
connection files (dbConnection.php)

```php
<?php
    $_SESSION["conn"]=mysqli_connect("localhost","root","","club_managing_system","3306");

    $con=mysqli_connect("localhost","root","","club_managing_system","3306");


    //Check connection
    if(mysqli_connect_errno())
    {
    echo "Failed to connect to database:".mysqli_connect_error();
    }
    ?>
```

html files (forgotPass.php)

```php
<?php
include '../api/crudHandler.php';
?>
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8">
<title>forgot password page</title>
<link rel="stylesheet" href="../css/loginPage.css">
</head>
<body>
<div class="center" style="top:50%">
    <h1>Forgot Password</h1>
    <form method="post" onsubmit="return checkPass()">
    <div>
    <a style="font-size:12px">Please insert your email to reset the password</a>
    </div>
    <div class="txt_field">
        <input type="email" name="email" id="email">
        <span></span>
        <label>Email</label>
    </div>
    <div>
    <a style="font-size:12px">Please enter your new password</a>
    </div>
    <div class="txt_field">
        <input type="password" name="new_password" id="password">
        <span></span>
        <label>New Password</label>
    </div>
    <div>
    <a style="font-size:12px">Please confirm your new password</a>
    </div>
    <div class="txt_field">
        <input type="password" name="confirm_password" id="password2">
        <span></span>
        <label>Confirm Password</label>
    </div>
    <input type="submit" value="Submit" >
    <div class="signup_link">
        Still remember your password? <a href="loginPage.php">Log In</a>
        <span id = "message" style="color:red"> </span>
    </div>
    </form>
</div>

</body>
<script type = "text/javascript">
function checkPass() {
var emailTF = document.getElementById('email').value;
var pass1 = document.getElementById('password').value;
var pass2 = document.getElementById('password2').value;

if (emailTF != ""){
    if(pass1 != "" && pass2 != ""){
    if(pass1 == pass2){
        <?php
        if (isset($_POST['email']) && isset($_POST['confirm_password'])) {
            echo studentChangeCred($_POST['email'], $_POST['confirm_password']);
            return;
        }
        ?>
    }else{
        document.getElementById("message").innerHTML = "Password confirmation invalid!";
        return false
    }
    }else{
    document.getElementById("message").innerHTML = "Fill the password please!";
    return false;
    }
}else{
    document.getElementById("message").innerHTML = "Fill your email please!";
    return false
}
}
</script>
</html>
```

a file to call the functions out (crudHandler.php)

```php
<?php
    include_once("dbConnection.php");

function studentChangeCred($email,$pwd){
    $studentDataSql = "SELECT * FROM 'student' WHERE 'student_email'= '" .$email. "'";
    $result = ($_SESSION["conn"]->query($studentDataSql));

    $_SESSION['validEmail'] = false;
    if (!empty($result) && $result->num_rows > 0){
        while($row = $result->fetch_assoc()){
            if($row["student_email"] === $email){
                $_SESSION['validEmail'] = true;
                break;
            }else{
                $_SESSION['validEmail'] = false;
            }
        }
    }else{
        $_SESSION['validEmail'] = false;
    }

    $studentChangeCredSql = "UPDATE `student` SET `student_password` = '" .$pwd. "' WHERE 'student_email' = '" .$email. "'";
    while($_SESSION['validEmail'] = true){
        if($_SESSION["conn"]->query($studentChangeCredSql) === TRUE){
            echo '<script type="text/javascript">
    
            alert("Password changed successfully! Directing to login page!");
    
            </script>';
            echo "Error: " . $studentChangeCredSql . ":-" . mysqli_error($_SESSION['conn']);
            header('Refresh:0.1,URL=loginPage.php');
            break;
        }else{
            echo "Error: " . $studentChangeCredSql . ":-" . mysqli_error($_SESSION['conn']);
        }
    }
    while($_SESSION['validEmail'] = false){
        echo '<script type="text/javascript">

        alert("This email is not registered, please try again!");
    
        </script>';
        break;
}
}
?>
```

Database table of student database

The method that I'm using is almost the same for another part of this project, not sure why but I think it's the mysqli's code problem, however, I can't seem to find the problem. I'm a beginner btw :)

  • 2
    There are many serious problems here. You're mixing JavaScript and PHP in a way that can't possibly work. JavaScript runs on the client, PHP runs on the server before the client has even received the page. You can't put PHP code inside the JavaScript form `onSubmit` event handler, that can't work. You also have glaring SQL injection vulnerabilities. I would suggest discarding this code and reading a tutorial on PDO. You should also look up password hashing, storing the user's password in the database in plain text is an extremely serious security problem. – user229044 May 19 '22 at 15:16
  • 2
    You're also using `while(condition)` instead of `if(condition)`, and then `break`ing out of the loop after the first iteration. Don't use `while` for this. Use `if`. You're missing `break` in at least one case, meaning the loop will run forever, and you're dumping error information out in the success branch. You're also using `$_SESSION` to store state that should not persist across requests, and will only cause problems on subsequent requests. There are too many problems here to try and solve any one specific problem. I would recommend finding a chat channel to seek interactive code review. – user229044 May 19 '22 at 15:23
  • Thanks for the suggestion, will redo later – Fatty Poh May 19 '22 at 15:32
  • You might consider using Ruby on Rails or another framework that handles most of this for you, rather than attempting to start from the basic building blocks PHP provides. – user229044 May 19 '22 at 15:33
  • 1
    **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman May 19 '22 at 15:39
  • 1
    **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman May 19 '22 at 15:39
  • 1
    It looks like you are using some really bad tutorial. I highly encourage you to find something better. If you are only starting to learn PHP then you should learn PDO instead of mysqli. PDO is much easier and more suitable for beginners. Start here https://phpdelusions.net/pdo & https://websitebeaver.com/php-pdo-prepared-statements-to-prevent-sql-injection. Here are some good video tutorials https://youtu.be/2eebptXfEvw & https://www.youtube.com/watch?v=sVbEyFZKgqk&list=PLr3d3QYzkw2xabQRUpcZ_IBk9W50M9pe- – Dharman May 19 '22 at 15:39
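
What the comments above recommend (a prepared statement, `password_hash()`, `if` instead of `while`, and validation done in PHP rather than inside the `onsubmit` handler), as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite database as a stand-in for the page's MySQL server, and `handleReset()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);
// Added example, not the asker's code. In-memory SQLite (pdo_sqlite) stands in
// for the page's MySQL database so the script runs offline.

function studentChangeCred(PDO $pdo, string $email, string $pwd): bool
{
    $stmt = $pdo->prepare(
        'UPDATE student SET student_password = :hash WHERE student_email = :email'
    );
    // Bound values are sent as data and never parsed as SQL; only a hash is stored.
    $stmt->execute([
        ':hash'  => password_hash($pwd, PASSWORD_DEFAULT),
        ':email' => $email,
    ]);
    // One changed row means the email was registered: no SELECT, loop or $_SESSION flag.
    return $stmt->rowCount() === 1;
}

// Server-side checks mirroring the form's JavaScript, which a client can skip.
function handleReset(PDO $pdo, array $post): string
{
    $email   = $post['email'] ?? '';
    $new     = $post['new_password'] ?? '';
    $confirm = $post['confirm_password'] ?? '';
    if ($email === '') {
        return 'Fill your email please!';
    }
    if ($new === '' || $new !== $confirm) {
        return 'Password confirmation invalid!';
    }
    return studentChangeCred($pdo, $email, $new)
        ? 'Password changed successfully!'
        : 'This email is not registered, please try again!';
}

// Constructed sample data and requests (the arrays stand in for $_POST).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (student_email TEXT PRIMARY KEY, student_password TEXT)');
$pdo->exec("INSERT INTO student VALUES ('alice@example.com', 'old'), ('bob@example.com', 'old')");

echo handleReset($pdo, ['email' => 'alice@example.com', 'new_password' => 'n3w-pass', 'confirm_password' => 'n3w-pass']), "\n";
// A quote in the input no longer changes the WHERE clause: no row matches, nothing is updated.
echo handleReset($pdo, ['email' => "x' OR '1'='1", 'new_password' => 'n3w-pass', 'confirm_password' => 'n3w-pass']), "\n";
$bob = $pdo->query("SELECT student_password FROM student WHERE student_email = 'bob@example.com'")->fetchColumn();
var_dump($bob === 'old');
```

Against the page's MySQL database only the DSN passed to `new PDO(...)` changes. The flow still lets anyone who knows a registered email set its password, as the question's form does; the example covers the query and the hash, not proof of mailbox ownership.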
