Script 9.7 Update Password

This form allows a user to change their password. It performs an UPDATE after running a SELECT query to validate the registered user information. The new password cannot be the same as the current password and the user must enter a correct email/current password combination to continue.

Output

Change Your Password

Source
<?php # Script 9.7 - password.php
// This page lets a user change their password.

include (CHAPTER_PATH.'/'.$chapter.'/includes/9.1.php');

// Check for form submission:
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
	
	// connect to db
	require(CONNECT);

	// create error array 
	$errors = array();

	// check each field for validity, assign error message if fails
	// email
	if (empty($_POST['email'])) {
		$errors['e'] = 'You forgot to enter your email address.';
	} elseif (!(filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL))) {
		$errors['e'] = 'Your email is not in a valid format.';
	} else {
		$e = mysqli_real_escape_string($link, trim($_POST['email']));
	}
	// pass
	if (empty($_POST['pass'])) {
		$errors['p'] = 'You forgot to enter your current password.';
	} else {
		$p = mysqli_real_escape_string($link, trim($_POST['pass']));
	}
	// npass1 = npass2 && npass1!=pass
	if (!empty($_POST['pass1'])) {
		if ($_POST['pass1'] != $_POST['pass2']) {
			$errors['p2'] = 'Your new passwords do not match.';
		} else {
			$np = mysqli_real_escape_string($link, trim($_POST['pass1']));
			if(isset($p) && $p==$np) {
				$errors['p1'] = 'Your new password must not be the same as your current password.';
			}
		}
	} else {
		$errors['p1'] = 'You forgot to enter your new password.';
	}

	if(empty($errors)) {
		// validate is registered user (current password & email match from database)
		$q = "SELECT user_id FROM site_users WHERE email='$e' AND pass = SHA1('$p')";
		if($r = @mysqli_query($link,$q)) {
			$num =  @mysqli_num_rows($r);
			if($num == 1 ) {
				//correct email/password combination
				//get user_id to apply update
				$row = mysqli_fetch_array($r, MYSQLI_ASSOC);

				//free result set
				mysqli_free_result($r);

				// Submit the UPDATE 
				$q = sprintf("UPDATE site_users SET pass=SHA1('%s') WHERE user_id=%d",$np,$row['user_id']);		
				//echo $q;
				$r = @mysqli_query($link, $q);

				if (mysqli_affected_rows($link) == 1) {
					// update successful
					$message = "<h2>Success!</h2><p>Your password has been updated!</p>";
				} else {
					// update failed
					$message = "<h2>System Error</h2><p class='error'>Your password was not updated.<br />We apologize for any inconvenience, please <a href='javascript:history.back()'>try again</a>.</p>";
					$message .= '<p><span class="content-caption">Debugging information</span>Error message: <br />'.mysqli_error($link).'<br /><br />Query: <br />'. $q .'</p>';
				}

				//disconnect from db
				require(DISCONNECT);
			
				// provide feedback from update
				echo '<div id="content" class="message">'.$message.'</div>';

				// include footer
				include (CHAPTER_PATH.'/'.$chapter.'/includes/9.2.php');
				
				// exit script - do not redisplay form
				exit();

			} else {
				//wrong email/password combination
				$errors['flag'] = "<div class='error-message error'><h2>Error</h2><p>The email address and password do not match those on file.<br />Please resubmit your data or <a href='index.php?chapter=9&amp;script=9.5'>register</a> as a new user.</p></div>";
			}	
		} else {
			// error with result retrieval
			$errors['flag'] = "<div class='error-message error'><h2>Error</h2><p>There was an error validating your status.<br />Please try again.</p></div>";
		}
	} else {
		// submission error 
		$errors['flag'] = "<div class='error-message error'><h2>Error</h2><p>Your information could not be updated. <br />Please resubmit your data after correcting the highlighted errors.</p></div>";
	}
	//disconnect from db
	require(DISCONNECT);
} //end form submission check

// begin form output. if submitted with errors - include original submission values with error messages
echo "<div id='content'>";
?>
<h1>Change Your Password</h1>
<?php echo (isset($errors['flag']))? $errors['flag'] : ''; ?>
<form action="" method="post">
	<p>
		<label for='e'>Email Address: </label>
		<input type="text" id='e' name="email" size="20" maxlength="60" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>"  />
		<?php echo (isset($errors['e']))?'<span class="error">'.$errors['e'].'</span>' : ''; ?>
	</p>
	<p>
		<label for='p'>Current Password: </label>
		<input type="password" id='p' name="pass" size="10" maxlength="20" value="<?php if (isset($_POST['pass'])) echo $_POST['pass']; ?>"  />
		<?php echo (isset($errors['p']))?'<span class="error">'.$errors['p'].'</span>' : ''; ?>
	</p>
	<p>
		<label for='p1'>New Password: </label>
		<input type="password" id='p1' name="pass1" size="10" maxlength="20" value="<?php if (isset($_POST['pass1'])) echo $_POST['pass1']; ?>"  />
		<?php echo (isset($errors['p1']))?'<span class="error">'.$errors['p1'].'</span>' : ''; ?>
	</p>
	<p>
		<label for='p2'>Confirm New Password: </label>
		<input type="password" id='p2' name="pass2" size="10" maxlength="20" value="<?php if (isset($_POST['pass2'])) echo $_POST['pass2']; ?>"  />
		<?php echo (isset($errors['p2']))?'<span class="error">'.$errors['p2'].'</span>' : ''; ?>
	</p>
	<p>
		<input type="submit" name="submit" value="Change Password" />
	</p>
</form>
<?php
echo "</div>";
include (CHAPTER_PATH.'/'.$chapter.'/includes/9.2.php');
?>