variable in PHP not parsing in SQL but ok in echo
Question
I am trying to make a page for the user to change their password when they want, not had any issues with this until now.
I have set the $Username variable, and call it in the SQL Statement along with $oldpw variable.
When I echo the query, the username is always missing. if I reverse Password & Username, Username is still missing. if I echo the variable on its own, it's there.
Regarding Password Security:
I realize the passwords are not fully protected, but they don't need to be as this is being run on an internal system, which has all the required encryption to get in to it in the first place.
Below is the code & results from a test account with U: Admin & P: Admin
<?php
include('SQLFunctions.php');
include('session.php');
session_start();
$link = f_sqlConnect();
$oldpw = ($_POST['oldpw']);
$newpw = ($_POST['newpw']);
if(!isset( $_POST['oldpw']))
{
$message = 'Please enter a your old password';
}
elseif (strlen( $_POST['newpw']) > 20 || strlen($_POST['newpw']) < 4)
{
$message = 'incorrect length for new password';
}
elseif (ctype_alnum($_POST['newpw']) != true)
{
$message = "New password must be alpha numeric";
}
elseif ($_POST['newpw'] <> $_POST['conpw'])
{
$message = "Your new passwords do not match";
}
elseif(!empty($_POST)) {
$UserID = $_POST['q'];
$oldpwd = filter_var($_POST['oldpwd'], FILTER_SANITIZE_STRING);
$newpwd = filter_var($_POST['newpwd'], FILTER_SANITIZE_STRING);
try {
$Username = $_SESSION['Username'];
$oldpw = Sha1($oldpw);
$newps = Sha1($newpw);
// check whether username exists and check that $oldpass is correct
$query = "SELECT Password FROM Users WHERE Password='".$oldpw."' AND Username='".$Username."'";
$result = mysqli_query($link, $query);
if(!$result){
$message = "<p class='message'>Error: Your username and or password are incorrect.</p>" ;
}else{
// Test with mysqli_num_rows()
if (mysqli_num_rows($result) > 0) {
$query = "
UPDATE
Users
SET
Password = '$newpw'
,Updated_by = '$Username'
,LastUpdated = NOW()
WHERE
Username = '$Username'";
mysqli_query($link, $query) or
die("Insert failed. " . mysqli_error($link));
$message = "<p class='message'>Your password has been changed</p>";
mysqli_free_result($result);
}
else {
// Username or password is incorrect
$message = "<p class='message'>Error: Your username and password do not match.</p>" ;
}
}
} catch(Exception $e) { $message = "Unable to process request";
}
}
?>
<html>
<head>
<title>
SVBX - Update Password
</title>
<link rel="stylesheet" href="styles.css" type="text/css"/>
</head>
<body>
<?php include('filestart.php') ?>
<p><?php echo $message;
echo "<br>Query: ".$query;
echo "<br>Username :" .$Username;
echo "<br>UserID :" .$UserID;?></p>
<?php include('fileend.php') ?>
</body>
</html>
So when I run this I get the following echos:
Error: Your username and password do not match.
Query: SELECT Password FROM Users WHERE
Password='4e7afebcfbae000b22c7c85e5560f89a2a0280b4' AND Username=''
Username :Admin
UserID :18
I just can't see what the issue is, appreciate someone pointing out the obvious for me.
Thank you all.
2 answers
solution1
0 2018-03-07 17:51:04
However there are a session related issue. You've included session.php which might contain some session related task. Again you've started session in the next line.
I think $Username received null from $_SESSION . But before you print the username you've included filestart.php . However the variable $Username has been initialized inside that file.
solution2
0 2018-03-07 18:22:30
So I managed to get the script to work, but it doesn't resolve the issue of why I am losing the $_SESSION Info.
I amended the previous pages form, where I know the session information was working, and sent the username to this page using $_POST .
It all worked and the password can be changed.
A work around more than a solution. Thank you everyone for your efforts to help.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.