CODEWITHSUNDEEP
phpcodeignitersecurity
air
air

Reputation: 6264

codeigniter change password

i am new to codeigniter and trying to write a secure code to change user password. please help me

my Controller function are

public function change_password()
          {

            $data = array( "main_content" => 'includes/memberadmin/memberadmin_cpass'
                );
                $this->load->view('includes/memberadmin/template',$data);
          }

        public function change_password_process()
        {

        $this->load->library('form_validation');
        $this->form_validation->set_rules('old_password','Old Password','trim|required|min_length[4]|max_length[32]');
        $this->form_validation->set_rules('password','Password','trim|required|min_length[4]|max_length[32]');
        $this->form_validation->set_rules('password2','Reenter Password','trim|required|min_length[4]|max_length[32]|matches[password]');

        if ($this->form_validation->run() == FALSE)
        {
            $this->change_password();

        }else {
            $this->load->model('membership_model');
            $query=$this->membership_model->change_password();


                $data = array( "main_content" => 'includes/memberadmin/memberadmin_cpass_process',
                "query" => $query
                );
                $this->load->view('includes/memberadmin/template',$data);


        }

my model functions are

function Change_password()
        {   
        $this->db->select('id');
        $this->db->where('username',$this->session->userdata('uname'));
        $this->db->where('password',md5($this->input->post('old_password')));
        $query=$this->db->get('memberadmin');   

        if ($query->num_rows() > 0)
         {
                $row = $query->row();
                if($row->id==$this->session->userdata('uid'))
                {
                    $data = array(
                      'password' => md5($this->input->post('password'))
                     );
                  $this->db->where('username',$this->session->userdata('uname'));
                  $this->db->where('password',md5($this->input->post('old_password')));
                       if($this->db->update('memberadmin', $data)) 
                       {
                       return "Password Changed Successfully";
                       }else{
                        return "Something Went Wrong, Password Not Changed";
                       }
                }else{
                return "Something Went Wrong, Password Not Changed";
                }


         }else{
            return "Wrong Old Password";
         }

        }

Actually my userid and username is stored in session and i try to get username from table and again match the return userid with session userid for extra security and then change password.

Please let me know does my code is secure or i am doing something wrong.

Upvotes: 1

Views: 15145

Answers (2)

Venus Marks
Venus Marks

Reputation: 1

$this->db->where('username',$this->session->userdata('uname')); $this->db->where('id',$this->session->userdata('uid')); $this->db->where('password',md5($this->input->post('old_password')));

Upvotes: 0

M K Garwa
M K Garwa

Reputation: 495

first you can use === in place of == while matching user id

if($row->id===$this->session->userdata('uid'))

in plus for more security you can add one more line in where clause while updating the password

$this->db->where('username',$this->session->userdata('uname'));
$this->db->where('id',$this->session->userdata('uid'));
$this->db->where('password',md5($this->input->post('old_password')));

Upvotes: 1

Related Questions