Need help locating my mistake in a change password script

Everything is working down to the update query. I have the userid, I have the password, and then nothing happens.

if ($p) { // If everything's OK.
    echo $u.'<br />'; echo $p.'<br />'; // this echoes the correct information

    // Make the query.
    $query = "UPDATE users_tbl SET pass = SHA('$p'+'salt') WHERE user_id='$u'";
    echo $query; echo '<br />';
    $result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());

    if (mysql_affected_rows() == 1) { // If it ran OK.
        // Send an email, if desired.
        echo '<h3>Your password has been changed.</h3><br /><p>Return to <a href="/">home</a></p>';
        $query3 = "UPDATE users_tbl SET chng_pass=('no') WHERE user_id='$u'";
        $result3 = mysql_query ($query3) or trigger_error("Contact site administrator");
    } // end of the if it ran ok conditional
} // end of the if ($p) conditional

I get the echo of userid and password. I get the echo of the query. The password does not change.

I suspect I have done something stupid, but I cannot see it.

try

$result = mysql_query ($query) or die(mysql_error());

and see what the error message is.

echo $query;

Similarly, copy and paste the output of that directly into your database and see what messages you get.

i’m going to guess that your problem is here –

SHA('$p'+'salt')

in mysql, you are not allowed to add two strings :smiley:

Thanks. I suspect I now have to go through all my code and locate every location that I did a $p+salt and modify that code.

I added a line of $ps=$p.'salt' and changed the MySQL to fit that and it worked.

Crikey, I bet you wish you had centralised that particular piece of code then …

or you could just do this –

SHA(CONCAT('$p','salt'))

:slight_smile:

Cups - Yes, but when I started this project, I didn’t know very much at all. This has been a major learning project and now that I am about finished, I will go through and centralize the code. I did know enough to do that with the database log-in information and a log-in verification.

r937 - cool. I will give that a test tonight when I get home to my computer.

@CSU-Bill the good lessons are the hard lessons.

@Cups ouch!!! :slight_smile:

You are so correct. But, the information gained this way is likely to stick for at least a day or two. :slight_smile:

Well, hopefully they stay with you all your working life!

I think a lot depends on how quickly you find a dependable solution you should have adopted, and whether you take the time/trouble to refactor your code – well with me it does, but I am aware of my own shortcomings – many people just learn the lesson and move on, I have to really etch it on granite before it sticks.

I now have commented out all of my testing echo statements, and verified that it all works. Now I start learning how I should have been writing the code.

I used the SHA($p+'salt') three times in this project. Twice was changing the password and then once verifying the password during log-in.

How would I centralize this code?

Only 3 times? Don’t over-worry about that then.

The general rule I am aware of runs something like this:

If you write something you already wrote somewhere else, wince, but ignore it and carry on.

If you then write it again – seriously consider going back and writing a function/class/include that does this work.

From what you said I guess you are setting/resetting a password.

Not thoroughly sure, but perhaps you should be looking along the lines of accomplishing this in your user-land code.


<?php

include 'setpassword.php';

if( setPassword($u, $p) ){
    // emailConfirmation(); //?
}
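
One way to centralize the set and verify steps discussed above, as an added example that is not code from the thread: it swaps the SHA-plus-fixed-salt scheme for PHP's password_hash()/password_verify() and the mysql_* calls for PDO prepared statements. The $db parameter, verifyPassword() and the in-memory SQLite demo table are assumptions; users_tbl, pass, chng_pass and user_id are the names used in the question.

```php
<?php
// setpassword.php: added example, not code from the thread.
// Assumptions: PDO is available; users_tbl.pass is wide enough for
// password_hash() output (e.g. VARCHAR(255)); verifyPassword() and the
// $db parameter are hypothetical additions.

// Store a new password hash for one user; true only if exactly one row changed.
function setPassword(PDO $db, $userId, $plain)
{
    if ($plain === '') {
        return false;
    }
    // password_hash() generates a random per-user salt and embeds it in the hash.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    // Placeholders keep $userId and $hash out of the SQL text.
    $stmt = $db->prepare(
        "UPDATE users_tbl SET pass = ?, chng_pass = 'no' WHERE user_id = ?"
    );
    $stmt->execute([$hash, $userId]);
    return $stmt->rowCount() === 1;
}

// Check a login attempt against the stored hash.
function verifyPassword(PDO $db, $userId, $plain)
{
    $stmt = $db->prepare("SELECT pass FROM users_tbl WHERE user_id = ?");
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($plain, $hash);
}

// Constructed demo: an in-memory SQLite table standing in for the MySQL one.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE users_tbl (user_id INTEGER PRIMARY KEY, pass TEXT, chng_pass TEXT)");
    $db->exec("INSERT INTO users_tbl (user_id, pass, chng_pass) VALUES (1, '', 'yes')");

    var_dump(setPassword($db, 1, 'correct horse'));    // change succeeds
    var_dump(verifyPassword($db, 1, 'correct horse')); // right password
    var_dump(verifyPassword($db, 1, 'wrong guess'));   // wrong password
    var_dump(setPassword($db, 99, 'no such user'));    // unknown user_id
}
```

Hashes already stored with the old SHA scheme will not pass password_verify(), so existing users would need a password reset or a one-time rehash at their next successful log-in.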

Thanks for pointing me in the correct direction. I should have my code cleaned up by the end of this weekend and move on to some of my wife’s honey do list. :slight_smile: