nikomou
12-16-2008, 03:50 PM
hey, I have the following code which seems to update the password, even if the old password is incorect, how can I fix this for extra security? Thanks
<?php
require_once "user.php";
echo ("<div class=\"padding\">");
echo ("Hello <strong>$USACCName</strong>, Welcome to your account page!<br>");
echo ("Here you'll be able to view all your reviews and recieve special offers from participating partners!");
echo ("</div>");
$con = mysql_connect("localhost", "xxx_xxx", "xxx") or die(mysql_error());
$db = mysql_select_db("xxx_xxx", $con);
if(!$_POST['submit']){
echo("<div class=\"reviewcss\">
<form method=\"post\" class=\"cssform\" action=\"account.html\">
<p>
<label for=\"currentpassword\">Current Password</label>
<input type=\"password\" name=\"oldpassword\">
</p>
<p>
<label for=\"password\">New Password</label>
<input type=\"password\" name=\"password\">
</p>
<p>
<label for=\"password\">Confirm</label>
<input type=\"password\" name=\"passconf\">
</p>
<div style=\"margin-left: 150px;\">
<input type=\"submit\" name=\"submit\" value=\"Update\">
</div>
</form>
");
} else {
echo("<div class=\"reviewcss\">");
$oldpassword = $_POST['oldpassword'];
$password = $_POST['password'];
$confirm = $_POST['passconf'];
$errors = array();
if(!$password){
$errors[] = "Your New Password has not been defined!";
}
if($password){
if(!$confirm){
$errors[] = "Confirmation password has not been defined!";
}
}
if($password && $confirm){
if($password != $confirm){
$errors[] = "Your Passwords do not match!";
}
}
if(count($errors) > 0){
foreach($errors AS $error){
echo $error . "<br>\n";
}
}else {
$sql4 = "UPDATE users SET password='".md5($password)."' WHERE id='$USACCID' AND password='".md5($oldpassword)."'";
$res4 = mysql_query($sql4) or die(mysql_error());
echo "You have successfully updated your password.</strong><br>";
}
echo("<br><br></div>");
}
?>
<?php
require_once "user.php";
echo ("<div class=\"padding\">");
echo ("Hello <strong>$USACCName</strong>, Welcome to your account page!<br>");
echo ("Here you'll be able to view all your reviews and recieve special offers from participating partners!");
echo ("</div>");
$con = mysql_connect("localhost", "xxx_xxx", "xxx") or die(mysql_error());
$db = mysql_select_db("xxx_xxx", $con);
if(!$_POST['submit']){
echo("<div class=\"reviewcss\">
<form method=\"post\" class=\"cssform\" action=\"account.html\">
<p>
<label for=\"currentpassword\">Current Password</label>
<input type=\"password\" name=\"oldpassword\">
</p>
<p>
<label for=\"password\">New Password</label>
<input type=\"password\" name=\"password\">
</p>
<p>
<label for=\"password\">Confirm</label>
<input type=\"password\" name=\"passconf\">
</p>
<div style=\"margin-left: 150px;\">
<input type=\"submit\" name=\"submit\" value=\"Update\">
</div>
</form>
");
} else {
echo("<div class=\"reviewcss\">");
$oldpassword = $_POST['oldpassword'];
$password = $_POST['password'];
$confirm = $_POST['passconf'];
$errors = array();
if(!$password){
$errors[] = "Your New Password has not been defined!";
}
if($password){
if(!$confirm){
$errors[] = "Confirmation password has not been defined!";
}
}
if($password && $confirm){
if($password != $confirm){
$errors[] = "Your Passwords do not match!";
}
}
if(count($errors) > 0){
foreach($errors AS $error){
echo $error . "<br>\n";
}
}else {
$sql4 = "UPDATE users SET password='".md5($password)."' WHERE id='$USACCID' AND password='".md5($oldpassword)."'";
$res4 = mysql_query($sql4) or die(mysql_error());
echo "You have successfully updated your password.</strong><br>";
}
echo("<br><br></div>");
}
?>