Hi all,
Im about ready to pull out my hair because ive been trying for days to fix this error without sucess. i have a password change script for my program and if you submit the form with all fields blank it should send you to an error page, but insted it ignores the if statement that controls that, and simply makes the password "".

Here is my code. the post info comes from an html form on another page


<?php

session_start();

$host="localhost"; // Host name

$username="xxxxxxxxxxxxxxxxxx"; // Mysql username

$password="xxxxxxxxxxxxxxxxxx"; // Mysql password

$db_name="xxxxxxxxxxxxxxxxxx"; // Database name

$tbl_name="users"; // Table name

// Connect to server and select databse.

mysql_connect("$host", "$username", "$password")or die("cannot connect");

mysql_select_db("$db_name")or die("cannot select DB");

$username = $_SESSION["username"];

$newpassword = $_POST['newpassword'];

$repeatnewpassword = $_POST['repeatnewpassword'];

if (empty($newpassword)){
header("location:admin.pwd-change2.php");
}
if (empty($repeatnewpassword)){
header("location:admin.pwd-change2.php");
}

$result = mysql_query("SELECT password FROM $tbl_name WHERE username='$username'");


if(!$result)
{
header("location:admin.pwd-change2.php");
}

if ($row = mysql_fetch_assoc($result))
{
header("location:admin.pwd-change2.php");
}

if($newpassword==$repeatnewpassword)

$sql=mysql_query("UPDATE $tbl_name SET password='$newpassword' where username='$username'");

if($sql)
{
header("location:admin.pwd-change1.php");
}
else
{
header("location:admin.pwd-change2.php");
}

?>

Any help would be appreciated,

server is apache2 and php5.

Thanks In Advance,

-JL Griffin

is this the line you're having issues with?


if (empty($newpassword)){
header("location:admin.pwd-change2.php");
}

if it's not "empty," check what it is:
if (empty($newpassword)){
header("location:admin.pwd-change2.php");
}else{ var_dump($newpassword); die(); }

@ggalan Yes that and the same line for $repeatnewpassword which is right below it.

@traq that had the same result, making the database field empty. was it supposed to clear the variable, or tell me what it was? i tried echoing the variables by commenting out everything after the assigning of $newpassword & $repeatnewpassword and just going
echo $newpassword;
echo $repeatnewpassword;
echo '<br>';
echo 'Page has displayed! there are no errors! if its blank thats because the fields are null!';


and i wound up with a blank page bearing only the text "Page has displayed! there are no errors! if its blank thats because the fields are null!"

I cannot figure this out!

the post info comes from an html form on another page

then are you passing in that variable? i dont see a $_SESSION variable in there

then are you passing in that variable? i dont see a $_SESSION variable in there

no its $_POST['field-name']
the only $_SESSION should be the session registered username, so that the script knows which account to change the password for. if i were to type '123456' into the newpassword and newpassword fields on my html form, it DOES make newpassword and repeatnewpassword = '123456' and it would change the password properly. I just cant get it to make an error if they press change password on the form and they dont type anything in! A lack of password is a security risk

Even Still though, if i wasnt passing a variable, the field should come up empty and redirect to the error page instead of changing the password to blank.

1) Whenever you redirect to a new page, you need to kill the rest of the script. Most of the time, script execution stops after you redirect using header(), but there's nothing that says it must stop, and sometimes the script will continue to run.
if( $whatever ){
header("Location: otherpage.php");
exit();
}

2) did you try var_dump($newpassword)? what was the output?



Sorry, I caught it:

// incorrect
// header("location:admin.pwd-change2.php");
// should be
header("Location: admin.pwd-change2.php");
note the capitalization and spacing.
that's assuming the url is correct, of course.

you should still exit() after redirecting via header(). That way, nothing else unintended will happen.
in addition, you should enable error reporting when you are developing your scripts (that way, you would've gotten an error about the header() command being malformed).

@traq Thanks, The caps and space did the trick. Its always the little things. lol.

Thanks,
-JL

no problem. my note about error messages stands, though; you probably would have solved this yourself (a few days ago) if you had error_reporting(-1);.

If your question has been answered, please mark your thread "resolved":
On your original post (post #1), click [edit], then click [go advanced]. In the "thread prefix" box, select "Resolved". Click [save changes].