Jibmar7312 Posted July 13, 2013 (edited)

Hello, I'm creating a change password script and my problem is the length of the password (strlen). For example, if the user adds 1 character as his password it will be correct and then his password will be changed. I want the length of the password to be longer than 6 characters. Here is my script:

```php
<?php
session_start();
$username = @$_SESSION['username'];

$form = "<form action='changepass.php' method='POST'>
Current password: <input type='text' name='c_password'><br />
New password: <input type='password' name='n_password'><br />
Re-enter new password: <input type='password' name='rn_password'><br />
<input type='submit' name='submit' value='Change password'><br />
</form>";

if($_SESSION['username']){
    if(isset($_POST['submit'])){
        $connect = mysql_connect("localhost", "**********", "**********");
        mysql_select_db("**********");
        $query = mysql_query("SELECT password FROM users2 WHERE username='".$username."'");
        $row = mysql_fetch_assoc($query);
        $c_password = sha1(@$_POST['c_password']);
        $n_password = sha1(@$_POST['n_password']);
        $rn_password = sha1(@$_POST['rn_password']);
        $c_password_db = $row['password'];
        if(isset($_POST['c_password']) && !empty($_POST['c_password'])&&isset($_POST['n_password']) && !empty($_POST['n_password'])&&isset($_POST['rn_password']) && !empty($_POST['rn_password'])){
            if($c_password==$c_password_db){
                if($n_password==$rn_password){
                    if(strlen($n_password) < 6 || strlen($rn_password) < 6){
                        die("The lengh of the new password must be longer than 6!");
                    }else{
                        $querychange = mysql_query("UPDATE users2 SET password='".$n_password."' WHERE username='".$username."'");
                        session_destroy();
                        die("Your password has been changed. <a href='member.php'>Return</a>");
                    }
                }else{
                    die("Your new password do not match!").mysql_error();
                }
            }else{
                echo "Your current password do not match!";
            }
        }else{
            die("Please fill in all the fields!");
        }
    }else{
        echo $form;
    }
}else{
    die("You must be logged in to change your password!");
}
?>
```

Any help will be appreciated.

Thanks

Edited July 13, 2013 by Jibmar7312

Psycho Posted July 13, 2013

Well, first off, you need to have a COMMON process for validating password content. So, you should apply the same process when the user first creates their password as well as when they change their password.

Second, your logic appears to be haphazard. Why are you even running the first query before you check to see if the user submitted the necessary data? Change your conditions so the error message is not separated from the condition. How you have it now makes it difficult to see what errors line up with what conditions.

There is no need to verify the content of the new password AND the confirm password. Just verify they are both the same, then do verifications on the content of one.

But, the problem you are currently facing is that you are hashing the password BEFORE you check the length.

Psycho Posted July 14, 2013 (Solution)

This has a much more logical flow. Not tested, so there may be a few issues to address.

```php
<?php

session_start();

$username        = isset($_SESSION['username']) ? $_SESSION['username'] : false;
$currentPassword = isset($_POST['c_password'])  ? $_POST['c_password']  : false;
$newPassword     = isset($_POST['n_password'])  ? $_POST['n_password']  : false;
$confirmPassword = isset($_POST['rn_password']) ? $_POST['rn_password'] : false;
$errorMsg = false;

if(!$username) {
    //Username not set in session
    $errorMsg = 'You must be logged in to change your password!';
} elseif($_SERVER['REQUEST_METHOD'] == 'POST') {
    //Form was posted
    if(!$currentPassword || !$newPassword || !$confirmPassword) {
        //All fields not posted
        $errorMsg = 'Please fill in all the fields!';
    } elseif($newPassword !== $confirmPassword) {
        //Passwords do not match (strict comparison, so numeric-looking strings are not juggled)
        $errorMsg = 'Your new password and confirmation do not match!';
    } elseif(strlen($newPassword) < 6) {
        //Password too short (checked on the plain text, before any hashing)
        $errorMsg = 'The length of the new password must be longer than 6 characters!';
    } else {
        //Check current password submitted
        $connect = mysql_connect("localhost", "**********", "**********");
        mysql_select_db("**********");
        //Create and run query to get the stored password hash for this user
        $usernameSQL = mysql_real_escape_string($username);
        $query = "SELECT password FROM users2 WHERE username='{$usernameSQL}'";
        $result = mysql_query($query);
        if(!$result) {
            //Error running query
            $errorMsg = "Error retrieving user info";
        } elseif(!mysql_num_rows($result)) {
            //Username not in DB
            $errorMsg = "Username is not recognized";
        } else {
            //Extract and check password
            $currentPasswordCheck = mysql_result($result, 0);
            if(sha1($currentPassword) !== $currentPasswordCheck) {
                //Password not correct
                $errorMsg = "Current Password is incorrect!";
            } else {
                //Password correct, save new PW
                $newPasswordSQL = sha1($newPassword);
                $query = "UPDATE users2 SET password='{$newPasswordSQL}' WHERE username='{$usernameSQL}'";
                $result = mysql_query($query);
                if(!$result) {
                    //Error running query
                    $errorMsg = "Error changing password";
                } else {
                    //Replace with a redirect (followed by an exit() statement) to a confirmation page with a valid HTML page
                    die("Your password has been changed. <a href='member.php'>Return</a>");
                }
            }
        }
    }
} //End for post processes

?>
<html>
<body>
<?php echo $errorMsg; ?>
<form action='changepass.php' method='POST'>
Current password: <input type='text' name='c_password'><br />
New password: <input type='password' name='n_password'><br />
Re-enter new password: <input type='password' name='rn_password'><br />
<input type='submit' name='submit' value='Change password'><br />
</form>
</body>
</html>
```
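
The two points raised in the thread (one common validator for sign-up and password change, and checking the length of the plain text before it is hashed), shown as an added example that is not part of the original posts. It substitutes PDO prepared statements and `password_hash()`/`password_verify()` for the thread's `mysql_*` calls and `sha1()`; the function names, the constant and the in-memory SQLite table are assumptions made for the example.

```php
<?php
// Added example. validateNewPassword(), changePassword() and MIN_PASSWORD_LENGTH are
// hypothetical names; an in-memory SQLite table stands in for the thread's users2.
const MIN_PASSWORD_LENGTH = 6;

// One validator shared by sign-up and password change. It works on the plaintext:
// strlen(sha1($x)) is 40 for any $x, so a length check on a digest never fails.
function validateNewPassword(string $new, string $confirm): ?string
{
    if ($new === '' || $confirm === '') return 'Please fill in all the fields!';
    if ($new !== $confirm) return 'Your new password and confirmation do not match!';
    if (strlen($new) < MIN_PASSWORD_LENGTH) return 'The new password is too short!';
    return null; // no error
}

function changePassword(PDO $db, string $user, string $current, string $new, string $confirm): ?string
{
    // Validate the submitted data before running any query.
    if ($current === '') return 'Please fill in all the fields!';
    if (($error = validateNewPassword($new, $confirm)) !== null) return $error;

    $stmt = $db->prepare('SELECT password FROM users2 WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($current, $stored)) {
        return 'Current password is incorrect!';
    }
    // Hash only after every check on the plaintext has passed.
    $stmt = $db->prepare('UPDATE users2 SET password = ? WHERE username = ?');
    $stmt->execute([password_hash($new, PASSWORD_DEFAULT), $user]);
    return null;
}

// Constructed sample data: one user in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users2 (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users2 VALUES (?, ?)')
   ->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

var_dump(strlen(sha1('a')));  // length of the digest, not of the password
var_dump(changePassword($db, 'alice', 'old-secret', 'a', 'a'));                  // one-character new password
var_dump(changePassword($db, 'alice', 'wrong', 'longer-pw', 'longer-pw'));       // wrong current password
var_dump(changePassword($db, 'alice', 'old-secret', 'longer-pw', 'longer-pw'));  // valid change
var_dump(changePassword($db, 'alice', 'longer-pw', 'another-pw', 'another-pw')); // new password now works
```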