I'm trying to create a PHP to change a user's password but my PHP keeps getting hung up on something. I have my code successfully check to ensure you entered the old password correctly, which works fine, however now when I try to update the password with the new password the page changes to a blank screen.
<?php
require("common.php");
if(empty($_SESSION['email']))
{
header("Location: main.php");
die("Redirecting to Frontpage");
}
$fname = $_SESSION['fname']['fname'];
$lname = $_SESSION['lname']['lname'];
$email = $_SESSION['email']['email'];
$queryPost = "SELECT * FROM db WHERE email = :email";
$stmt = $db->prepare($queryPost);
$stmt->bindValue(':email', $email);
$stmt->execute();
$row = $stmt->fetch();
$pass_correct = false;
if($row)
{
$check_password = hash('sha256', $_POST['oldpass'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['pass'])
{
$pass_correct = true;
}
else
{
header("refresh:2; url=accountsettings.php");
die("Old Password incorrect....turning around");
}
}
if($pass_correct)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['newpass'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query = "UPDATE db SET pass=':pass', salt=':salt' WHERE email = :email";
$query_params = array(':pass' => $password, ':salt' => $salt);
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
header("refresh:2; url=accountsettings.php");
die("Password changed....turning around");
}
?>
I feel it's getting caught up at the if($pass_correct) statement.
Related
Register.php
$query = "
INSERT INTO users(
email,
pass,
salt
) VALUES (
:email,
:password,
:salt
)
";
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query_params = array(
':email' => $_POST['email'],
':password' => $password,
':salt' => $salt
);
Login.php
if($row)
{
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['pass'])
{
// If they do, then we flip this to true
$login_ok = true;
}
}
Passwords/usernames are correct so can't figure out why this isn't working. In the database the hashed pass length is the same as the salt password, which I am not sure is correct.
Check if your pass column is varchar with a length greater than or equal to that of the hashed password. I think your stored password has been truncated during saving.
Can anyone tell me where I am going wrong with this? Every time it returns with 'login failed' and won't let me pass to the next screen. I'm starting to tear my hair out!!
if(!empty($_POST)) {
$query = "SELECT id, username, password, salt FROM User WHERE username = ?";
$sql = $db->prepare($query);
$sql->bind_param('s', $user);
$user = $_POST['username'];
$sql->execute();
if(!$row = $sql->affected_rows) {
print('There was an error running the query [' . $db->error . ']' . gettype($user));
}
$login_ok = false;
if($row) {
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']) {
$login_ok = true;
}
}
if($login_ok) {
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home.php");
die("Redirecting to: home.php");
} else {
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
print("Login Failed. " . $submitted_username);
}
}
Update after comments and Barmar's answer
include '../private/conn.php';
$submitted_username = '';
if(!empty($_POST)) {
$query = "SELECT id, username, password, salt FROM User WHERE username = ?";
$sql = $db->prepare($query);
$sql->bind_param('s', $user);
$user = $_POST['username'];
$sql->execute();
$login_ok = false;
$sql->bind_result($id, $username, $password, $salt);
if ($sql->fetch()) {
$check_password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $salt);
}
if($check_password === $password) {
$login_ok = true;
}
}
if($login_ok) {
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: home.php");
die("Redirecting to: home.php");
} else {
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
print("Login Failed. " . $submitted_username);
}
}
You're never calling $sql->fetch() to get the row. You're setting $row to $sql->affected_rows, which returns a number, then you're trying to use it as an associative array. If you had warnings enabled, you would have seen notices about this error.
When using a prepared statement, you need to use bind_result to get the results into variables, and then call fetch() to fetch a row.
$sql->bind_result($id, $username, $password, $salt);
if ($sql->fetch()) {
$check_password = hash('sha256', $_POST['password'] . $salt);
for($round = 0; $round < 65536; $round++) {
$check_password = hash('sha256', $check_password . $salt);
}
if($check_password === $password) {
$login_ok = true;
}
}
I have a login form and it works fine when users enter the correct username and password, but nothing happens when the wrong information is entered. How would I get an error message to appear? I have "Login failed" as shown below but this doesn't work for some reason. Any help much appreciated.
<?php
require("config.php");
$submitted_username = '';
if(!empty($_POST)){
$query = "SELECT
id,
username,
password,
salt,
email
FROM users
WHERE
username = :username";
$query_params = array(
':username' => $_POST['username']
);
try{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex){ die("Failed to run query: " . $ex->getMessage()); }
$login_ok = false;
$row = $stmt->fetch();
if($row){
$check_password = hash('sha256', $_POST['password'] . $row['salt']);
for($round = 0; $round < 65536; $round++){
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password === $row['password']){
$login_ok = true;
}
}
if($login_ok){
unset($row['salt']);
unset($row['password']);
$_SESSION['user'] = $row;
header("Location: secret.php");
die("Redirecting to: secret.php");
}
else{
print("Login Failed.");
$submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
}
}
?>
I am creating a website for a university assignment and I have run into a snag while writing some PHP for email address and password change. This error has come up and I can't for the life of me figure out what the issue is.
Error code:
Failed to run query3: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE username = chris' at line 1
<?php
// First we execute our common code to connection to the database and start the session
require("common.php");
// At the top of the page we check to see whether the user is logged in or not
if(empty($_SESSION['user']))
{
// If they are not, we redirect them to the login page.
header("Location: login.php");
// Remember that this die statement is absolutely critical. Without it,
// people can view your members-only content without logging in.
die("Redirecting to login.php");
}
$username = $_SESSION['user']['username'];
if(!empty($_POST))
{
//check for valid email
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL))
{
$emailInvalid = true;
$emailInvalidAmmount = 1;
goto here;
}
//Check if the new E-mail matches existing E-mail address, if it does no action is needed
if($_POST['email'] !=$_SESSION['user']['email'])
{
$query = "SELECT 1 FROM users WHERE email = :email";
$query_params = array (':email' => $_POST['email']);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query1: " . $ex->getMessage());
}
//retrieve results and check if new E-mail address exists in the database
$row = $stmt->fetch();
if($row)
{
$emailExists = true;
$emailExistsAmmount = 1;
}
}
$query ="SELECT password, salt FROM users WHERE username = :username";
$query_params = array(':username' => $username);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query2: " . $ex->getMessage());
}
$row = $stmt->fetch();
if($row)
{
$check_password = hash('sha256', $_POST['currentPassword'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password == $row['password'])
{
$password_ok = true;
}
if(!empty($password_ok))
{
$newPassword = $_POST['newPassword'];
$confirmPassword = $_POST['confirmPassword'];
if($newPassword == $confirmPassword)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $newPassword . $salt);
for($round = 0; $round <65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query ="INSERT INTO users (password, salt) VALUES (:password, :salt)";
$query .= "WHERE username = $username";
$query_params = array(':password' => $password, ':salt' => $salt);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query3: " . $ex->getMessage());
}
}
$passwordChanged = true;
}
}
}
?>
Any help would be much appreciated. Thanks
Since this is for an assignment, I'll be vague. Make sure you're properly parameterizing all of the variables you're including in all of your queries.
I'm trying to make a script that changes an encrypted password inside a MySQL table. I think the code is correct, but the script isn't changing the password. It does detect when the old password is wrong and when the new password doesn't match the confirmation password. When everything checks out, it doesn't give an error and just redirects.
try
{
$db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
}
catch(PDOException $ex)
{
die("Failed to connect to the database: " . $ex->getMessage());
}
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
function undo_magic_quotes_gpc(&$array)
{
foreach($array as &$value)
{
if(is_array($value))
{
undo_magic_quotes_gpc($value);
}
else
{
$value = stripslashes($value);
}
}
}
undo_magic_quotes_gpc($_POST);
undo_magic_quotes_gpc($_GET);
undo_magic_quotes_gpc($_COOKIE);
}
header('Content-Type: text/html; charset=utf-8');
session_start();
if(!empty($_SESSION['user']))
unset ($_SESSION['user']);
if(!empty($_POST))
{
$query = "
SELECT
username,
password,
salt
FROM users
WHERE
username = :username
";
$query_params = array(
':username' => $_POST['username']);
try
{
$stmt = $db->prepare($query);
$result = $stmt->execute($query_params);
}
catch(PDOException $ex)
{
die("Failed to run query: " . $ex->getMessage());
}
$pass = false;
$row = $stmt->fetch();
if($row)
{
$check_password = hash('sha256', $_POST['old'] . $row['salt']);
for($round = 0; $round < 65536; $round++)
{
$check_password = hash('sha256', $check_password . $row['salt']);
}
if($check_password !== $row['password'])
{
die("Incorrect old password!");
}
if($_POST['new'] !== $_POST['confirm'])
{
die("Password does not match!");
}
$pass = true;
}
if($pass)
{
$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
$password = hash('sha256', $_POST['new'] . $salt);
for($round = 0; $round < 65536; $round++)
{
$password = hash('sha256', $password . $salt);
}
$query1 = " UPDATE users SET password = ':password', salt = ':salt' WHERE username = ':username' ";
$query_params1 = array(
':username' => $_POST['username'],
':password' => $password,
':salt' => $salt
);
try
{
$stmt1 = $db->prepare($query1);
$result1 = $stmt1->execute($query_params1);
}
catch(PDOException $e)
{
die("Failed to run query: " . $e->getMessage());
}
header("Location: index.php");
die;
}
else
{
print("Password change failed.");
}
}
You don't quote bound variables:
$query1 = "UPDATE users SET password = :password, salt = :salt WHERE username = :username";
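The two fixes given in the answers above (bind every value in the query, and do not quote placeholders), as an added example that is not part of the original posts: it runs the quoted and the unquoted UPDATE against the same row and checks rowCount() instead of assuming success. It assumes the pdo_sqlite extension and an in-memory table with a constructed row so that it runs without MySQL; stretch() and run_update() are hypothetical helper names, and random_bytes() stands in for the posts' mt_rand() salt.

```php
<?php
// Added example: in-memory SQLite table mirroring the posts; 'chris' row is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt TEXT)');
$db->exec("INSERT INTO users VALUES ('chris', 'old-hash', 'old-salt')");

// Same scheme as the posts: salted SHA-256 followed by 65536 further rounds.
function stretch(string $plain, string $salt): string
{
    $h = hash('sha256', $plain . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $h = hash('sha256', $h . $salt);
    }
    return $h;
}

// Hypothetical helper: runs an UPDATE and reports the outcome instead of assuming success.
function run_update(PDO $db, string $sql, array $params): string
{
    try {
        $stmt = $db->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount() === 1 ? 'updated' : 'no row changed';
    } catch (PDOException $ex) {
        return 'error: ' . $ex->getMessage();
    }
}

$salt   = bin2hex(random_bytes(8)); // CSPRNG salt, 16 hex characters (PHP 7+)
$params = [
    ':password' => stretch('new password', $salt),
    ':salt'     => $salt,
    ':username' => 'chris',
];

// Quoted: ':password' is a string literal, not a placeholder, so nothing is bound.
// Depending on the driver this throws or matches zero rows; the row is untouched.
$quoted = "UPDATE users SET password = ':password', salt = ':salt' WHERE username = ':username'";
echo 'quoted:   ', run_update($db, $quoted, $params), PHP_EOL;

// Unquoted, with every value (username included) bound rather than interpolated.
$fixed = 'UPDATE users SET password = :password, salt = :salt WHERE username = :username';
echo 'unquoted: ', run_update($db, $fixed, $params), PHP_EOL;

// A SHA-256 hex digest is 64 characters; a narrower column would truncate it.
$stored = $db->query("SELECT password FROM users WHERE username = 'chris'")->fetchColumn();
echo 'stored hash length: ', strlen($stored), PHP_EOL;
```

For new code, PHP's built-in password_hash() and password_verify() replace the hand-rolled salt and SHA-256 loop.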