I've a problem when updating the old password with the new one password_hash, it always said Old password is wrong.
The table: pegawai
Field: nokom, nama, uol1
Here's my code:
<?php session_start();
require "config.php";
$nokom = $_POST['nokom'];
$pswlama = password_hash($_POST['pswlama'], PASSWORD_DEFAULT);
$pswbaru = password_hash($_POST['pswbaru'], PASSWORD_DEFAULT);
$cari = "SELECT * FROM pegawai WHERE nokom ='".$nokom."'";
$result = mysqli_query($conn,$cari);
if (mysqli_num_rows($result) > 0)
{
while ($data = mysqli_fetch_array($result))
{
if(password_verify($pswlama, $data['uol1']))
{
$perintah = "UPDATE pegawai SET uol1 = '$pswbaru' WHERE nokom = '$nokom' ";
if (mysqli_query($conn, $perintah))
{
echo "<script>alert('Success');location.replace('home.php')</script>";
}
else
{
echo "Error updating record: " . mysqli_error($conn);
}
}
else
{
echo "<li>Old password is wrong!</li>";
}
}
}
else
{
echo "Data not found";
}
?>
Any help will be great, thanks.
You are putting a hash in both arguments of password_verify. Read the manual of password_verify and you'll see that the first argument is not supposed to be a hash, but the password itself to compare against the hashed password (argument 2) that is stored in your database.
You are hashing the password before you pass it to password_verify here:
$pswlama = password_hash($_POST['pswlama'], PASSWORD_DEFAULT);
...
if(password_verify($pswlama, $data['uol1']))
You should be passing $_POST['pswlama'] directly to password_verify.
change this
$pswlama = password_hash($_POST['pswlama'], PASSWORD_DEFAULT);
to this. password_verify will handle the rest.
$pswlama = $_POST['pswlama'];
keep the rest of your code the same.
Related
I want use password_verify to login, and this is my code
$DB1->select('Idx,Email,Password');
$DB1->from('User');
$DB1->where('Email',$Email);
$result = $DB1->get()->result();
// get_where('4SUser',array('Email' => $Email))->result();
if(password_verify($this->input->post('Password'), $result[0]->Password)) {
$this->response("Login Success");
} else {
$this->response("Login Failed");
}
And then, this is when I join the member use password_hash
---update change
$hash = password_hash($this->input->post('Password'), PASSWORD_DEFAULT);
I don't know why it returns error;
use password tester1234 and in DB, $2y$10$FZ7WV5cn5OL58t5hgM3cBeb2NRfXk7IrxNzyBiBMYZA.HYtXSSDjS
this is DB value.
But when I test hash_password when I input the password,
"$2y$10$KP1MG1abyMBD/gR82WmKoONvW/VvblYix13We6MNeRKdbDg0ufRQC"
"$2y$10$2H7Lx340yXWBFXFgv2LUJuN.luODBmJtNwfrCVQh2A37O0Es9Ud/K"
"$2y$10$.xUl/0zKnt.m26MSVwUBDOFVx29Bd8XxNyI.t7RqonfP8pmwIIVRC"
Every Time changes
Is it cause the error of doesn't match the password?
please help me
---update question
$HashInputPassword = password_hash($this->input->post('Password'), PASSWORD_DEFAULT);
$UserPassword = $result[0]->Password;
if($HashInputPassword === $UserPassword) {
$this->response("Login Success");
} else {
$this->response("Login Failed");
}
I'm writing log in code for the only user in my db.
But the password_verify function doesn't seem to work. When I echo both the hash from the db and the password written in the form, I see them, so there's no problem with the query or the $_POST.
Here's my code:
the log in:
$passwordFromForm = htmlspecialchars($_POST['password']);
$nmbr = 12; // it's the user's id.
$sql = "SELECT * FROM user WHERE iduser = $nmbr";
$res = mysqli_query($conn, $sql);
// $row = mysqli_fetch_assoc($res);
while($row = $res->fetch_assoc()) {
$hashFromDB = $row['hash'];
}
if(password_verify($passwordFromForm, $hashFromDB)) {
echo "success";
header("Location: ../admin.php");
}
else {
echo "The hash is:" . $hashFromDB . "and the pass is:" . $passwordFromForm;
//this echoes the correct hash and string
}
Thanks in advance.
The function password_verify() is dependent with password_hash(), you can check the algorithm password_hash() used whether the same with password_verify(), check the res with password_get_info($hash)
You should not do any escaping of the password, before feeding it to the password_hash() / password_verify() function. So remove the call to htmlspecialchars() and make sure that your database field holding the hash, is of type varchar(255).
