Jump to content

Recommended Posts

I am new at coding, and at PHP.  I am attempting to update a password.  I have inserted my code, including comments and mark throughs.  I am at the point where the database updates, however, it does not product a new $salt variable, and it does not encrypt using sha1 again, either.  It is just putting $salt = 0  and $pwd = the literal new password.  Also, the code has been changed SO many times to try to force the new encryption, it is probably very messy, I apologize ahead of time!  Again, any help is appreciated!

 

<?php
require('includes/connection.inc.php');
$OK = false;
$done = false;
//db connection
$conn = dbConnect('write', 'pdo');
if (isset($_GET['user_id']) && !$_POST) {
//prepare query
$sql = 'SELECT user_id, salt, pwd FROM lr1
WHERE user_id=?';
$stmt = $conn->prepare($sql);
//bind the results
$stmt->bindColumn(1, $user_id);
$stmt->bindColumn(3, $salt);
$stmt->bindColumn(4, $password);
//execute
$OK = $stmt->execute(array($_GET['user_id']));
$stmt->fetch();
}
//if form is submitted, update record
if (isset($_POST['update'])) {
$password = trim($_POST['pwd']);
$retyped = trim($_POST['conf_pwd']);
require_once('classes/CheckPassword.php');
 
$errors = array();
//min password length set below
$checkPwd = new Ps2_CheckPassword($password, 10);
$checkPwd->requireMixedCase();
$checkPwd->requireNumbers(2);
$checkPwd->requireSymbols();
$passwordOK = $checkPwd->check();
if (!$passwordOK) {
$errors = array_merge($errors, $checkPwd->getErrors());
}
if ($password != $retyped) {
$errors[] = "Your passwords don't match.";
}
if (!$errors) {
 
  // encrypt the password and salt with SHA1
 
//include the connection file
$conn=dbConnect('write', 'pdo');
//create a salt using the current timestamp
//encrypt pwd and salt
$salt = time();
 $pwd = sha1($password . $salt);
//original had salt=?, pwd=?
$sql ='UPDATE lr1 SET salt=?,pwd=? WHERE user_id=?';
$stmt = $conn->prepare($sql);
//$stmt->bindColumn(3, $salt);
//$stmt->bindColumn(4, $pwd);
//$stmt->bindParam(':user_id', $user_id);
$done = $stmt->execute(array($_POST['salt'], $_POST['pwd'], $_POST['user_id']));
 
// execute query by passing array of variables
if($stmt->rowCount() == 1) {
$success = "The username has been updated.  You may now log in.";
} else {
$errors[] = 'Sorry, there was a problem with the database.';
 
}
 
}
}
?>
 
 
 
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Update Password</title>
<link href="portal.css" rel="stylesheet" type="text/css">
</head>
 
<body>
<img src="images/dcanew.jpg" alt="dca header image"  class="imgheader" />
<div id="wrapper">
<br><br>
 
<form id="form1" method="post" action="">
<?php
if (isset($success)){
echo "<p>$success</p>";
} elseif (isset($errors) && !empty($errors)) {
echo '<ul>';
foreach ($errors as $error) {
echo "<li>$error</li>";
}
echo '</ul>';
}
?>
<input name="user_id" type="hidden" value="<?php echo $user_id; ?>">
      <p>
    <label for="pwd">New Password:  </label>
    <input type="password"  name="pwd" id="pwd" />
    </p>
    <p>
    <label for="conf_pwd">Re-enter New Password:</label>
    <input type="password"  name="conf_pwd" id="conf_pwd">
    </p>
    <p>
    <input name="update" type="submit" id="update" value="Update Password" />
    </p>
 
 </form>
 
{more on page, but not included here}
  
 
 
Link to comment
https://forums.phpfreaks.com/topic/281650-updating-a-password-with-php-pdo/
Share on other sites

For the bindColumn - I was using bindParam - and received the same issue. As to why - I am unsure.

The Salt is part of the login parameters, so the encoded salt would be compared with the password and encoding to login to the page.

I am using sha1 because I have not worked up to md5 yet, although that would be more secure. 

 

Thank you for looking at it.

both sha1 and md5 are outdated.  using a blowfish crypt with self generating salt, similar to the one in my signature, would be the way to go.  you shouldn't store hash salts in the database except in very rare occasions, doing so unwittingly can open you up to packet attacks as you are forced to pull the hash and the salt back out of the database to perform the check. 

 

stick to using either bindParam or bindValue when attaching values to parameters for prepared statements.

i see an amount of code/data that isn't doing anything and isn't needed. i recommend you start by defining what the posted code is supposed to do - allow the currently logged in user to update his password.

 

you would typically require the old password to be entered (in case a session has been hijacked), along with the new one, plus the new one retyped. all the posted code (form processing and the form) should be inside a conditional statement that has checked if the current visitor is logged in (in which case you would know the user_id from the login/authentication code, and not need to pass it as a get variable or as a hidden form field, which is insecure for this operation anyway since that would let anyone try to update/screw-up someone else's password.)

 

bindColumn is for binding the columns you have SELECT'ed and it's generally not needed. you can just fetch the resultant row(s).also, the numerical parameter is the column number in the SELECT term, it's not the actual column numbers in your table.

 

you are suppling the input data in your $stmt->execute() statement. there's no need to bind the inputs in this case, though you get more control/checking if you do bind the inputs.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.