Reputation: 23
I am having a problem when trying to change the password in my application. It keeps showing that the current password is invalid. It might be a problem in my PHP code, but I can't find the problem. This is my PHP code.
<?php
require ("config1.php");
if (!empty($_POST)) {
    $lecID = $_GET['lecID'];
    $query = "UPDATE lecturer SET lecPass= :lec_Pass WHERE lecID = '$lecID' ";
    $query_params = array(':lec_Pass' => $_POST['lecPass']);
    try {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch (PDOException $ex) {
        $response["success"] = 0;
        $response["message"] = "Database Error1. Please try again";
        die(json_encode($response));
    }
    $validate_info = false;
    // Fetching rows from query
    $row = $stmt->fetch();
    if ($row) {
        if ($_POST['lecPass'] === $row['lecPass']) {
            $changePass_ok = true;
        }
    }
    if ($changePass_ok) {
        // UserLogin
        $response['success'] = 1;
        $response['message'] = "Password changed successfully";
        die(json_encode($response));
    }
    else {
        $response["success"] = 0;
        $response["message"] = "Failure";
        die(json_encode($response));
    }
}
?>
I'd appreciate it if someone could guide me. Thanks.
Upvotes: 0
Views: 87
Reputation: 61984
$row = $stmt->fetch();
if ($row) {
    if ($_POST['lecPass'] === $row['lecPass']) {
        $changePass_ok = true;
    }
}
This isn't going to work. Doing a fetch() on an UPDATE statement is never going to return anything, because UPDATE statements don't return rows. There is nothing to compare.
You have two options:
1) Simply check that the UPDATE statement succeeded. This should really be sufficient evidence that the password was successfully updated, without having to select the row out again.
2) The lengthier way, more similar to what you're trying now, is that, following the UPDATE, you run a separate SELECT statement to fetch the same row again from the database and compare the value returned against the $_POST value.
N.B. As others have pointed out in the comments, storing your passwords in plain text and transmitting them over unencrypted HTTP is incredibly insecure and asking for trouble. You should switch to HTTPS and also store the passwords in your database using a one-way hash, so that anyone with access to the DB cannot immediately steal the passwords. Then when the user logs in, you hash the password value they supply using the same algorithm, and compare that with the value in the DB in order to validate the login.
Upvotes: 1
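The following is an added example, not the asker's or the answerer's code, showing a password change written the way this answer recommends: the current password is verified against a stored one-way hash with password_verify(), the new password is stored with password_hash(), and success is judged from the UPDATE statement's own rowCount() rather than from a fetch() on it. The table and column names (lecturer, lecID, lecPass) come from the question; the function name changeLecturerPassword and the in-memory SQLite database that stands in for config1.php's $db are assumptions so that the script runs offline.

```php
<?php
// Added example (not code from the question or answer). Assumes PHP >= 7.0
// with the PDO SQLite driver; an in-memory SQLite DB replaces config1.php's $db.

// Verify the supplied current password against the stored hash, then replace
// the hash. Returns the same success/message array shape as the question.
function changeLecturerPassword(PDO $db, string $lecID, string $currentPass, string $newPass): array
{
    // lecID is bound as a parameter rather than interpolated into the SQL string.
    $select = $db->prepare("SELECT lecPass FROM lecturer WHERE lecID = :lecID");
    $select->execute([':lecID' => $lecID]);
    $row = $select->fetch(PDO::FETCH_ASSOC);

    // The comparison happens against the hash, and before the UPDATE runs.
    if (!$row || !password_verify($currentPass, $row['lecPass'])) {
        return ['success' => 0, 'message' => 'Current password is invalid'];
    }

    // Store a one-way hash; the plaintext never reaches the database.
    $update = $db->prepare("UPDATE lecturer SET lecPass = :lec_Pass WHERE lecID = :lecID");
    $update->execute([
        ':lec_Pass' => password_hash($newPass, PASSWORD_DEFAULT),
        ':lecID'    => $lecID,
    ]);

    // Option 1 from the answer: the UPDATE result itself says whether a row changed,
    // so no fetch() is needed on the UPDATE statement.
    if ($update->rowCount() !== 1) {
        return ['success' => 0, 'message' => 'Failure'];
    }
    return ['success' => 1, 'message' => 'Password changed successfully'];
}

// Constructed fixture: one lecturer whose stored password is already hashed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE lecturer (lecID TEXT PRIMARY KEY, lecPass TEXT NOT NULL)");
$seed = $db->prepare("INSERT INTO lecturer (lecID, lecPass) VALUES (:lecID, :lecPass)");
$seed->execute([':lecID' => 'L001', ':lecPass' => password_hash('old-secret', PASSWORD_DEFAULT)]);

try {
    // Wrong current password: rejected before any UPDATE is issued.
    echo json_encode(changeLecturerPassword($db, 'L001', 'guess', 'new-secret')), PHP_EOL;
    // Correct current password: the stored hash is replaced.
    echo json_encode(changeLecturerPassword($db, 'L001', 'old-secret', 'new-secret')), PHP_EOL;
    // The old password no longer verifies after the change.
    echo json_encode(changeLecturerPassword($db, 'L001', 'old-secret', 'another')), PHP_EOL;
} catch (PDOException $ex) {
    echo json_encode(['success' => 0, 'message' => 'Database Error1. Please try again']), PHP_EOL;
}
```

Because the stored value is a hash, the "compare against $_POST" step from option 2 cannot be a plain string equality; password_verify() does the comparison, and the check is done before the UPDATE so an invalid current password never touches the row. Note that on MySQL, PDOStatement::rowCount() for an UPDATE reports rows actually changed, which is fine here because a fresh password_hash() output always differs from the previous value.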