1

Why do I not get my password put out on the page with this code?

I am trying to make a settings page so that I could change my password.

I don't get any errors; it just does nothing.

```php
<html>
    <head>
        <title>Settings</title>
        <link rel="stylesheet" href="/static/bootstrap.css">
        <link rel="stylesheet" href="/static/firstindex.css">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link href="favicon.png" rel="icon"/>
        </head>
    <?php 
    session_start(); //starts the session
    $user = $_SESSION['user'];
    $result = mysql_query("SELECT password FROM users WHERE user_id='$user'");
    if(isset($_SESSION['user']) && $_SESSION['user']){
        echo"
        <body>
        <h1>Edit Profile</h1>
        <p>Hello $user</p>
        <p>Password $result</p>
    <form action='settings.php' method='post' class='form1'>
        <input class='form-control' placeholder='Old Password' type='password' name='password' required='required' /> <br/>
      <input class='form-control' placeholder='New Password' type='password' name='newpassword' /> <br/>
      <input class='form-control' placeholder='New Password' type='password' name='confirmnewpassword' /> <br/>
      <input type='hidden' name='night' value='0'/>
      <p><input type='checkbox' name='night' value='1'/> Turn on night theme for account</p>
      <input type='submit' class='btn btn-info' value='Change Settings'/>
    </form>
    ";
    }
    else {
        Print '<script>window.location.assign("login.php");</script>';
    }
    ?>
    <?php
if($_SERVER["REQUEST_METHOD"] == "POST"){
  $password = mysql_real_escape_string($_POST['password']);
  $newPassword = mysql_real_escape_string($_POST['newpassword']);
  $confirmNewPassword = mysql_real_escape_string($_POST['confirmnewpassword']);
  $nightTheme =(int)mysql_real_escape_string($_POST['night']);
  mysql_connect("localhost", "root","") or die(mysql_error()); //Connect to server
  mysql_select_db("mvstudio") or die("Cannot connect to database"); //Connect to database
  $result = mysql_query("SELECT password FROM users WHERE user_id='$user'");
  $bool = true;
  echo "$result";
}
?>
    </body>
</html>
```
Goodbye StackExchange
maks112v
  • 3
    1) Stop using `mysql_*` functions; they have been deprecated for 8 years (and removed in PHP 7). Switch to `mysqli_*` or PDO. 2) Where is your DB connection initiated? (hint: It's like 30 lines below your password query) – ccKep May 11 '17 at 23:14
  • Potential case of [How do I get PHP errors to display?](http://stackoverflow.com/questions/1053424/how-do-i-get-php-errors-to-display) - If this is your whole page, PHP should've / would've told you on `mysql_query` that it's not having a connection. – ccKep May 11 '17 at 23:15
  • 4
    You shouldn't be able to display the password anyway because it shouldn't be stored as plaintext – developerwjk May 11 '17 at 23:18
  • 1
    **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/5.4/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords as plain-text**. – tadman May 12 '17 at 00:10
  • 1
    `(int)mysql_real_escape_string($_POST['night'])` is some of the strangest stuff I've seen in a while. Where did you learn to do this? That source is leading you very, very astray. – tadman May 12 '17 at 00:10
  • Also, you don't appear to be checking whether the password and the confirmation of the password are even the same...less of a security issue, but still. – Enstage May 12 '17 at 02:03

2 Answers

2

Firstly, `mysql_*` is deprecated; switch to `mysqli_*` or PDO.

Secondly, you should NEVER be storing passwords in plaintext; this is a major security problem. They need to be securely hashed; even if you need to access them at some point (such as in a password management system), they should at least be encrypted.

Thirdly, `$result` contains a MySQL response resource, not a string. You need to do this to convert it to an associative array:

```php
$result = mysql_query("SELECT password FROM users WHERE user_id='$user'");
$password = mysql_fetch_assoc($result);
$password = $password['password'];
```

`$password` now contains the password.

Finally, the previous won't work unless you make your MySQL connection before you perform the query; currently your connection is made after you perform the query.

Enstage
  • 2
    Expanding on your note about passwords, [`password_hash()`](http://php.net/manual/en/function.password-hash.php) is the proper way of hashing passwords in PHP (verify them with [`password_verify()`](http://php.net/manual/en/function.password-verify.php)). And once OP realizes that `mysqli_*` or PDO is the way to go - use prepared statements from the get-go ;-) – Qirel May 11 '17 at 23:28
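
The advice in the answer and comments above (open the connection first, fetch the row instead of echoing the result handle, bind parameters, store only `password_hash()` output, compare the new password with its confirmation) combined in one change-password routine. This is an added example, not code from the question or the answers; the `password_hash` column, the `changePassword()` function, the sample user and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. Assumption: users.password_hash stores password_hash() output,
// so the stored value can never be echoed back to the page as a password.

function changePassword(PDO $db, string $userId, string $old, string $new, string $confirm): bool
{
    // Reject an empty or mistyped new password before touching the database.
    if ($new === '' || $new !== $confirm) {
        return false;
    }

    // Prepared statement: $userId is bound as data, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE user_id = ?');
    $stmt->execute([$userId]);
    $hash = $stmt->fetchColumn(); // the column value itself, or false if no row

    // password_verify() reads the algorithm, cost and salt embedded in $hash.
    if ($hash === false || !password_verify($old, $hash)) {
        return false;
    }

    $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE user_id = ?');
    return $upd->execute([password_hash($new, PASSWORD_DEFAULT), $userId]);
}

// The connection exists before any query runs. Constructed demo data follows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['demo-user', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Case 1: wrong old password. Case 2: confirmation mismatch.
// Case 3: valid change. Case 4: the old password no longer verifies.
var_dump(changePassword($db, 'demo-user', 'guess', 'new-secret', 'new-secret'));
var_dump(changePassword($db, 'demo-user', 'old-secret', 'new-secret', 'new-secert'));
var_dump(changePassword($db, 'demo-user', 'old-secret', 'new-secret', 'new-secret'));
var_dump(changePassword($db, 'demo-user', 'old-secret', 'another', 'another'));
```

Against MySQL only the DSN and credentials passed to `new PDO(...)` change; the prepared statements stay the same.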
1

session_start() should be before any output, usually in the first line of your php file like:

```php
<?php session_start(); //starts the session ?>
<html>
    <head>
        <title>Settings</title>
        <link rel="stylesheet" href="/static/bootstrap.css">
        <link rel="stylesheet" href="/static/firstindex.css">
        <meta name="viewport" content="width=device-width, initial-scale=1">
        <link href="favicon.png" rel="icon"/>
        </head>
    <?php /* your remaining php code */
```

And like @Enstage suggested, use at least `mysqli_` starting now.

micaball