I want to reset user password using php. i got user's current and new password from html form . here's php script to reset password. But it always executes else part even if user enters correct password. how?any solution? i know there might be a simple error but i'm new at this and couldnt find any error.
$uid = $_SESSION['uid'];
$current_pass = $_POST['org_pass'];
$new_pass = $_POST['new_pass'];
if(isset($_POST['submit']))
{
$act_pass = $db_con->prepare("SELECT password FROM user WHERE u_id= ?");
$act_pass->bindParam(1,$uid);
$act_pass->execute();
$actual_pass = $act_pass->fetchColumn();
define('SALT', 'flyingrabbit');
$typed_pass = md5(SALT.$actual_pass);
if ($typed_pass == $current_pass)
{
$new_pass1 = md5(SALT . $new_pass);
$res = $db_con->prepare("UPDATE user SET password= ? WHERE u_id=?");
$res->bindParam(1,$new_pass1);
$res->bindParam(2,$uid);
$res->execute();
header("Location: profile.php");
exit;
}
else
{
echo "<script type=\"text/javascript\">window.alert(\"You entered wrong password.\");window.location.href = 'profile.php';</script>";
}
}
This looks wrong:
$actual_pass = $act_pass->fetchColumn();
// ...
$typed_pass = md5(SALT.$actual_pass);
if ($typed_pass == $current_pass)
You are hashing the information you got from the database which - I assume - is already hashed.
You probably want:
$actual_pass = $act_pass->fetchColumn();
// ...
$typed_pass = md5(SALT.$current_pass);
if ($typed_pass == $actual_pass)
Note that md5 is not recommended to hash passwords.
You should compare hashed $current_pass and **$actual_pas**s.
Replace
$typed_pass = md5(SALT.$actual_pass); with $typed_pass = md5(SALT.$current_pass);
$typed_pass == $current_pass with $typed_pass == $actual_pass
It goes to the else statement because you compare $typed_pass == $current_pass but on the previous line you do this $typed_pass = md5(SALT.$actual_pass) you compare a hashed, salted password to a plain text password
I am new in PHP and need help with my below code. When I am entering wrong userid instead of giving the message "userid does not exist" it is showing "password/id mismatch. Please guide me where I am wrong.
<?php
session_start();
$id = $_POST['userid'];
$pwd = $_POST['paswd'];
$con = mysqli_connect("localhost", "????", "????", "??????");
if ($con) {
$result = mysqli_query($con, "SELECT * FROM users WHERE userid=$id");
if ($result) {
$row = mysql_fetch_array($result);
if ($row["userid"] == $id && $row["paswd"] == $pwd) {
echo "Welcome! You are a authenticate user";
if ($id == $pwd)
//my default login id and password are same
{
header("Location: changepwd.html");
} else {
header("Location: dataentry.html");
}
} else {
echo "ID/Password Mismatch";
}
} else {
echo "User does not Exist !!!";
}
} else {
echo "Connection failed - ".mysqli_error()." -- ".mysqli_errno();
}
?>
The main problem you have is that you're mixing up between the mysqli and mysql functions. These two libraries are not compatible with each other; you must only use one or the other.
In other words, the following line is wrong:
$row=mysql_fetch_array($result);
It needs to be changed to use mysqli_.
While I'm here, going off-topic for a moment I would also point out a few other mistakes you're making:
You aren't escaping your SQL input. It would be extremely easy to hack your code simply by posting a malicious value to $_POST['userid']. You must use proper escaping or parameter binding. (since you're using mysqli, I recommend the latter; it's a better technique).
Your password checking is poor -- you don't appear to be doing any kind of hashing, so I guess your passwords are stored as plain text in the database. If this is the case, then your database is extremely vulnerable. You should always hash your passwords, and never store the actual password value in the database.
