I am having trouble my change password script for my website. I am using an AJAX connection to my php. My database connection is solid, and it is sending the correct variables (according to firebug), but they get lost in translation I guess. I am having trouble printing out error reports because my theme is covering them all up. I realize the code isn't very secure, and I intend on changing that. But for right now, I just need some help getting this code to work. I have been working on it for the past two days now, and I can't seem to find the niche.
Here is my login page with code included.
<?php
include_once("php_includes/check_login_status.php");
ob_start();
error_reporting(E_ALL);
ini_set('display_error', 'on');
$isOwner = "no";
if($user_ok == true){
$isOwner = "yes";
$u = $_SESSION['username'];
} else {
header("location: http://www.ibnwmo.com");
}
?>
<?php
// AJAX CALLS THIS CODE TO EXECUTE
if(isset($_POST['u'])) {
include_once("php_includes/db_conx.php");
$username = '';
$oldpasshash = '';
$newpasshash = '';
$username = preg_replace('#[^a-z0-9]#i', '', $_POST['u']);
var_dump($username);
$oldpasshash = md5($_POST["cp"]);
$newpasshash = md5($_POST["cnp"]);
$sql = "SELECT id, username, password FROM users WHERE username='$username' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
$row = mysqli_fetch_row($query);
$db_id = $row["0"];
$db_username = $row["1"];
$db_password = $row["2"];
$dump = var_dump($cnp);
$dump2 = var_dump($cp);
if($db_password != $oldpasshash){
echo "no_exist";
exit();
} else {
$sql = "UPDATE users SET password='$newpasshash', WHERE username='$db_username' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
}
$sql = "SELECT id, username, password FROM users WHERE username='$db_username' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
$row = mysqli_fetch_row($query);
$db_newpass = $row[3];
if($db_newpass == $newpasshash) {
echo "success";
exit();
} else {
echo "pass_failed";
exit();
}
}
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>Forgot Password</title>
<link rel="icon" href="images/favicon.ico" type="image/x-icon">
<link rel="stylesheet" href="css/mainstyle.css">
<script src="js/main.js"></script>
<script src="js/ajax.js"></script>
<script>
function changepass() {
var u = _("username").value;
var cp = _("currentPass").value;
var np = _("newPass").value;
var cnp = _("confirmNewPass").value;
if(np != cnp) {
_("status").innerHTML = "The passwords given do not match!";
} else if (cp === "" || np === "" || cnp === "") {
_("status").innerHTML = "Please fill out all of the fields.";
} else {
_("changepassbtn").style.display = "none";
_("status").innerHTML = 'please wait ...';
var ajax = ajaxObj("POST", "change_password.php");
ajax.onreadystatechange = function() {
if(ajaxReturn(ajax) === true) {
var response = ajax.responseText;
if(response == "success") {
_("status").innerHTML = '<h3>Your password has been changed!</p>';
} else if (response == "no_exist") {
_("status").innerHTML = "Sorry, your current password was entered incorrectly.";
_("changepassbtn").style.display = "initial";
} else if (response == "pass_failed") {
_("status").innerHTML = "Sorry, the password change failed.";
_("changepassbtn").style.display = "initial";
} else {
_("status").innerHTML = "An unknown error occurred";
_("changepassbtn").style.display = "initial";
}
}
};
ajax.send("u="+u+"&cp="+cp+"&np="+np+"&cnp"+cnp);
}
}
</script>
