <!-- type='password' masks the value as it is typed -->
    <td>Current Password: </td><td><input type='password' name='curPass' /></td>
    </tr>
    <tr>
    <td>New Password: </td><td><input type='password' name='newPass' /></td>
    </tr>
    <tr>
    <td></td><td><input type='submit' value='Change Password' name='changePass' /></td>
    </tr>
    </tbody>
    </table>
    </form>
PHP:
Now that we can get the information from the user through the HTML form, we can process it. First we get the user's current password and make sure that the string entered as the current password in the HTML form matches it. If it does, we update the password in the users table with the new password entered into the HTML form. All of this is done inside a check to see whether the submit button was pressed. We also output the outcome...
    // $con (the mysqli connection) and the started session come from earlier parts of this series.
    if (isset($_POST['changePass']) && isset($_POST['newPass']) && isset($_POST['curPass']) && $_POST['curPass'] != '' && $_POST['newPass'] != '') {
        // Hash both values with MD5, the format the users table stores
        $new = $_POST['newPass'];
        $new = md5($new);
        $cur = $_POST['curPass'];
        $cur = md5($cur);
        $user = $_SESSION['username'];
        // Look up the logged-in user's row ($user is placed directly into the query text)
        $q = mysqli_query($con, "SELECT * FROM `users` WHERE `username`='$user'");
        if (mysqli_num_rows($q) > 0) {
            $info = mysqli_fetch_array($q);
            // Only update when the entered current password matches the stored hash
            if ($info['password'] == $cur) {
                // mysqli_error() needs the connection; mysql_error() belongs to the old mysql extension
                $qq = mysqli_query($con, "UPDATE `users` SET `password`='$new' WHERE `username`='$user'") or die(mysqli_error($con));
                if ($qq) {
                    echo 'Updated password!';
                } else
                    echo 'Failed to update your password.';
            } else
                echo 'Your entered current password was not correct. Please try again.';
        } else
            echo 'Your username was not found in our users database!';
    }
That should update our password with a new MD5-hashed password which was entered in the 'New Password' field of the HTML form. We could also add a confirmation of the new password by adding an extra 'New Password (Confirm)' input to our table...
    <tr>
    <td>New Password (confirm): </td><td><input type='password' name='newPass2' /></td>
    </tr>
Then we check that the two new password fields match (before hashing them; we could do it after, but there's no point in hashing both fields if they are the same)...
    if (isset($_POST['changePass']) && isset($_POST['newPass']) && isset($_POST['newPass2']) && isset($_POST['curPass']) && $_POST['curPass'] != '' && $_POST['newPass'] != '' && $_POST['newPass2'] != '') {
        $new = $_POST['newPass'];
        $new2 = $_POST['newPass2'];
        // Compare the two new passwords before hashing anything
        if ($new == $new2) {
            $new = md5($new);
            $cur = $_POST['curPass'];
            $cur = md5($cur);
            $user = $_SESSION['username'];
            // Look up the logged-in user's row ($user is placed directly into the query text)
            $q = mysqli_query($con, "SELECT * FROM `users` WHERE `username`='$user'");
            if (mysqli_num_rows($q) > 0) {
                $info = mysqli_fetch_array($q);
                // The stored hash is not echoed to the page; compare it server-side only
                if ($info['password'] == $cur) {
                    // mysqli_error() needs the connection; mysql_error() belongs to the old mysql extension
                    $qq = mysqli_query($con, "UPDATE `users` SET `password`='$new' WHERE `username`='$user'") or die(mysqli_error($con));
                    if ($qq) {
                        echo 'Updated password!';
                    } else
                        echo 'Failed to update your password.';
                } else
                    echo 'Your entered current password was not correct. Please try again.';
            } else
                echo 'Your username was not found in our users database!';
        } else
            echo 'The two new passwords did not match. Please ensure they match and that the current password field is correct then try again.';
    }
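
Added example, not the tutorial author's code: the same change-password check with mysqli prepared statements for both queries and password_hash()/password_verify() in place of unsalted MD5, while still accepting the 32-character MD5 values the code above stores so existing accounts are upgraded on their next change. It assumes the $con connection and users table from this series, a password column widened to VARCHAR(255), and a hypothetical function name changePassword().

```php
<?php
// Added example (not the tutorial's code). Assumes $con is the mysqli connection
// from earlier parts and that `users`.`password` is VARCHAR(255).
function changePassword(mysqli $con, string $user, string $cur, string $new, string $new2): string
{
    if ($cur === '' || $new === '' || $new2 === '') {
        return 'Please fill in all fields.';
    }
    if ($new !== $new2) {
        return 'The two new passwords did not match.';
    }

    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = mysqli_prepare($con, 'SELECT `password` FROM `users` WHERE `username` = ?');
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $stored);
    $found = mysqli_stmt_fetch($stmt);   // true, or null/false when no row
    mysqli_stmt_close($stmt);
    if (!$found) {
        return 'Your username was not found in our users database!';
    }

    // Rows written by the tutorial hold md5() hex; upgraded rows hold password_hash() output.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', (string) $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($cur))     // constant-time comparison
        : password_verify($cur, (string) $stored);
    if (!$ok) {
        return 'Your entered current password was not correct. Please try again.';
    }

    // Store a salted, deliberately slow hash instead of MD5.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($con, 'UPDATE `users` SET `password` = ? WHERE `username` = ?');
    mysqli_stmt_bind_param($stmt, 'ss', $hash, $user);
    $done = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $done ? 'Updated password!' : 'Failed to update your password.';
}

// Same trigger as the tutorial's form: run only when the submit button was pressed.
if (isset($_SESSION['username'], $_POST['changePass'], $_POST['curPass'], $_POST['newPass'], $_POST['newPass2'])) {
    echo htmlspecialchars(changePassword($con, $_SESSION['username'],
        $_POST['curPass'], $_POST['newPass'], $_POST['newPass2']));
}
```

The login script has to verify passwords the same way (MD5 fallback for old rows, password_verify() for upgraded ones), otherwise accounts upgraded here can no longer log in.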

Comments

Submitted by omoyeni (not verified) on Sun, 05/18/2014 - 14:48

Nice code, but it would be better to prevent SQL injection by including prepared statements in your code.

Submitted by navchow (not verified) on Sat, 07/30/2016 - 13:34

In case I want the user to enter the username and then the new & confirm password, what changes need to be done within the code?
