Hexagon

First, thanks for your input, I have changed the code dramatically and reverted to md5 just so i can test everything because i have no experience with the password_hash. <?php $u=""; //stripping both strings of white spaces $newpass = preg_replace('#[^a-z0-9]#i', '', $_POST['newpass']); $repeatpass = preg_replace('#[^a-z0-9]#i', '', $_POST['repeatpass']); if(isset($_GET["u"])){ $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']); } else { header("location: settings.php?u=".$_SESSION["username"]); exit(); } // Select the member from the users table $sql = "SELECT * FROM users WHERE username='$u' AND activated='1' LIMIT 1"; $user_query = mysqli_query($db_conx, $sql); // Now make sure that user exists in the table $numrows = mysqli_num_rows($user_query); if($numrows < 1){ echo "That user does not exist or is not yet activated, press back"; exit(); } $isOwner = "no"; //check if user is logged in owner of account if($u == $log_username && $user_ok == true){ $isOwner = "yes"; } if (isset($_POST["submit"]) && ($isOwner == "yes") && ($user_ok == true) && ($newpass == $repeatpass)) { $newpass = md5($newpass); $sql = "UPDATE `users` SET `password`='$newpass' WHERE username='$u'"; if (mysqli_query($db_conx, $sql)) { echo "Record updated successfully with $newpass"; } else { echo "Error updating record: " . mysqli_error($conn); } } ?> <pre> <?php var_dump($_SESSION); var_dump($newpass); var_dump($repeatpass); ?> </pre> Thats the new code, I will try to implement a better encryption later. But i am still trying to figure out how to replace the get['u'] logic.

Hi guys, i am creating my change password site for my website and i have some problems with the code... For some reason i have difficulties with the passwords being compared and replaced in the db after crypting them. I wanted this: Either get the current users password and compare it to the input value of $oldpass or compare the input value of $oldpass with the password stored in the database for the current user. After checking if the $oldpass and the password from the database match and IF they match then take the input value of $newpass and $repeatpass, compare them and if they match, then crypt() $newpass and update the database with the new password. I am not even sure if the passwords are even crypted. Also in the code i am comparing $oldpass with $_SESSION['password'] which is not the password from the db, i can't figure out how to call the password from the db. Thanks in advance! <?php include 'check_login_status.php'; $u=""; $oldpass=md5($_POST['oldpass']); //stripping both strings of white spaces $newpass = preg_replace('#[^a-z0-9]#i', '', $_POST['newpass']); $repeatpass = preg_replace('#[^a-z0-9]#i', '', $_POST['repeatpass']); //get the username from the header if(isset($_GET["u"])){ $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']); } else { header("location: compare_pass.php?u=".$_SESSION["username"]); exit(); } // Select the member from the users table $sql = "SELECT password FROM users WHERE username='$u' LIMIT 1"; mysqli_query($db_conx, $sql); $user_query = mysqli_query($db_conx, $sql); // Now make sure that user exists in the table $numrows = mysqli_num_rows($user_query); if($numrows < 1){ echo "That user does not exist or is not yet activated, press back"; exit(); } if ($oldpass == $_SESSION['password']) { echo "session and oldpass are matching"; } else { echo "Session and oldpass do not match!"; } $isOwner = "no"; //check if user is logged in owner of account if($u == $log_username && $user_ok == true){ $isOwner = "yes"; } $passhash = ""; if (isset($_POST["submit"]) && ($isOwner == "yes") && ($user_ok == true) && ($newpass == $repeatpass)) { $passhash = crypt_sha256("$newpass", "B-Pz=0%5mI~SAOcW0pMUdgKQh1_B7H6sbKAl+9~O98E9MBPrpGOtE65ro~8R"); $sql = "UPDATE users SET `password`='$passhash' WHERE username='$u' LIMIT 1"; } if (mysqli_query($db_conx, $sql)) { echo "Record updated successfully"; } else { echo "Error updating record: " . mysqli_error($db_conx); } ?> <h3>Create new password</h3> <form action="" method="post"> <div>Current Password</div> <input type="text" class="form-control" id="password" name="oldpass" > <div>New Password</div> <input type="text" class="form-control" id="password" name="newpass" > <div>Repeat Password</div> <input type="text" class="form-control" id="password" name="repeatpass" > <br /><br /> <input type="submit" name="submit" value="Submit"> <p id="status" ></p> </form><?php echo "{$oldpass}, {$_SESSION['password']}"; ?> <pre> <?php var_dump($_SESSION); var_dump($oldpass); var_dump($passhash); var_dump($newpass); var_dump($repeatpass); ?> </pre>