Tycoon Talk

PHP Forum


Changing someones details.
Old 10-05-2004, 04:32 AM Changing someones details.
lothop's Avatar
Ultra Talker

Posts: 303
Trades: 0
Howdy yall?

I'm wondering how I would go about letting members change their password.

They are logged in, and I have stored their username in a session/cookie and can access it fine.

I have a page where they can fill in the fields current password, new password, and confirm their password.

I'm trying to create a function (to place in my functions page) to change their password.

In the form it posts their current password ($old_password), their desired password ($password) and their confirmed password ($password_confirm).

It then passes the information to a page, which then loads the function.

PHP Code:
if ($functions->changepassword($old_password, $password, $password_confirm)) {
(that is how it calls the function)

So. When it's at the function.

PHP Code:
function changepassword($old_password, $new_password, $confirm_password) {
    // Check the current password. The username is read from the cookie
    // and concatenated into the query as-is.
    if ($this->sql->Select("SELECT COUNT(*) FROM ".$this->TABLES['users']." WHERE username = '".$_COOKIE['usernamecookie']."' AND password = '".md5(strtolower($old_password))."'")) {
        // New password and its confirmation must pass validation.
        if ($this->isValidPassword($new_password, $confirm_password)) {
            if ($this->sql->Update("UPDATE ".$this->TABLES['users']." SET password = '".md5(strtolower($new_password))."' WHERE username = '".$_COOKIE['usernamecookie']."'")) {
                return true;
            } else {
                $this->appendError("Unable to change password!");
                return false;
            }
        } else {
            return false;
        }
    } else {
        return false;
    }
}
(this was just me thinking, I think most will be wrong. I don't wanna try it on a limb just in case I break something again)

Looking through it, it looks ok. But I would value any input on this matter.
Thanks,
Lothop
Old 10-05-2004, 10:35 AM
ibbo's Avatar
Super Spam Talker

Posts: 880
Location: Leeds UK
Trades: 0
It looks fine.

I go about it differently though.

We use security questions like (pet's name), when they pass this test they can then add the old and new passwords, if old matches ok then update it with the new. I then mail the user the new password with text in it like (your account password has been changed, your new passwd is %^&*£)

You should make a dummy user and test it out. Alternatively have a dev area on the site where you can tinker with stuff and get things working without being live. Then you reduce the risk of making a mess of things.

Ibbo
 
Old 10-05-2004, 09:55 PM
Gaffer Sports's Avatar
Ultra Talker

Posts: 397
Name: Steve
Location: Scotland
Trades: 1
Why are you using cookies in a change password environment?

There should be no need to match a cookie as you are asking the previous password before accepting the new password. Ibbo has also mentioned the functionality of a security question, which gives a second layer of security.

Without going into the full code, you should have pseudo of this or similar:

If user is logged in Then ask for old password
Check database for username and password
If password is confirmed Then extract security question
Ask security question
If Security question is confirmed Then
Ask for new password Input
If new password is present Then
Ask for a second entry
If second entry is a match Then
Send info to database and update for user

This is a basic password change function, but a secure one. No need for cookies, as long as the user is logged in.

If you need a code explanation, then I can give it, but it is always easier to work on pseudo first.

Steve.
Last edited by Gaffer Sports; 10-05-2004 at 10:01 PM..
 
Old 10-06-2004, 01:26 AM
lothop's Avatar
Ultra Talker

Posts: 303
Trades: 0
With sessions, if someone closes down their browser, it forgets them, so they have to log in again. With cookies you can set an expiry date and it saves people the hassle of logging in, again and again. I store the person's username in the cookie. So if they close down the browser, then load it back up in 2 days' time, and wanna change their password, they can do it if they want to.

I hear you thinking, *security risk*?

The user can always logout (expires cookie). And they must know their old password to change to a new one.

Security Question = They have to know their current password to change it. So it's kinda like a security question.

To enter in a security question field, every member will have to change their details etc. So that they actually have one, due to the fact that members have signed up already without a security question. Testing their current password should fix that problem.

Thanks for your advice, and I appreciate you guys taking a look at the code and suggesting what you might change.

ibbo, I'm gonna set up that email thingy you suggested. It's a good idea.

I hope I have gone into everything,
Thnx,
Lothop
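
As an added example (not code from any poster in this thread): the change-password check discussed above, with the account taken from the server-side session instead of a client-supplied cookie, placeholders instead of string-built SQL, and password_hash()/password_verify() in place of md5(strtolower(...)). The `users` columns, the `$_SESSION['user_id']` key, the 12-character minimum and the in-memory SQLite data are assumptions made for the demo.

```php
<?php
// Hardened password change (added example, not the original poster's code).
// Assumed: a `users` table with `id` and `password_hash` columns, and that
// the login code stored the account id in $_SESSION['user_id'].

function changePassword(PDO $db, int $userId, string $old, string $new, string $confirm): array
{
    if ($new !== $confirm) {
        return [false, 'New password and confirmation do not match.'];
    }
    if (strlen($new) < 12) {  // assumed policy, adjust to your own
        return [false, 'New password is too short.'];
    }

    // The id comes from the server-side session, so the browser cannot
    // choose which account is checked. Placeholders keep all values out
    // of the SQL text.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn();

    // password_verify() compares against a salted, slow hash; the password
    // is not lower-cased first, so its case still counts.
    if ($hash === false || !password_verify($old, $hash)) {
        return [false, 'Current password is incorrect.'];
    }

    $stmt = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
    return [$stmt->rowCount() === 1, null];
}

// Constructed demo data: in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['demo_user', password_hash('Old-Passw0rd-example', PASSWORD_DEFAULT)]);

$userId = 1; // in the application: (int) $_SESSION['user_id'], set at login

// Wrong current password is rejected; the correct one updates the row.
var_dump(changePassword($db, $userId, 'wrong-guess', 'New-Passw0rd-example', 'New-Passw0rd-example')[0]);
var_dump(changePassword($db, $userId, 'Old-Passw0rd-example', 'New-Passw0rd-example', 'New-Passw0rd-example')[0]);
```

Accounts that still hold md5() hashes would need to be re-hashed with password_hash() at their next successful login; that migration is not shown here.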
 