Validate and change user password with PHP

1

I'm trying to make the code check if the passwords are identical and, if they are, save it in the DB, but I do not know what's wrong: it behaves the same regardless of whether they are identical or not.

if (isset($_POST['salvar-senha'])) {

    $usr_id         = $_SESSION['usr_id'];
    $senha_atual    = md5(strip_tags($_POST['senha_atual']));
    $senha_nova     = md5(strip_tags($_POST['senha_nova']));
    $confirme_senha = md5(strip_tags($_POST['confirme_senha']));

    $sql = mysql_query("SELECT usr_password FROM users WHERE usr_login = '$usr_id' ");
    $row = mysql_fetch_array($sql);
    $senha_banco = $row['usr_password'];

    if ($senha_atual == "" && $senha_nova == "" && $confirme_senha == "") {
        echo "
            <script>
                alert('Os campos das senhas não podem ser nulos.');
                window.location='../configuracoes.php';
            </script>";
    } else {
        if (($senha_atual != $senha_banco) && ($senha_nova != $confirme_senha)) {
            echo "
                <script>
                    alert('As senhas não conhecidem.');
                    window.location='../configuracoes.php';
                </script>";
        } else {
            if ($result = mysql_query("UPDATE users SET usr_password = '$confirme_senha' WHERE usr_id = '$usr_id' ")) {
                echo "
                    <script>
                        window.location='../configuracoes.php?success=yes';
                    </script>";
            }
        }
    }
}
    
asked by anonymous 17.05.2014 / 04:18

2 answers

6

You have a logic error here:

if (($senha_atual != $senha_banco) && ($senha_nova != $confirme_senha) )

This is only true if the person gets both things wrong, i.e. a wrong current password AND a new password that does not match its confirmation. In any other situation (except all fields blank), the password is saved.

You fix this by treating either of the two situations as an error (not only both together), that is, using an OR instead of an AND:

if (($senha_atual != $senha_banco) || ($senha_nova != $confirme_senha))

You can also think of it the other way round: it should only save if the current password is correct AND the new ones match:

if (($senha_atual === $senha_banco) && ($senha_nova === $confirme_senha)) {
    // save

Otherwise, give a generic error message (do not help anyone who is trying to circumvent the system):

} else {
    // error: current password incorrect or the new ones do not match
}

Incidentally, the embedded JavaScript could be replaced with PHP's own redirects, storing the error messages in the session.

    
17.05.2014 / 04:29
0

Check your logic: it seems to be using the logical operator && (AND) where you intend || (OR).

Just change the operators in the first and second if.

A remark, no offence intended: the correct wording is "the passwords do not match."

    
17.05.2014 / 04:33
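Both answers make the same point: the two failure conditions must be joined with || so that a wrong current password or a mismatched confirmation each block the change on its own. The following is an added example, not code from the question or from either answer, that puts that corrected check into a function and wires it to an in-memory SQLite table so it runs offline. It keeps the question's table and column names (users, usr_id, usr_password) but looks the user up by usr_id in both queries, replaces md5() with password_hash()/password_verify(), uses a prepared statement instead of string interpolation, and returns a status for the caller to act on rather than echoing JavaScript. The demo user and the sample passwords are constructed here.

```php
<?php
// Added example (not from the question or either answer): password-change
// validation with the corrected || logic, backed by an in-memory SQLite table.
declare(strict_types=1);

/**
 * Validate a password-change request.
 * Returns null when the change may proceed, otherwise a generic error key.
 * The two failure conditions are joined with || (the fix from the answers):
 * a wrong current password OR a mismatched confirmation must each block the change.
 */
function validatePasswordChange(string $current, string $new, string $confirm, string $storedHash): ?string
{
    // Reject any blank field, not only the case where all three are blank.
    if ($current === '' || $new === '' || $confirm === '') {
        return 'empty';
    }
    // password_verify() replaces the md5() comparison; both causes get one generic answer.
    if (!password_verify($current, $storedHash) || $new !== $confirm) {
        return 'mismatch';
    }
    return null;
}

function changePassword(PDO $db, int $usrId, string $current, string $new, string $confirm): ?string
{
    $stmt = $db->prepare('SELECT usr_password FROM users WHERE usr_id = :id');
    $stmt->execute([':id' => $usrId]);
    $storedHash = $stmt->fetchColumn();
    if ($storedHash === false) {
        return 'mismatch'; // unknown user gets the same generic answer
    }

    $error = validatePasswordChange($current, $new, $confirm, (string) $storedHash);
    if ($error !== null) {
        return $error;
    }

    // Store a fresh password_hash() of the new password via a prepared statement.
    $upd = $db->prepare('UPDATE users SET usr_password = :hash WHERE usr_id = :id');
    $upd->execute([':hash' => password_hash($new, PASSWORD_DEFAULT), ':id' => $usrId]);
    return null;
}

// --- constructed demo data (hypothetical user "demo" with password "old-secret") ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usr_id INTEGER PRIMARY KEY, usr_login TEXT, usr_password TEXT)');
$ins = $db->prepare('INSERT INTO users (usr_id, usr_login, usr_password) VALUES (1, :login, :hash)');
$ins->execute([':login' => 'demo', ':hash' => password_hash('old-secret', PASSWORD_DEFAULT)]);

// Failing cases first, the successful change last (it rewrites the stored hash).
$cases = [
    ['',           'new-secret', 'new-secret'], // blank field                -> empty
    ['wrong',      'new-secret', 'new-secret'], // wrong current, new matches -> mismatch (the original && let this through)
    ['old-secret', 'new-secret', 'other'],      // current ok, confirm differs -> mismatch (the original && let this through)
    ['old-secret', 'new-secret', 'new-secret'], // current ok, new matches    -> saved
];
foreach ($cases as [$cur, $new, $conf]) {
    $r = changePassword($db, 1, $cur, $new, $conf);
    printf("%-12s %-12s %-12s => %s\n", $cur === '' ? '(blank)' : $cur, $new, $conf, $r ?? 'saved');
}
```

The caller (the configuracoes.php handler in the question) would map the returned key to a single generic message and redirect with header(), as the first answer suggests, instead of echoing a script block.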