angel1987 Posted March 3, 2013 Share Posted March 3, 2013 Hello all, i have a change your password feature on one of my websites. It works perfectly in FF and Chrome but it is not working in IE 8. I have used MySQLi prepared statements and the script is fairly straight forward. In IE 8 when i click on submit button, it kills the session and gives "you are not authorized to view this page message". So I need some help in solving it. Below is the HTML form. <form name="frmcp" method="post" action="#"> <table border="0" cellpadding="5" cellspacing="5"> <tr><td>Old Password</td></tr> <tr><td><input type="password" name="password" id="password" /></td></tr> <tr><td>New Password</td></tr> <tr><td><input type="password" name="txtpass1" /></td></tr> <tr><td>Confirm Password</td></tr> <tr><td><input type="password" name="txtpass2" /></td></tr> <tr><td><input type="submit" name="btncp" value="Change Password" class="button" onclick="formhash(this.form, this.form.password);" /></td></tr> </table> </form> Below is the PHP Script which is on the same page above the html open tag. <?php // Include database connection and functions here. include '../php/config.php'; include 'php/functions.php'; //Securely Start Session sec_session_start(); //Check if user is logged in or not if((login_check($mysqli) == true) && $_SESSION['usertype'] == 0) { $userid = $_SESSION['user_id']; // Check if the button was clicked or not. if(isset($_POST['btncp'])){ //Check if all fields are filled. if(isset($_POST['txtpass1']) && !empty($_POST['txtpass1']) AND isset($_POST['txtpass2']) && !empty($_POST['txtpass2'])){ $newpass = htmlspecialchars(strip_tags($_POST['txtpass1'])); $newpass = hash('sha512', $newpass); $newcpass = htmlspecialchars(strip_tags($_POST['txtpass2'])); $newcpass = hash('sha512', $newcpass); //Check if new password matches the confirm password or not. if($newpass == $newcpass){ $password = $_POST['p']; //Check if the old password entered is correct or not. if ($stmt = $mysqli->prepare("SELECT username, password, usertype, salt FROM active_users WHERE user_id = ? LIMIT 1")) { $stmt->bind_param('i', $userid); // Bind "$email" to parameter. $stmt->execute(); // Execute the prepared query. $stmt->store_result(); $stmt->bind_result($username, $db_password, $usertype, $salt); // get variables from result. $stmt->fetch(); $password = hash('sha512', $password.$salt); // hash the password with the unique salt. if($stmt->num_rows == 1) { if($db_password == $password) { //Hash the new password with a new randomly created salt. $new_random_salt = hash('sha512', uniqid(mt_rand(1, mt_getrandmax()), true)); $new_db_password = hash('sha512', $newcpass.$new_random_salt); //Update new password in the table. if ($stmt = $mysqli->prepare("UPDATE active_users SET password = ?, salt = ? WHERE user_id = ?")) { // Bind the variables to the parameter as strings. $stmt->bind_param("ssi", $new_db_password, $new_random_salt, $userid); // Execute the statement. $stmt->execute(); // Close the prepared statement. $stmt->close(); } //Redirect if password was changed and ask the user to login again using new password. header('Location: error.php?error=5'); } else { $msg = 'Old password entered is incorrect.'; } } else { $msg = 'User Does Not Exist.'; } } } else { $msg = 'New Password and Confirm Password does not match.'; } } else { $msg = 'All fields are mandatory.'; } } ?> The problem appears to be in the line where PHP checks if the button was clicked or not or in the line where it checks if user is logged in or not. But it works in FF and Chrome, just not in IE 8. Quote Link to comment Share on other sites More sharing options...
teynon Posted March 3, 2013 Share Posted March 3, 2013 (edited) The problem with checking a button on a post is that if the user submitted the form by means of an enter key, then the button won't be submitted. Try creating a hidden element in the form. <input type="hidden" name="formSubmitted" value="1"> Then, run your isset check on that variable. It's just a flag for your code to know that the form has been submitted. if (isset($_POST['formSubmitted')) Edited March 3, 2013 by teynon Quote Link to comment Share on other sites More sharing options...
teynon Posted March 3, 2013 Share Posted March 3, 2013 (edited) Additionally, it looks like your submitting your form from a javascript function. You should probably look through your javascript function because it is probably failing in IE. I also believe that in IE if a form is submitted by javascript and not the direct action of the submit button, that the submit button is not sent with the post variables. Adding my fix above will resolve that as well. Edited March 3, 2013 by teynon Quote Link to comment Share on other sites More sharing options...
Solution angel1987 Posted March 4, 2013 Author Solution Share Posted March 4, 2013 Thanks for the support teynon, i had already tried using your first fix but it didnt work but yes the problem was with the javascript. I was hashing the password by javascript before sending it to the PHP script but it seems that works only if your PHP processing script is on another file and not on the same page. So i removed onclick attribute from submit button and hashed the password using PHP and it worked perfectly. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.