prepared statement
nice code but it will be better to prevent sql injection by including prepared statement in your codes.
<br/> <h1>Change Password:</h1> <form action='accountPage.php' method='POST'> <table> <tbody> <tr> </tr> <tr> <td>New Password: </td><td><input type='text' name='newPass' /></td> </tr> <tr> <td></td><td><input type='submit' value='Change Password' name='changePass' /></td> </tr> </tbody> </table> </form>
$new = $_POST['newPass']; $cur = $_POST['curPass']; $user = $_SESSION['username']; if ($info['password'] == $cur) { $qq = mysqli_query($con, "UPDATE `users` SET `password`='$new' WHERE `username`='$user'") or die(mysql_error()); if ($qq) { echo 'Updated password!'; }else echo 'Failed to update your password.'; }else echo 'Your entered current password was not correct. Please try again.'; }else echo 'Your username was not found in our users database!'; }
<tr> <td>New Password (confirm): </td><td><input type='text' name='newPass2' /></td> </tr>
$new = $_POST['newPass']; $new2 = $_POST['newPass2']; if ($new == $new2) { $cur = $_POST['curPass']; $user = $_SESSION['username']; echo $info['password'].' : '.$cur; if ($info['password'] == $cur) { $qq = mysqli_query($con, "UPDATE `users` SET `password`='$new' WHERE `username`='$user'") or die(mysql_error()); if ($qq) { echo 'Updated password!'; }else echo 'Failed to update your password.'; }else echo 'Your entered current password was not correct. Please try again.'; }else echo 'Your username was not found in our users database!'; }else echo 'The two new passwords did not match. Please ensure they match and that the current password field is correct then try again.'; }