Reputation: 89
Php 5.5 change password
EDIT: Inside the config.php I create and maintain the session. As well as through that connect to MySQL.
I am trying to learn how to use PHP 5.5 Password_hash and password_verify as more of a learning experience then anything else, I havent been doing this too long and this is the first time I have had to ask a question here (usually someone has already asked my question)
So here is my problem.
I can get password_hash and password_verify to work fine when I register and log in. But for some reason when I use a script for changing passwords, I can no longer log in.
Relavent code snippets:
Register:
<?php
include('config.php');
$password = mysql_real_escape_string($_POST['password']);
$username = mysql_real_escape_string($_POST['username']);
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$sql = 'INSERT INTO Staff (username, password) ' .
"VALUES ('$username', '$hashed_password')";
mysql_query($sql) or die( mysql_error() );
?>
RegisterHTML:
<div id="login-content">
<form action="register.php" method="post">
<fieldset id="inputs">
<div class="label"></div><input type="text" name="username"/><br />
<div class="label"></div><input type="password" name="password"/><br />
</fieldset>
<input class="button" type="submit" value="Register" />
</form>
</div>
ChangePwd:
<?php
include('config.php');
$password = mysql_real_escape_string($_POST['newPassword']);
$password2 = mysql_real_escape_string($_POST['confirmPassword']);
$username = ($_SESSION['username']);
if ($password <> $password2) {
echo "Your passwords do not match.";
}
else if ($password === $password2){
$hashed_password = password_hash($password, PASSWORD_DEFAULT);
$sql = "UPDATE Staff SET password='$hashed_password' WHERE username='$username'";
mysql_query($sql) or die( mysql_error() );
}
else { mysqli_error($con); }
mysqli_close($con);
?>
ChangePwdHTML:
<?php
include('config.php');
?>
<div id="login-content">
<form action="changePassword.php" method="post">
<fieldset id="inputs">
<div class="label"></div><input type="password" name="passwordNew"/><br />
<div class="label"></div><input type="password" name="passwordConfirm"/><br />
</fieldset>
<input class="button" type="submit" value="Change Password" />
</form>
</div>
Connect:
<?php
include('config.php');
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);
$sql = ('SELECT password,id,rank FROM Staff WHERE username="'.$username.'"');
$req = mysql_query($sql) or die( mysql_error() );
$dn = mysql_fetch_assoc($req);
$hash = $dn['password'];
if(password_verify($password, $hash))
{
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $dn['id'];
$_SESSION['rank'] = $dn['rank'];
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);
?>
I am sure my code is pretty messy, and some of it is dated... its kind of... franken-code at this point, built from various examples and tutorials I found.
Upvotes: 2
Views: 147
Answers (1)
Reputation: 91744
It is hard to see what the exact problem is but a potential problem is that you are processing the passwords in different ways when you register / change your password and when you check: You use mysql_real_escape_string when you set it but strip_slashes when you compare it.
That would cause passwords that contain quotes or slashes not to match when you try to login.
You should not touch the user's password at all because a password can contain slashes, quotes, etc.
Instead, you should switch to PDO or mysqli and use prepared statements and don't change the user's input except when you validate for example a new user-name.
name="passwordConfirm" and $_POST['confirmPassword'] that's one of the problems, and the same for the other one also name="passwordNew" and $_POST['newPassword'] you inverted the words.
Having used error reporting http://php.net/manual/en/function.error-reporting.php would have signaled "Undefined index...." for both.
Upvotes: 1