Add few lines of code in php - php

Errors
I have written a PHP program which takes the user's new and old passwords. My code is running well, but now I have to add a few lines of code to my PHP program.
This is the PHP code which I have written, and I want to add a few lines of code to it, but when I write the new code it works but it shows new errors. The code which I have to write is a warning to the user that the "new password should be different with old password". This code warns the user when the user clicks the submit button with a new password that is the same as the old password.
This is my PHP program:
<?php
session_start();
// if ($_SESSION['user_name'] != "")
// {
// header("location:account.php");
// }
include('connection.php');
// header("Refresh: 20; URL=welcome.php");
// header("Refresh: 20; URL=http://www.stackoverflow.com/");
if(isset($_POST['submit']))
{
$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
$query = $con->prepare("select password from tbl_users WHERE id = :user_id");
$query->bindParam(':user_id', $_SESSION['id']);
$query->setFetchMode(PDO::FETCH_ASSOC);
$query->execute();
$fetch = $query->fetch();
$old_pass = $fetch['password'];
if($old_password == $old_pass){
$stmt = $con->prepare("UPDATE tbl_users SET password = (:pass) WHERE id = :user_id");
$stmt->bindParam(':pass', $new_password, PDO::PARAM_STR);
$stmt->bindParam(':user_id', $_SESSION['id']);
// $stmt->execute();
$stmt->execute();
header("location:account.php");
}
else
{
echo "<script>alert('Wrong password! Enter your valid old password')</script>";
}
}
?>
HTML Code:
<!DOCTYPE html>
<html>
<head>
<title>project</title>
<link rel="stylesheet" type="text/css" href="css/bootstrap.min.css">
<link rel="stylesheet" type="text/css" href="registration.css">
<script type="text/javascript" src="js/bootstrap.min.js"></script>
<script type="text/javascript" src="js/jquery-3.2.1.min.js"></script>
</head>
<body>
<header><h1>Change Password</h1></header>
<form method="post" action="renew.php">
<br />
<input type="password" id="pwd2" placeholder="Enter your old password" name="old_password" required />
<br />
<input type="password" id="pwd1" placeholder="Enter your new password" name="new_password" required />
<center>
<!-- <div class="form-group"> -->
<div id="setPasswordMessage" style="display: none;"></div>
<!-- </div> -->
</center>
<br />
<div class="buttons">
<input type="submit" disabled="submit" class="btn" name="submit" value="Save">
</div>
<br />
</form>
<footer><h3>Copyright © vu.edu.pk (S1701F607E)</h3></footer>
<script type="text/javascript">
$(document).ready(function() {
var pwd1 = $('#pwd1'); //id of first password field
var pwd2 = $('#pwd2'); //id of second password field
var pwdIdSet = $('#setPasswordMessage'); //id of indicator element
setCheckPasswordStrength(pwd1,pwd2,pwdIdSet); //call password check function
});
function setCheckPasswordStrength(pwd1, pwd2, pwdIdSet)
{
/*=========== Start: Set Password Cretria Regular Expression ===================*/
//Password must contain 5 or more characters
var lowPassword = /(?=.{5,}).*/;
//Password must contain at least one digit and lower case letters .
var mediumPassword = /^(?=\S*?[a-z])(?=\S*?[0-9])\S{5,}$/;
//Password must contain at least one digit, one upper case letter and one lower case letter.
var averagePassword = /^(?=\S*?[A-Z])(?=\S*?[a-z])(?=\S*?[0-9])\S{5,}$/;
//Password must contain at least one digit, one upper case letter and one lower case letter.
var strongPassword = /^(?=\S*?[A-Z])(?=\S*?[a-z])(?=\S*?[0-9])(?=\S*?[^\w\*])\S{5,}$/;
/*=========== End: Set Password Cretria Regular Expression ===================*/
// test() method is used to test match in a string whether the value is matched in a string or not.
$(pwd1).on('keyup', function(e) {
var len = $('#pwd1').val().length;
document.getElementById("setPasswordMessage").style.display="block";
if(strongPassword.test(pwd1.val()))
{
pwdIdSet.removeClass().addClass('strongPassword').html("Strong! Please use this password!").css("display","block");
$(':input[type="submit"]').prop('disabled', false);
}
else if(averagePassword.test(pwd1.val()))
{
pwdIdSet.removeClass().addClass('averagePassword').html("Average! Tips: Enter special characters to make even stronger").css("display","block");
$(':input[type="submit"]').prop('disabled', true);
}
else if(mediumPassword.test(pwd1.val()))
{
pwdIdSet.removeClass().addClass('mediumPassword').html("Good! Tips: Enter uppercase letter to make strong").css("display","block");
$(':input[type="submit"]').prop('disabled', true);
}
else if(lowPassword.test(pwd1.val()))
{
pwdIdSet.removeClass().addClass('stilllowPassword').html("Still Weak! Tips: Enter digits to make good password").css("display","block");
$(':input[type="submit"]').prop('disabled', true);
}
else if(len < 1)
{
pwdIdSet.removeClass('lowPassword');
$('#setPasswordMessage').css("display","none");
$(':input[type="submit"]').prop('disabled', true);
}
else
{
pwdIdSet.removeClass().addClass('lowPassword').html("Very Weak! Please use 5 or more chars password)").css("display","block");
$(':input[type="submit"]').prop('disabled', true);
}
});
// $(pwd2).on('keyup', function(e) {
// if(pwd1.val() !== pwd2.val())
// {
// pwdIdSet.removeClass().addClass('lowPassword').html("Passwords do not match!");
// }else{
// pwdIdSet.removeClass().addClass('goodpass').html("Passwords match!");
// }
// });
}
</script>
</body>
</html>
I have to add this code to the PHP code, but in which place and how?
if($old_password == $new_password)
{
echo "<script>alert('New password should be different with old password')</script>";
}

Put the check right before you do the query.
<?php
session_start();
// if ($_SESSION['user_name'] != "")
// {
// header("location:account.php");
// }
include('connection.php');
// header("Refresh: 20; URL=welcome.php");
// header("Refresh: 20; URL=http://www.stackoverflow.com/");
if(isset($_POST['submit']))
{
$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
if ($old_password == $new_password) {
echo "<script>alert('New password should be different with old password')</script>";
} else {
$query = $con->prepare("select password from tbl_users WHERE id = :user_id");
$query->bindParam(':user_id', $_SESSION['id']);
$query->setFetchMode(PDO::FETCH_ASSOC);
$query->execute();
$fetch = $query->fetch();
$old_pass = $fetch['password'];
if($old_password == $old_pass){
$stmt = $con->prepare("UPDATE tbl_users SET password = (:pass) WHERE id = :user_id");
$stmt->bindParam(':pass', $new_password, PDO::PARAM_STR);
$stmt->bindParam(':user_id', $_SESSION['id']);
// $stmt->execute();
$stmt->execute();
header("location:account.php");
}
else
{
echo "<script>alert('Wrong password! Enter your valid old password')</script>";
}
}
}
?>

PHP throws an error if a header is sent after any output. Thus, if you have any output before header("location:account.php");, an error will occur. Try setting the new location via JS instead:
// header("location:account.php");
echo "<script>document.location.href = 'account.php';</script>";
The full code will look something like this:
if($old_password == $old_pass){
if($old_password == $new_password)
{
echo "<script>alert('New password should be different with old password')</script>";
} else {
$stmt = $con->prepare("UPDATE tbl_users SET password = (:pass) WHERE id = :user_id");
$stmt->bindParam(':pass', $new_password, PDO::PARAM_STR);
$stmt->bindParam(':user_id', $_SESSION['id']);
// $stmt->execute();
$stmt->execute();
// header("location:account.php");
echo "<script>document.location.href = 'account.php';</script>";
}
}
else....

You should put this check after you set the variables $old_password and $new_password and before you execute any database queries (you don't want to execute these if old and new password are the same):
if(isset($_POST['submit']))
{
$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
if($old_password == $new_password)
{
echo "<script>alert('New password should be different with old password')</script>";
}
else
{
$query = $con->prepare("select password from tbl_users WHERE id = :user_id");
$query->bindParam(':user_id', $_SESSION['id']);
$query->setFetchMode(PDO::FETCH_ASSOC);
$query->execute();
$fetch = $query->fetch();
$old_pass = $fetch['password'];
if($old_password == $old_pass){
$stmt = $con->prepare("UPDATE tbl_users SET password = (:pass) WHERE id = :user_id");
$stmt->bindParam(':pass', $new_password, PDO::PARAM_STR);
$stmt->bindParam(':user_id', $_SESSION['id']);
// $stmt->execute();
$stmt->execute();
header("location:account.php");
}
else
{
echo "<script>alert('Wrong password! Enter your valid old password')</script>";
}
}
}
And while it has nothing to do with coding, I just wanted to note that your error message is not correct English. Something is "different from" something else, not "different with". Use this:
Your new password must be different from your old password
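The answers above settle where the check goes and why output must not precede header(). The following is an added example, not code from the question or its answers, that puts both points into one function and lets the caller redirect before anything is echoed. It goes beyond the thread in one respect: it assumes the password column holds password_hash() output rather than the plaintext the question compares with ==. The function name, status strings and the in-memory SQLite database are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Added example: table and column names follow the question (tbl_users, id, password).
// changePassword() and its status strings are hypothetical.

function changePassword(PDO $con, int $userId, string $old, string $new): string
{
    // Cheap check first: no database work if the new password equals the old one.
    if (hash_equals($old, $new)) {
        return 'same_password';
    }

    $query = $con->prepare('SELECT password FROM tbl_users WHERE id = :user_id');
    $query->execute([':user_id' => $userId]);
    $row = $query->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches; treat that like a wrong password.
    if ($row === false || !password_verify($old, $row['password'])) {
        return 'wrong_password';
    }

    // Assumption: the column stores a password_hash() string, not the password itself.
    $stmt = $con->prepare('UPDATE tbl_users SET password = :pass WHERE id = :user_id');
    $stmt->execute([
        ':pass'    => password_hash($new, PASSWORD_DEFAULT),
        ':user_id' => $userId,
    ]);
    return 'changed';
}

// Constructed demo data: in-memory SQLite stands in for connection.php.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec('CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, password TEXT NOT NULL)');
$con->prepare('INSERT INTO tbl_users (id, password) VALUES (1, ?)')
    ->execute([password_hash('Old-pass1!', PASSWORD_DEFAULT)]);

$attempts = [
    ['Old-pass1!', 'Old-pass1!'],  // new equals old
    ['a-guess',    'New-pass2!'],  // old password wrong
    ['Old-pass1!', 'New-pass2!'],  // valid change
];
foreach ($attempts as [$old, $new]) {
    echo changePassword($con, 1, $old, $new), PHP_EOL;
}

// In renew.php the caller acts on the status before sending any output:
//   'changed'  -> header('Location: account.php'); exit;
//   otherwise  -> render the form with the matching message.
```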

Related

Link is auto visited by simply opening email in client?

I've created a register and email verification system on my website. The process is as follows:
User submits email and password
Verification link is emailed
User info is swapped from unverified to verified DB if link is visited
However, I've noticed an interesting "bug" if you'd even call it that.
If I simply open the email in Hotmail without even visiting the link, somehow the user info is swapped from unverified to verified as if the link was clicked.
I'm baffled...
How is this so? Why would this be occurring?
You can try it for yourself by visiting http://www.pillar.fyi/redflagreviews/signinup.php/
By default, the slider is in the "register" position, whereas the other position is for logging in.
PHP (it's messy, forgive me)
<?php
session_start();
session_regenerate_id();
if ($_SESSION["session"])
{
echo "<script type='text/javascript'> location.href = 'http://www.pillar.fyi/redflagreviews/index.php' </script>";
}
else
{
if (!empty($_SERVER["QUERY_STRING"])) # ... && regex to filter out junk
{
parse_str($_SERVER["QUERY_STRING"]);
include "include/connect.php";
# compare token
$statement = $connect->prepare("SELECT entry_time, account_email, account_password, token FROM users_unverified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $email);
$statement->execute();
$result = $statement->fetch(PDO::FETCH_ASSOC);
if ($result["token"]
&& $result["token"] === $token
&& $result["entry_time"] > time() - 600) # token matches
{
# move info to users_verified
$statement = $connect->prepare("INSERT INTO users_verified (account_email, account_password, joined) VALUES (:account_email, :account_password, :joined)");
$statement->bindParam(":account_email", $result["account_email"]);
$statement->bindParam(":account_password", $result["account_password"]);
$statement->execute(array(
":account_email" => $result["account_email"],
":account_password" => $result["account_password"],
":joined" => date("Y-m-d")
));
# delete old entry
$statement = $connect->prepare("DELETE FROM users_unverified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $email);
$statement->execute();
# now redirect to login screen (or update message)
echo "Your email address has been verified and is now active. Sign in below to begin sharing!";
$connection = null; # may be useless
}
else # being hacked or token has expired
{
if ($result["token"]) { echo 'true'.'<br><br>'; }
else { echo '1. false -- $result["token"] -- '.$result["token"].'<br><br>'; }
if ($result["token"] === $token) { echo 'true'.'<br><br>'; }
else { '2. false -- $result["token"] === $token -- ' . $result["token"]. ' === ' .$token.'<br><br>'; }
if ($result["entry_time"] > time() - 600) { echo 'true'.'<br><br>'; }
else { '3. false -- $result["entry_time"] > time() - 600 -- '. $result["entry_time"] . ' > ' . time() - 600 .'<br><br>'; }
echo "Your verification code has expired. Would you like us to send you a new verification link?";
# if yes, then... (add num_id? to SELECT query above)
#####################################################
#####################################################
}
}
else # might cause issues as ELSE
{
if ($_SERVER["QUERY_STRING"]) echo $_SERVER["QUERY_STRING"];
else echo 'query string is false<br><br>';
if ($_SERVER["REQUEST_METHOD"] === "POST")
{
include "include/connect.php";
if ($_POST["action"] === "0") # register
{
######################################
### ###
### prohibit certain domains ###
### such as spamgourmet.org ###
### ###
######################################
$statement = $connect->prepare("SELECT account_email FROM users_verified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $_POST["email"]);
$statement->execute();
$result = $statement->fetch(PDO::FETCH_ASSOC);
if ($result["account_email"]) # email already in use
{
echo "The email account " . $result['account_email'] . " has been registered already.";
}
else # new account, unknown email address
{
# first, check users_unverified to see if verification process is active
$statement = $connect->prepare("SELECT entry_time FROM users_unverified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $_POST["email"]);
$statement->execute();
$result = $statement->fetch(PDO::FETCH_ASSOC);
if ($result["entry_time"]
&& $result["entry_time"] > time() - 600) # verification process is already active
{
echo "Your account is awaiting verification. The verification code will remain active for another "."###"." Would you like us to resend the verification code?";
}
else # initiate the verification process
{
# delete old entry
$statement = $connect->prepare("DELETE FROM users_unverified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $_POST["email"]);
$statement->execute();
# send verification code
echo "An email with a verification link has been sent to your email address. Please verify your ownership of the email account by clicking the link in that email. The verification code will expire in 10 minutes!";
$password = password_hash($_POST["password"], PASSWORD_DEFAULT);
$token = md5($password, FALSE);
$statement = $connect->prepare("INSERT INTO users_unverified (entry_time, account_email, account_password, token) VALUES (:entry_time, :account_email, :account_password, :token)");
$statement->execute(array(
":entry_time" => time(),
":account_email" => $_POST["email"],
":account_password" => $password,
":token" => $token
));
# send verification email
include "include/sanitize.php";
$email = sanitize($_POST["email"]);
mail($_POST["email"],
"Account Verification",
"Please click the following link to activate your account: http://www.pillar.fyi/redflagreviews/signinup.php/?email=".$email."&token=".$token,
"From: aj#pillar.fyi",
"-f aj#pillar.fyi");
}
}
$connect = null;
}
else # sign in
{
$statement = $connect->prepare("SELECT account_password FROM users_verified WHERE account_email = :account_email");
$statement->bindParam(":account_email", $_POST["email"]);
$statement->execute();
$result = $statement->fetch(PDO::FETCH_ASSOC);
if ($result["account_password"]
&& password_verify($_POST["password"], $result["account_password"])) # successfully logged in, redirect to main page
{
$connect = null;
$_SESSION["session"] = $_POST["email"];
echo "<script type='text/javascript'> location.href = 'http://www.pillar.fyi/redflagreviews/index.php' </script>";
}
else if ($result["account_password"]) # failed login
{
echo "That is the wrong password.";
$idPersist = $_POST["email"]; # maybe sanitize?
}
else {
echo "That account does not exist.";
}
}
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>‎</title>
<meta charset="UTF-8">
<!--link href="css/index.css" rel="stylesheet"-->
</head>
<body>
<form accept-charset="UTF-8" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" enctype="application/x-www-form-urlencoded" method="POST">
<input type="range" name="action"
min="0" max="1" step="1" value="0" id="action"
> <!-- use PHP variable to set as register or sign in -->
<input type="text" name="email" placeholder="email" value="<?php echo $idPersist; ?>" <?php if (!$idPersist) echo "autofocus"; ?> required>
<input type="password" name="password" placeholder="password" <?php if ($idPersist) echo "autofocus"; ?> required autocomplete>
<input type="submit" value="➥">
</form>
<!--script type="text/javascript" src="js/index.js"></script-->
</body>
</html>
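The question above has no answer on this page. Assuming the cause is an automated GET request for the mailed link (for example a scanner or preview fetch on the mail provider's side; this is an assumption, not something the page confirms), the following added example, which is not the poster's code, keeps GET free of side effects and moves the account only on a POST from a confirmation form. It also replaces the md5-of-password-hash token with a random one stored as a hash. Table and column names follow the question; the function names, status strings and SQLite demo database are hypothetical.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 600; // seconds: the 10-minute window used in the question

// Create the pending row and return the raw token for the mailed link.
function issueVerification(PDO $db, string $email, string $passwordHash): string
{
    $token = bin2hex(random_bytes(32)); // unguessable and unrelated to the password
    $db->prepare('DELETE FROM users_unverified WHERE account_email = ?')->execute([$email]);
    $db->prepare('INSERT INTO users_unverified (entry_time, account_email, account_password, token)
                  VALUES (?, ?, ?, ?)')
       ->execute([time(), $email, $passwordHash, hash('sha256', $token)]); // store only a hash
    return $token;
}

// $method is $_SERVER['REQUEST_METHOD'] in the real page.
function handleVerification(PDO $db, string $method, string $email, string $token): string
{
    if ($method !== 'POST') {
        // Opening the link only renders a "Confirm my address" form that
        // posts email and token back. Nothing is written on GET.
        return 'show_confirm_form';
    }

    $stmt = $db->prepare('SELECT entry_time, account_password, token
                          FROM users_unverified WHERE account_email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false
        || !hash_equals($row['token'], hash('sha256', $token))
        || (int) $row['entry_time'] <= time() - TOKEN_TTL) {
        return 'invalid_or_expired';
    }

    // Move the row atomically so a crash cannot leave the account in both tables.
    $db->beginTransaction();
    $db->prepare('INSERT INTO users_verified (account_email, account_password, joined)
                  VALUES (?, ?, ?)')
       ->execute([$email, $row['account_password'], date('Y-m-d')]);
    $db->prepare('DELETE FROM users_unverified WHERE account_email = ?')->execute([$email]);
    $db->commit();
    return 'verified';
}

// Constructed demo: in-memory SQLite stands in for include/connect.php.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users_unverified (entry_time INTEGER, account_email TEXT,
                                          account_password TEXT, token TEXT)');
$db->exec('CREATE TABLE users_verified (account_email TEXT, account_password TEXT, joined TEXT)');

$email = 'user@example.test'; // constructed address
$token = issueVerification($db, $email, password_hash('constructed-pass', PASSWORD_DEFAULT));

echo handleVerification($db, 'GET',  $email, $token), PHP_EOL;   // automated fetch of the link
echo handleVerification($db, 'POST', $email, 'wrong'), PHP_EOL;  // bad token
echo handleVerification($db, 'POST', $email, $token), PHP_EOL;   // user pressed the button
echo handleVerification($db, 'POST', $email, $token), PHP_EOL;   // replay of a used token
```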

My cookies are not being set after the login form has been sent

I have a login script and a functions.php script to check if the session username and cookie are set. When the user logs in, if they select the remember me, the cookie is supposed to set. But the problem is that, the script works, but the cookie doesn't set so the user is not being logged in. I've searched through so many topics on here and tried as many solutions as possible, but I still either get the same result or end up giving me more errors.
if (isset($_POST['rem']) && $_POST['rem'] == 'on') {
setcookie('MCLatestUser', $token, 31622400, '/');
session_regenerate_id(true);
}
This is the part of the code that should set the cookie if remember is checked.
Log.php (Since I use an ajax login script, the url is set to this):
<?php
include_once 'db.php';
include_once 'functions.php';
error_reporting(-1);
if(isset($_POST['email'])) {
$email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_STRING);
$password = $mysqli->real_escape_string($_POST['password']);
try {
$check = mysqli_query($mysqli, "SELECT * FROM users WHERE email='$email'");
$res = mysqli_num_rows($check);
if($res > 0) {
while($run = mysqli_fetch_array($check, MYSQLI_ASSOC)) {
$blocked = $run['blocked'];
$deactivated = $run['deactivated'];
$paused = $run['paused'];
$verified = $run['verified'];
$rank = $run['rank'];
$token = $run['token'];
$pass = $run['password'];
$pbackup = $run['pbackup'];
if($verified == 'true') {
if($blocked == 'true') {
echo 'Looks like your account was blocked. If you think this is an error, please contact an admin via support#mclatest.com';
} else if($deactivated == 'true') {
echo 'Looks like your account has been deactivated. If you think this is an error, please contact an admin via support#mclatest.com';
} else if($paused == 'true') {
echo 'Looks like your account is frozen. If you think this is an error, please contact an admin via support#mclatest.com';
} else {
if(password_verify($password, $pass)) {
$timestamp = time();
// Authenticated, set session variables
$_SESSION['username'] = $run['username'];
if (isset($_POST['rem']) && $_POST['rem'] == 'on') {
setcookie('MCLatestUser', $token, 31622400, '/');
session_regenerate_id(true);
}
$sql = mysqli_query($mysqli, "UPDATE users SET Ip = '$ipaddress', login_ip = '$ipaddress', latest_login_date = '$now', login_date = '$date', login_time = '$time', login_day = '$day', login_month = '$month', login_year = '$year', status = '$timestamp' WHERE email = '$email'");
if($sql) {
echo "Success!";
} else {
echo "Error login in";
}
// do stuffs
} else if(password_verify($password, $pbackup)) {
$timestamp = time();
// Authenticated, set session variables
$_SESSION['username'] = $run['username'];
if (isset($_POST['rem']) && $_POST['rem'] == 'on') {
setcookie('MCLatestUser', $token, 31622400, '/');
session_regenerate_id(true);
}
$sql = mysqli_query($mysqli, "UPDATE users SET Ip = '$ipaddress', login_ip = '$ipaddress', latest_login_date = '$now', login_date = '$date', login_time = '$time', login_day = '$day', login_month = '$month', login_year = '$year', status = '$timestamp' WHERE email = '$email'");
if($sql) {
echo "Success!";
} else {
echo "Error login in";
}
// do stuffs
} else {
echo "<h4 style='font-weight:bold;font-family:arial;margin:8px'>Your password is incorrect, please try again. If you still get this error after using your backup password, please <a href='https://mclatest.com/community/reset.php?r=password'>reset</a> your password</h4>";
}
}
} else {
echo "<h4 style='font-weight:bold;font-family:arial;margin:8px'>You need to verify your account. Please click this link to <a href='https://mclatest.com/community/confirm.php?email=".$email."&token=".$token."'>verify your account</a></h4>";
}
}
} else {
echo 'No records of that user have been found!';
}
} catch(PDOException $e){
echo $e->getMessage();
}
} else {
echo "Invalid email";
}
Login.php (the html and ajax form):
<form id="login_form" style="text-align:center" method="post">
<script>
$(document).ready(function() {
$("#login").click(function(e) {
e.preventDefault();
var email = $("#email").val();
if (email = "") {
$("#error_msg").html("<h4>Email cannot be empty</h4>");
} else {
var data = $("#login_form").serialize();
$.ajax({
type: "POST",
url: "../inc/log.php",
data: data,
beforeSend: function() {
$("#error_msg").fadeOut();
$("#login").val('sending ...');
},
success: function(data) {
if (data == "Success!") {
// alert("Works"); //for testing purposes
window.location.href = "index.php";
} else {
$("#error_msg").fadeIn(1000, function() {
$("#error_msg").html('<div style="border:1px solid: red; background:rgba(255,0,0,0.9;)">'+data+'!</div>');
$("#login").val('Login');
});
}
},
error: function(data) {
alert("Process Failed!");
}
});
return false;
}
});
});
</script>
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label ">
<label for="input_email" class="mdl-textfield__label">Email</label>
<input type="email" name="email" class="mdl-textfield__input" maxlength="255" id="input_email" />
</div>
<br>
<div class="mdl-textfield mdl-js-textfield mdl-textfield--floating-label">
<label for="input_password" class="mdl-textfield__label">Password</label>
<input type="password" name="password" class="mdl-textfield__input" maxlength="255" id="input_password" />
</div>
<br>
<label style="width:auto !important" for="remember_me" class="mdl-checkbox mdl-js-checkbox mdl-js-ripple-effect" >
<input name="rem" type="checkbox" id="remember_me" class="mdl-checkbox__input" checked />
<span class="mdl-checkbox__label">Stay logged in?</span>
</label>
<br>
<nav style="width:auto !important;display:-webkit-box;-webkit-box-pack:center" class="mdl-navigation">
<a class="mdl-navigation__link" href="forgot.php?ftype=password">Forgot Password?</a> |
<a class="mdl-navigation__link" href="register.php">Register?</a>
</nav>
<br>
<input type="submit" id="login" class="mdl-button mdl-js-button mdl-button--raised mdl-js-ripple-effect" name="login" value="Login"/>
</form>
functions.php (this is the portion of the script to check the session and cookie variables):
function loggedIn() {
if (isset($_SESSION['username']) && !empty($_SESSION['username']) && isset($_COOKIE['MCLatestUser'])) {
return true;
} else {
return false;
}
}
Script works but cookies aren't being sent. I'm at my wits end here, been working on this for over 4-5 hours now, had over 35 chrome tabs open just to figure this out. I am probably overlooking a minor detail. Login Page Link
It works if I remove the && $_COOKIE['MCLatestUser'] from the function script.
setcookie('MCLatestUser', $token, 31622400, '/');
This method has some problems in the third parameter. It should be based on the current time.
PHP: setcookie - Manual
I figured it out. It turns out it was the browser's fault. I tried it on Microsoft Edge and Mozilla Firefox and it worked. So I looked about for that issue and all I had to do was clear my cookies and site data on chrome. Thank you to those who helped and those who wanted to but couldn't/didn't.

login form with php and ajax

I don't know where my problem is... I am trying to do a simple sign-in form using ajax, jQuery and PHP... The problem is that $result always returns false.
I am really new at this; hope you can all help me.
PHP code:
<?php
if(isset($_POST['user_name']) && isset($_POST['password']))
{
$user_name=mysql_real_escape_string($_POST['user_name']);
$password=$_POST['password'];
$sql = "SELECT * FROM users WHERE
userName = '$user_name' AND password = '$password'";
$result = mysql_query($sql);
if($result === true)
echo $user_name;
else
echo 'Error';
}
?>
The form itself:
<!DOCTYPE html>
<html>
<head>
<script src="jquery-2.1.1.js"></script>
<link rel="stylesheet" type="text/css" href="sign_in.css">
</head>
<body>
<div id="sign_in_wrapper">
<textarea id="user_name"></textarea>
<textarea id="password"></textarea>
<button id="sign_in_button">Sign In!</button>
</div>
<div id="error"></div>
<script>
$('#sign_in_button').click(function () {
var user_name = $('textarea#user_name').val();
var password = $('textarea#password').val();
signIn(user_name,password);
});
function signIn(user_name, password)
{
$.ajax({
type: "POST",
url: "sign_in.php",
data: "user_name="+user_name+"&password="+password,
success: function(result)
{
if(result = 'Error')
document.getElementById("error").innerHTML ='user name and password are not match';
else
document.getElementById("sign_in_wrapper").innerHTML ='Welcome back '+result;
}
})}
</script>
</body>
</html>
I changed my php code:
<?php
if(isset($_POST['user_name']) && isset($_POST['password']))
{
$user_name=mysql_real_escape_string($_POST['user_name']);
$password=$_POST['password'];
$sql = "SELECT * FROM users WHERE
userName = '$user_name' AND password = '$password'";
$result = mysql_query($sql);
$result_rows = mysql_num_rows($result); // <-- this is the way to check the result
if($result_rows)
// OK
echo $user_name;
else
// Bad login
echo 'Error';
}
?>
Now I'm getting a different error:
"Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in C:\wamp\www\Project\sign_in.php on line 10"
Line 10 is: $result_rows = mysql_num_rows($result);
and thank you all for your quick answers!
This is because:
$result = mysql_query($sql);
will always return true (Resource# in your case if the SQL query is OK). There is no need to have such row with checked username/password.
You have to:
$result = mysql_query($sql);
$result_rows = mysql_num_rows($result); // <-- this is the way to check the result
if($result_rows)
// OK
echo $user_name;
else
// Bad login
echo 'Error';
check your line here
data: "user_name="+user_name+"&password="+password,
the proper format would be
data: {user_name:user_name,password:password},
also here
if(result = 'Error')
document.getElementById("error").innerHTML ='user name and password are not match';
else
document.getElementById("sign_in_wrapper").innerHTML ='Welcome back '+result;
you're assigning in your if/else statement to your result
try changing result == 'Error'
and yeah change this also
if($result === true)
echo $user_name;
else
echo 'Error';
with
if ($result) {
echo $user_name;
}else {
echo 'Error';
}
if($result === true)
The result will never be true. It will either be FALSE or a resource.
Use if ($result) instead and then test (with mysql_num_rows or (preferably) a modern equivalent) how many rows you got back (since a successful query with no matching rows will give you a result).
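The last answer points to a "modern equivalent" of mysql_num_rows. The following added example, which is not code from this thread, shows that shape with PDO: a query that succeeds but matches no row is told apart from a match by checking what fetch() returns. It assumes the password column stores password_hash() output instead of the plaintext compared in the question. Table and column names follow the question; signIn() and the demo rows are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names (users, userName, password) follow the question;
// signIn() and the demo data are hypothetical.

function signIn(PDO $db, string $userName, string $password): ?string
{
    // Placeholders keep the input out of the SQL text, so quotes in a value
    // cannot change the query. The password is never put into SQL at all.
    $stmt = $db->prepare('SELECT userName, password FROM users WHERE userName = :name');
    $stmt->execute([':name' => $userName]); // throws on SQL errors (ERRMODE_EXCEPTION)

    // A successful query can still match nothing: fetch() then returns false.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Assumption: the stored value is a password_hash() string.
    return password_verify($password, $row['password']) ? $row['userName'] : null;
}

// Constructed demo: in-memory SQLite instead of the MySQL server in the question.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (userName TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO users (userName, password) VALUES (?, ?)')
   ->execute(['alice', password_hash("it's-a-secret", PASSWORD_DEFAULT)]);

$attempts = [
    ['alice',  "it's-a-secret"], // correct; the quote in the password is harmless here
    ['alice',  'wrong'],         // row found, password mismatch
    ['nobody', "it's-a-secret"], // query succeeds, zero rows
];
foreach ($attempts as [$name, $pass]) {
    $user = signIn($db, $name, $pass);
    // Reply with exactly 'Error' or the user name, as the page's AJAX handler expects.
    echo $user === null ? 'Error' : htmlspecialchars($user, ENT_QUOTES, 'UTF-8'), PHP_EOL;
}
```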

PHP session variable clearing unexpectedly, db value check empty despite obvious match

I have been struggling with this one for hours and hours and just cannot figure out what I'm missing.
I'm trying to build a cookie-less login form that also has no information in session variables that would harm the app if an attacker would be able to modify them.
All of my pages have the below code included.
I have 2 issues:
Every time I click on another page it acts like $_SESSION['token'] was empty and goes to the login page like if it was the first visit.
It returns $tokenid and $tokentype empty however I'm calling them both every time a page is loading (aiming to avoid having to put them into a session variable).
This is my current code:
<?php
define('TIMEOUTMIN', 15);
define('LOCKOUTMIN', 10);
define('LOCKOUTNUM', 3);
include("includes/pp/pbkdf2.php"); // this is basically calling the validate_password function
include ("includes/vars/vars_dbconn.php"); // this contains the db data and $pdo
$userid = $_POST['userid'];
$userpw = $_POST['password'];
$deltoq = "UPDATE LoginUser SET token = ?, online = ? WHERE online < ?";
$prepdeltoq = $pdo->prepare($deltoq);
$prepdeltoq->execute(array(NULL,NULL,time()));
$loginq = "SELECT * FROM LoginUser WHERE ID = ?";
$preplq = $pdo->prepare($loginq);
$preplq->execute(array($userid));
$getuser = $preplq->fetch(PDO::FETCH_ASSOC);
$dbid = $getuser['ID'];
$dbpass = $getuser['hash'];
$dbbp = $getuser['bp'];
$dbltime = $getuser['ltimeout'];
$logintoq = "SELECT * FROM LoginUser WHERE token = ?";
$prepltq = $pdo->prepare($logintoq);
$prepltq->execute(array($_SESSION['token']));
$getoken = $prepltq->fetch(PDO::FETCH_ASSOC);
$tokenid = $getoken['ID'];
$tokentype = $getoken['type'];
$totoken = $getoken['token'];
$prolonglock = $pdo->prepare("UPDATE LoginUser SET ltimeout = ? WHERE ID = ?");
$addbp = $pdo->prepare("UPDATE LoginUser SET bp = ? WHERE ID = ?");
$loginwhen = $pdo->prepare("UPDATE LoginUser SET lastlogin = ? WHERE ID = ?");
$loginlogq = $pdo->prepare("INSERT INTO LoginUserLog (ID, action)
VALUES(:ID, :action)");
$logintokenid = $pdo->prepare("UPDATE LoginUser SET token = ? WHERE ID = ?");
$loginonid = $pdo->prepare("UPDATE LoginUser SET online = ? WHERE ID = ?");
$loginontok = $pdo->prepare("UPDATE LoginUser SET online = ? WHERE token = ?");
if(!function_exists('LoginUser')) {
function LoginUser($pwmessage) {
if (session_name() <> 'MyWebApp') session_name('WesoftskyLogin');
if (!session_id()) session_start();
$_SESSION['token'] = '';
include ("includes/header.php"); ?>
<meta name="description" content="Login - MyWebApp"/>
<title>Login - MyWebApp</title>
<script type="text/javascript">
event.keyCode == '';
function enterTab() {
if (event.keyCode == 13) {
var passInput = document.getElementById("password");
passInput.focus();
}
}
</script>
</head>
<body onkeyup="enterTab()">
<div id="homewrap">
<div id="hometitle">MyWebApp</div>
</div>
<div id="id_formwrap">
<form action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI'].$_SERVER['QUERY_STRING']); ?>" method="post">
<?php if (empty($pwmessage)) echo '<div>Please enter your login details</div>'; else echo '<div style="color:red">'.$pwmessage.'</div>'; ?><br />
Login ID<br />
<input type="text" name="userid" id="id" onKeyPress="return noenter(event)" /><br /><br />
<script>document.getElementById("id").focus()</script>
Password<br />
<input type="password" name="password" id="password" /><br /><br />
<input type="submit" name="login" id="Submit" value="Login" />
</form>
</div>
</body>
</html>
<?php exit();
}
}
if(!function_exists('ProlongTime')) {
function ProlongTime() {
global $userid;
global $logintokenid;
global $loginonid;
global $loginontok;
$timeoutodb = (time () + TIMEOUTMIN*60);
if (!empty($userid)) {
$_SESSION['token'] = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
$logintokenid->execute(array($_SESSION['token'], $userid));
$loginonid->execute(array($timeoutodb, $userid));
} else {
$loginontok->execute(array($timeoutodb, $_SESSION['token']));
}
}
}
if ($dbltime > time()) {
$lockcheck = time() + LOCKOUTMIN*60;
$prolonglock->execute(array($lockcheck,$userid));
LoginUser('Your account is currently locked');
}
if(isset($_POST['logout'])) {
$action = "Logged OUT";
$loginlogq->execute(array(':ID' => $tokenid, ':action' => $action));
LoginUser('Logged out');
}
if (isset($_POST['login'])) {
if ($dbid AND validate_password($userpw, $dbpass)) { // Good login info
//session_regenerate_id(true);
$action = "Logged IN";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
$loginwhen->execute(array(time(), $userid));
$addbp->execute(array(NULL, $userid));
ProlongTime();
} else { // Bad login info
if ($dbbp >= LOCKOUTNUM-1) {
$lockbp = time() + LOCKOUTMIN*60;
$prolonglock->execute(array($lockbp,$userid));
$action = "Locked (wrong password)";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
LoginUser('Your account has been locked');
}
$addbp->execute(array($dbbp+1, $userid));
$action = "Failed login";
$loginlogq->execute(array(':ID' => $userid, ':action' => $action));
LoginUser('Username or password is incorrect');
}
} elseif (empty($_SESSION['token'])) { // Loading the page first time (new session)
LoginUser('');
} elseif ($_SESSION['token'] <> $totoken) { // Session timeout
$action = "Logged OUT (expired)";
$loginlogq->execute(array(':ID' => $tokenid, ':action' => $action));
echo 'tokenid: '.$tokenid;
} else ProlongTime(); // While using the app and still within time
$pdo = null;
?>
You need to put
session_start()
in the starting of the page.

PHP current password not the same as in database

I created a function to edit the user password; here is the function code.
function updateUser ()
{
$current = md5($_POST['cpassword']);
$new = md5($_POST['npassword']);
$newc = md5($_POST['npasswordc']);
$name = $_POST['username'];
connectDB();
$check = mysql_query("SELECT password FROM user WHERE user_name = '$name'")
or die(mysql_error());
if ($check != $current) {
?> <div id="error">
<?php die('Current password is wrong. Press back to try again.'); ?>
</div> <?php
}
if ($new == $newc) :
$sql = "UPDATE user SET password = '$new' WHERE user_name = '$name'";
execute($sql);
?> <div id="error">
<?php die('Password Successfully Updated. Back to dashboard');
?> </div> <?php
else : ?> <div id="error">
<?php die('New Password did not match. Press back to try again');
?> </div> <?php
endif;
}
The values will be passed by the form on a different page; everything seems to work fine. When I try to change the password, it says successful, and when I check in the database, the md5 value is changing, which means the password was changed.
But when I try to change the password of the same username, I still need to enter the old password for the current password, even though in the database it has already changed?
What seems to be the problem?
Thank you
$check is a mysql resource, not a value. You might do
if($check && (mysql_num_rows($check) > 0))
{
$res = mysql_fetch_assoc($check);
if($res['password'] != $current) {
Be careful of SQL injections, you should do at least
$name = mysql_real_escape_string($_POST['username']);
before entering it into the query.
Also, md5 is a weak hashing algorithm; I strongly suggest you use a SALT, and better hash algos like at the very least sha1() or better go for the sha2 family (sha256, sha512, for ex) or bcrypt.
I have changed your code... maybe it works. Also watch the comments; they explain something, maybe it helps:
function updateUser ()
{
$current = md5($_POST['cpassword']);
$new = md5($_POST['npassword']);
$newc = md5($_POST['npasswordc']);
// first check if the passwords match; if not, why waste the connection
if ($new == $newc) {
$name = $_POST['username'];
connectDB();
// why not checking your pass in the query
// when a result is zero it means there is no match found
$check = mysql_query("SELECT password FROM user WHERE user_name = '{$name}' AND password = '{$current}'") or die(mysql_error());
$result = mysql_fetch_assoc($check);
// You were checking a resource with a string(MD5)?
if (mysql_num_rows($check) == 0) {
?><div id="error">
<?php die('Current password is wrong. Press back to try again.'); ?>
</div><?php
return false;
} else {
// update the query with the ID you got from the check..
// why? because a ID is always unique
$sql = "UPDATE user SET password = '{$new}' WHERE user_id = '{$result['user_id']}'";
execute($sql);
?><div id="error">
<?php echo 'Password Successfully Updated. Back to dashboard';
?></div><?php
return true;
}
} else {
?><div id="error">
<?php echo 'New Password did not match. Press back to try again';
?></div><?php
return false;
}
}
