JackTheRipper

  1. Let me explain to you what I know. $2y = the password algorithm. $09 = your cost. I would suggest sticking to the default, which is 10. You're using 1 less than the default. Unless you think it would save you resources and money, then go for it. $D.47EPRqwcUEgKJnAWkl6 = the salt. .o76kDqdFtotog649T6II3I73MDVRUQy = the hashed password. When using modern password hashes, it doesn't store passwords as plain text and it makes the password more secure. Using bcrypt already escapes all of the bad stuff. Here's an example of why you shouldn't be modifying user password inputs. One day, person A signs up on your website. We'll call person A Fred. So when Fred signs up with the password Y2!@%&$;s325, your old version would do something like Y2s325. You see where that might be a problem? The user automatically thinks that their password was typed in wrong; they attempt for many, many hours and still no luck. They find out that their password was modified and all of the special characters that they had used were removed. Not only is this less secure, but that wasn't even the original user's password. That's why you shouldn't modify user passwords: they might actually think that their password was right, but in reality it was wrong, since you stripped all of the special characters out of their password.
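A worked version of the hash anatomy in the post above, added here as an example rather than anything the poster wrote: it splits a bcrypt string into algorithm, cost, salt and hash, shows that Fred's password verifies only when it is stored exactly as typed, and rehashes when the cost policy moves from 9 to 10. The password value and the function names are constructed for the demo.

```php
<?php
// Added example, not code from the post: split a bcrypt string into the
// parts described above, then show that verification only succeeds when the
// password is stored as typed. The password below is constructed for the demo.
declare(strict_types=1);

// A bcrypt string is $<algo>$<cost>$<22-char salt><31-char hash>, 60 chars in total.
function parse_bcrypt(string $stored): array {
    $re = '/^\$(2[aby])\$(\d{2})\$([.\/A-Za-z0-9]{22})([.\/A-Za-z0-9]{31})$/';
    if (!preg_match($re, $stored, $m)) {
        throw new InvalidArgumentException('not a bcrypt hash');
    }
    return ['algo' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'hash' => $m[4]];
}

// Hash the password exactly as the user typed it; password_hash() generates the salt.
function store_password(string $plain, int $cost): string {
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login path: verify, and if the stored cost is below policy, rehash while the
// plaintext is available. Returns the (possibly upgraded) stored string, or null
// when the password does not match.
function login(string $plain, string $stored, int $policyCost): ?string {
    if (!password_verify($plain, $stored)) {
        return null;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $policyCost])) {
        return store_password($plain, $policyCost);
    }
    return $stored;
}

$typed    = 'Y2!@%&$;s325';   // Fred's real password, special characters intact
$stripped = 'Y2s325';         // what the reset script on this page would have made of it

$stored = store_password($typed, 9);          // cost 9, like the reset script in the thread
print_r(parse_bcrypt($stored));

// Only the password as typed verifies; the stripped form is a different password.
var_dump(login($typed, $stored, 10) !== null);
var_dump(login($stripped, $stored, 10) !== null);

// Raising the policy to cost 10 rehashes on the next successful login.
$upgraded = login($typed, $stored, 10);
echo 'cost after login: ' . parse_bcrypt($upgraded)['cost'] . "\n";
```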
  2. Holy crap. That was hard to read.

      <?php
      session_start();
      mysqli_report(MYSQLI_REPORT_OFF);
      error_reporting(E_ALL);
      ini_set('display_errors', TRUE);
      error_reporting(-1);
      require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'password_compat-master/lib/password.php');

      function test_input($data) {
          $data = trim($data);
          $data = stripslashes($data);
          $data = htmlspecialchars($data);
          return $data;
      }

      $servername = " ";
      $username = " ";
      $password = " ";
      $dbname = " ";
      $link = new mysqli($servername, $username, $password, $dbname);

      if($_SERVER['REQUEST_METHOD'] == 'POST') {
          $errors = array();
          if(empty($_POST['resetcode'])) {
              $errors['resetcode'] = "error";
          } else {
              $resetcode = test_input($_POST['resetcode']);
          }
          if(empty($_POST['newpassword'])) {
              $errors['newpassword'] = "error";
          } else {
              $newpassword = $_POST['newpassword'];
          }
          if(empty($errors)) {
              $resetcode = test_input($_POST['resetcode']);
              $newpassword = $_POST['newpassword'];
              $hash = password_hash($newpassword, PASSWORD_BCRYPT, array("cost" => 9));
              $stmt = $link->prepare('SELECT username FROM User WHERE prc = ?');
              $stmt->bind_param('s', $resetcode);
              $stmt->execute();
              $stmt->store_result(); // You need store result or nothing will be called and displayed
              if($stmt->num_rows) {
                  $stmt->bind_result($username_from_db);
                  if($stmt->fetch()) {
                      $_SESSION['user'] = $username_from_db;
                      $stmt2 = $link->prepare('UPDATE User SET hash = ? WHERE prc = ?');
                      $stmt2->bind_param('ss', $hash, $resetcode);
                      $stmt2->execute(); // Without this the UPDATE never runs and the new hash is never written
                      // Why do you need these lines if you aren't going to use it??
                      $host = $_SERVER['HTTP_HOST'];
                      $uri = $_SERVER['REQUEST_URI']; // the path/file?query string of the page
                      $link->close(); // Close before you exit. If you exit, PHP will ignore everything after the exit which means you aren't manually closing your connection anymore
                      header("Location: http://parsemebro.com/userpanel.php");
                      exit;
                  }
              }
          }
      }
      ?>

     The inconsistency made it super hard to read. I highly highly highly highly suggest you start formatting your code a little better. You're going to have a hard time reading your own code. Why make it harder for yourself if you're supposed to know what to do? I fixed a little bit for you. I haven't tested it so you'll have to do it yourself. Here's a huge question. Why are you modifying a user's password? You should NEVER ever modify a user's input password. What if they use special characters to make their password stronger? You're making a secure feature like bcrypt less secure by not allowing users to use special characters. SQL Injection comes from code, not from user input. If your code is written wrong, SQL injection will most likely happen. If you don't escape or use prepared statements, you're likely to be a victim of SQL Injection. However, you should NEVER modify a user's input password. Are you saying that Rat123 is more secure than R@t123!#%^&)*? I would assume not. The first password can easily be brute forced, while the second one has multiple special characters, including a capital first letter and 3 numbers. If that's the case then I would suggest re-writing your code. When you re-write your code, you should always, and I can never stress this far enough, always debug as you go along. If you debug at the very end, you won't know what is really wrong with your code. If you debug as you go along, you will know exactly where the script is not running. Also, I would suggest using 1 connection because if you keep making new connections, it's a little redundant.
  3. You should also note that checking the file extensions like .png, .jpg, .gif won't help at all. Anyone can make a plain text file, put executable commands into it, change the file extension to .png, .jpg, or .gif and upload it to your server. That would make your server vulnerable to the max. What I suggest is to check for the mime type. Every file has its own type. If it was originally created using a photo editor, it'll have the mime type of image/png, image/jpg, image/gif. If someone created a plain text file and changed the file extension, the mime type of that file will always and forever remain the same. So it would always have a mime type of text/plain even though its file extension is .png, .jpg, or .gif. This helps prevent people from uploading the wrong files or the wrong file type if you only want a specific type of file.
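A content-based upload check for the post above, added here as an example and not code from the poster: it asks libmagic (via PHP's finfo) what the bytes are instead of trusting the file name, then requires the extension to agree with the detected type. Both sample files and the function name are constructed; in a real handler the path would be the uploaded temp file.

```php
<?php
// Added example, not code from the post: decide whether an upload is really an
// image by inspecting its bytes, then require the extension to agree.
// Both sample files are constructed below so the script runs stand-alone.
declare(strict_types=1);

const ALLOWED = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function check_upload(string $path, string $originalName): array {
    // libmagic looks at the file signature; the client-supplied name plays no part
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if ($detected === false || !isset(ALLOWED[$detected])) {
        $seen = $detected ?: 'unknown';
        return ['ok' => false, 'reason' => "content is $seen, not an allowed image"];
    }
    // The extension must match what the bytes say (jpg and jpeg are both fine for JPEG)
    $ext    = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $wanted = ALLOWED[$detected];
    if ($ext !== $wanted && !($wanted === 'jpg' && $ext === 'jpeg')) {
        return ['ok' => false, 'reason' => "extension .$ext does not match $detected"];
    }
    // Second, independent parse of the image header
    if (@getimagesize($path) === false) {
        return ['ok' => false, 'reason' => 'image header does not parse'];
    }
    // Never keep the user's name: the server picks a random name with the proven extension
    return ['ok' => true, 'store_as' => bin2hex(random_bytes(16)) . '.' . $wanted];
}

$dir = sys_get_temp_dir();

// Constructed sample 1: a genuine 1x1 PNG (signature, IHDR, IDAT, IEND)
$real = "$dir/photo.png";
file_put_contents($real, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));

// Constructed sample 2: a plain text file that was simply renamed to .png
$fake = "$dir/renamed.png";
file_put_contents($fake, "just some text, not an image\n");

foreach ([$real, $fake] as $path) {
    print_r(check_upload($path, basename($path)));
}
unlink($real);
unlink($fake);
```

This inspects the bytes on the server, which is not the same as the `type` field the browser sends in `$_FILES` (the uploader controls that value). Signature detection can still be satisfied by crafted files, so store uploads under a server-chosen name in a location the web server will not execute.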