I've gone off topic, so I won't go any further into explaining those points; if you need help with either of these points I suggest asking separate questions (or searching here; I'm sure there's plenty of existing advice available too).
else
{
echo "ID/Password Mismatch";
}
is connected with the
if($row["userid"]==$id && $row["paswd"]==$pwd)
{
So since you are giving a wrong id. It echo's: ID/Password Mismatch
Also the else at if ($result) { wont ever show since
$result = mysqli_query($con, "SELECT * FROM users WHERE userid=$id");
You need some additionnal checks:
select * return 1 row (not 0, and not more)
you need to protect the datas entered by the html form (for example someone could enter 1 or 1 to return all rows
<?php
session_start();
$con = mysqli_connect("localhost", "????", "????", "??????");
$id = mysqli_real_escape_string($_POST['userid']);
$pwd = mysqli_real_escape_string($_POST['paswd']);
if ($con) {
// don't even do the query if data are incomplete
if (empty($id) || empty($pwd)
$result = false;
else
{
// optionnal : if userid is supposed to be a number
// $id = (int)$id;
$result = mysqli_query($con, "SELECT * FROM users WHERE userid='$id'");
}
if (mysqli_num_rows($result) != 1)
$result = false;
if ($result) {
$row = mysqli_fetch_assoc($result);
if ($row["userid"] == $id && $row["paswd"] == $pwd) {
echo "Welcome! You are a authenticate user";
if ($id == $pwd)
//my default login id and password are same
{
header("Location: changepwd.html");
} else {
header("Location: dataentry.html");
}
} else {
echo "ID/Password Mismatch";
}
} else {
echo "User does not Exist, or incomplete input";
}
} else {
echo "Connection failed - " . mysqli_error() . " -- " . mysqli_errno();
}
?>
Try with isset() method while you are checking if $result empty or not.
that is in line
if ($result) {.......}
use
if (isset($result)) { .......}
$result is always true, because mysqli_query() only returns false if query failed.
You could check if $result has actual content with empty() for example.
You can use this sql compare password as well with userid
$sql= "SELECT * FROM users WHERE userid='".$id.", and password='".$pwd."'";
I create a function to edit user password here the function code.
function updateUser ()
{
$current = md5($_POST['cpassword']);
$new = md5($_POST['npassword']);
$newc = md5($_POST['npasswordc']);
$name = $_POST['username'];
connectDB();
$check = mysql_query("SELECT password FROM user WHERE user_name = '$name'")
or die(mysql_error());
if ($check != $current) {
?> <div id="error">
<?php die('Current password is wrong. Press back to try again.'); ?>
</div> <?php
}
if ($new == $newc) :
$sql = "UPDATE user SET password = '$new' WHERE user_name = '$name'";
execute($sql);
?> <div id="error">
<?php die('Password Successfully Updated. Back to dashboard');
?> </div> <?php
else : ?> <div id="error">
<?php die('New Password did not match. Press back to try again');
?> </div> <?php
endif;
}
the value will be pass by the form on different page, everything seem to work fine. When I try to change password, it say successful, and when I check in the database, the md5 value is changing that mean the password was change.
But when I try to change password of same username, I still need to enter the old password for current password, even though in database it already changed?
What seem to be the problem?
Thank you
$check is a mysql resource, not a value. You might do
if($check && (mysql_num_rows($check) > 0))
{
$res = mysql_fetch_assoc($check);
if($res['password'] != $current) {
Be careful of SQL injections, you should do at least
$name = mysql_real_escape_string($_POST['username']);
before entering it into the query.
Also, md5 is a week hashing algorithm, I strongly suggest you use a SALT, and better hash algos like at the very least sha1() or better go for the sha2 family (sha256, sha512, for ex) or bcrypt
I have changed your code... maybe it works. also watch the comments it explains something maybe it helps:
function updateUser ()
{
$current = md5($_POST['cpassword']);
$new = md5($_POST['npassword']);
$newc = md5($_POST['npasswordc']);
// first check if the passwords matches if not why waist the connection
if ($new == $newc) {
$name = $_POST['username'];
connectDB();
// why not checking your pass in the query
// when a result is zero it means there is no match found
$check = mysql_query("SELECT password FROM user WHERE user_name = '{$name}' AND password = '{$current}'") or die(mysql_error());
$result = mysql_fetch_assoc($check);
// You where checking a resource with a string(MD5)?
if (mysql_num_rows($check) == 0) {
?><div id="error">
<?php die('Current password is wrong. Press back to try again.'); ?>
</div><?php
return false;
} else {
// update the query with the ID you got from the check..
// why? because a ID is always unique
$sql = "UPDATE user SET password = '{$new}' WHERE user_id = '{$result['user_id']}'";
execute($sql);
?><div id="error">
<?php echo 'Password Successfully Updated. Back to dashboard';
?></div><?php
return true;
}
} else {
?><div id="error">
<?php echo 'New Password did not match. Press back to try again';
?></div><?php
return false;
}
}