6 replies to this topic

[fmdataweb]

I have a site which uses FileMaker accounts to access the site and everything is working well. I now need to give users the ability to be able to change their passwords via the site. I know there's no native method for this and FileMaker Inc recommend that "By default, web users cannot change their account passwords from a web browser. You can enable this feature for a database using the Change Password script step, which allows web users to change their passwords from browser.".

I can use newPerformScriptCommand to perform a script that has the Change Password script step - I'm just not sure how to pass the value for the "current password" and "new password" which will be entered by the user in a form. Can you pass multiple parameters to the FileMaker script using newPerformScriptCommand - as far as I can tell you can only pass one parameter.

If anyone can point out how to perform a FileMaker script that has the Change Password script step with the values for the current/new password that would be great. FileMaker Inc obviously support it as they mention this in the PHP API PDF docs but don't give anymore details about how to construct this.

Thanks,
Steve

[doughemi]

One way to pass multiple parameters is to create a calculated parameter with a delimiter between individual values. I use the pipe character ( | ).

Here is the php:

If(isset ($_POST['action']) and $_POST['action']='Change') {
	if(!isset($_POST['oldpw'])) {$errmsg='Old Password must be entered';}
	elseif($_POST['oldpw'] != $_SESSION['account_password']) {
		$errmsg='That is not the password for this account';
		}
	elseif($_POST['pw1'] != $_POST['pw2']) {
		$errmsg='New passwords do not match';
		}
	elseif(is_null($_POST['pw1'])) {
		$errmsg='You cannot use a blank password';
		}
	elseif($_POST['pw1']==$_SESSION['account_user']) {
		$errmsg='You cannot use your username as a password';
		}
	elseif(strlen($_POST['pw1'])<5) {
		$errmsg='Password is too short';
		}
	else {
			$oldpw = $_POST['oldpw'];
			$newpw = $_POST['pw1'];
			$scriptparam=$oldpw.'|'.$newpw;
			$fmscript=$fm->newPerformScriptCommand('MembersChangeHold','php_changePW',$scriptparam);
			$doscript=$fmscript->execute();
			if (FileMaker::isError($doscript)) {
				echo '<p>Database error: ' . $doscript->getMessage() .'</p>';
				exit;
			}
			$errmsg='Your password has been changed';	
		}
	
}

and here is the FM script:

   Set Variable [ $param; Value:Get ( ScriptParameter ) ]
   Go to Layout [ “php_changePW” (PWChange) ]
   New Record/Request
   Set Field [ PWChange::ScriptParams; $param ]
   Set Variable [ $opw; Value:Let( [pipepos=Position ( $param ; "|" ; 1;1 )]; Left($param;pipepos-1) ) ]
   Set Variable [ $npw; Value:Let( [pipepos=Position ( $param ; "|" ; 1;1 )]; Right($param;Length($param) - pipepos) ) ]
   Set Field [ PWChange::oldpw; $opw ]
   Set Field [ PWChange::newpw; $npw ]
   Commit Records/Requests
   Change Password [ Old Password: $opw; New Password: $npw ]

[fmdataweb]

Thanks very much that looks like it should work if you're already doing something similar - I'll give it a go tonight.

One way to pass multiple parameters is to create a calculated parameter with a delimiter between individual values. I use the pipe character ( | ).

Here is the php:

If(isset ($_POST['action']) and $_POST['action']='Change') {
	if(!isset($_POST['oldpw'])) {$errmsg='Old Password must be entered';}
	elseif($_POST['oldpw'] != $_SESSION['account_password']) {
		$errmsg='That is not the password for this account';
		}
	elseif($_POST['pw1'] != $_POST['pw2']) {
		$errmsg='New passwords do not match';
		}
	elseif(is_null($_POST['pw1'])) {
		$errmsg='You cannot use a blank password';
		}
	elseif($_POST['pw1']==$_SESSION['account_user']) {
		$errmsg='You cannot use your username as a password';
		}
	elseif(strlen($_POST['pw1'])<5) {
		$errmsg='Password is too short';
		}
	else {
			$oldpw = $_POST['oldpw'];
			$newpw = $_POST['pw1'];
			$scriptparam=$oldpw.'|'.$newpw;
			$fmscript=$fm->newPerformScriptCommand('MembersChangeHold','php_changePW',$scriptparam);
			$doscript=$fmscript->execute();
			if (FileMaker::isError($doscript)) {
				echo '<p>Database error: ' . $doscript->getMessage() .'</p>';
				exit;
			}
			$errmsg='Your password has been changed';	
		}
	
}

and here is the FM script:

   Set Variable [ $param; Value:Get ( ScriptParameter ) ]
   Go to Layout [ “php_changePW” (PWChange) ]
   New Record/Request
   Set Field [ PWChange::ScriptParams; $param ]
   Set Variable [ $opw; Value:Let( [pipepos=Position ( $param ; "|" ; 1;1 )]; Left($param;pipepos-1) ) ]
   Set Variable [ $npw; Value:Let( [pipepos=Position ( $param ; "|" ; 1;1 )]; Right($param;Length($param) - pipepos) ) ]
   Set Field [ PWChange::oldpw; $opw ]
   Set Field [ PWChange::newpw; $npw ]
   Commit Records/Requests
   Change Password [ Old Password: $opw; New Password: $npw ]

[doughemi]

It's been in use for over two years.

[webko]

Also:
Some searching shows that using a new line creates a new script parameter, supposedly... so

Code:

$script_param = $_POST['pwd1']."\n".$_
POST['pwd2'];


Should be able to be interpreted by the script by
Code:

Set Variable [$oldpwd; Value: GetValue ( Get (ScriptParamter( ; 1)]
Set Variable [$newpwd; Value: GetValue ( Get (ScriptParamter( ; 2)]


Not tested, taken from https://docs.google...._v7ic_UZ0wJpU1A

[fmdataweb]

Just confirming that the above works, i.e. you can simply use:

$scriptParam = $_POST['CurrentPassword']."\n".$_POST['NewPassword1'];

along with:

Set Variable [$oldpwd; Value: GetValue ( Get (ScriptParamter) ; 1)]
Set Variable [$newpwd; Value: GetValue ( Get (ScriptParamter) ; 2)]

to get the old and the new passwords for use with the Change Password script step.

I've been testing this and it's working well, however I've just been testing it with invalid current password values and it's not failing as expected. Looking at the Admin Console log viewer the script is generating an error as expected ("wpc1 Web Scripting Error: 213 Script: "Change Password Web", Script Step: "Change Password") but the script error isn't being captured.

The relevant part of the code looks like this:

$scriptObject = $fm->newPerformScriptCommand($layoutName, $scriptName, $scriptParam);
// Execute the script
$scriptResult = $scriptObject->execute();

 if(FileMaker::isError($scriptResult)) {
  $errorMessage = "Change My Password Error: " . $scriptResult->getMessage() . ' (' . $scriptResult->code . ')';
  } else {
  // Update Session Password
  $_SESSION['password'] = $_POST['NewPassword1'];
  $errorMessage = 'Your Password has been changed successfully';
  }

Anyone know how to capture if there has been an error performing the "Change Password" script step?

[doughemi]

This part of the code traps for incorrect old password before even applying it to the change password script step:

		elseif($_POST['oldpw'] != $_SESSION['account_password']) {
				$errmsg='That is not the password for this account';
				}

The session variable is set by your login authentication (I used the code in the book FileMaker Web Publishing by Olm, Knight, and Petrov.
This is a very robust method that protects any pages you wish in the website.)