LisaDee Posted February 14, 2014

Hi, I'm quite a newbie with PHP. I'm trying to add a password change to an existing login script and am stuck on a problem with the password change code. Maybe someone could help me out here, please. Can't figure out where the problem is, why it doesn't insert the hashed password - getting some error after submit (blank page). I noticed the problem is between lines 32 and 47. I've tried with md5 and it worked (inserted md5 pwd into DB) but my login doesn't recognise md5 as it reads password_hash passwords.

```php
<?php
session_start();
include('menu.php');
require_once('../config/db.php');

//strip and trim slashes
function clear($message)
{
    if(!get_magic_quotes_gpc())
        $message = addslashes($message);
    $message = strip_tags($message);
    $message = htmlentities($message);
    return trim($message);
}

// include the configs / constants for the database connection
$con = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die("Could not connect: " . mysql_error());
mysql_select_db(DB_NAME);

if(!$_GET['user_id'])
{
    $query = mysql_query("SELECT * FROM users ORDER BY user_id DESC") or die(mysql_error());
}
else
{
    if ($_POST['submit'])
    {
        $user_name = clear($_POST['user_name']);
        $user_fname = clear($_POST['user_fname']);
        $user_lname = clear($_POST['user_lname']);
        $user_id = $_GET['user_id'];
        $user_password = $_POST['newpassword'];
        $newpassword = $_POST['newpassword'];
        $repeatnewpassword = $_POST['repeatnewpassword'];

        // crypt the user's password with PHP 5.5's password_hash() function, results in a 60 character
        // hash string. the PASSWORD_DEFAULT constant is defined by the PHP 5.5, or if you are using
        // PHP 5.3/5.4, by the password hashing compatibility library
        $user_password_hash = password_hash($newpassword, PASSWORD_DEFAULT);

        //check two new passwords
        if ($newpassword==$repeatnewpassword)
        {
            //success
            //change password in db
            mysql_query("UPDATE users SET user_password_hash='$newpassword', user_name='$user_name', user_fname='$user_fname', user_lname='$user_lname' WHERE user_id='$user_id'");
            mysql_close();
            die("Your password has been changed. <a href='index.php'> Return</a>");
        }
        else
            die("New password doesn't match!");
    }
    else
    {
        $user_id = $_GET['user_id'];
        $query = mysql_query("SELECT * FROM users WHERE user_id='$user_id'");
        $row = mysql_fetch_assoc($query);
?>
<form action="?user_id=<?php echo $row['user_id']; ?>" method="post">
<input type="hidden" name="ID" value="<?php echo $row['user_id']; ?>">
user ID: <input type="text" name="user_name" value="<?php echo $row['user_name']; ?>"><br>
First Name: <input type="text" name="user_fname" value="<?php echo $row['user_fname']; ?>"><br>
Last Name: <input type="text" name="user_lname" value="<?php echo $row['user_lname']; ?>"><br>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type="Submit" name="submit" value="Enter information">
</form>
<?php
    }
}
?>
```

Thanks!

doddsey_65 Posted February 14, 2014

The avatar is a bit distracting but I'll try to get past it. Try enabling error reporting to see what errors are outputted.

```php
ini_set('display_errors', 'on');
error_reporting(E_ALL);
```

Add that to the top of the script. Also, you aren't inserting the hashed password into the database. You are only inserting $newpassword, which is the data that was posted. It also isn't sanitized, which leaves you open to SQL injection.

jazzman1 Posted February 14, 2014

@off: Can you change your avatar when providing code next time? I can't concentrate on it.

LisaDee (Author) Posted February 14, 2014

Wow, that was a fast response, I was about to go to sleep. Cheers!!! kk, added the error check to the code and I've got an error:

Call to undefined function password_hash() in edit_pwd.php on line 40

Hmm, I've got password_compatibility_library.php in ../library/ for that function, why didn't it recognise it? And does the actual code look OK?

@off I'll change it 2morrow

doddsey_65 Posted February 14, 2014

Is the file "password_compatibility_library.php" being included anywhere?

LisaDee (Author) Posted February 14, 2014

It doesn't use any 'include' tag for the function, but I thought the function is in 'session'. The full login script is here. There u can see that /libraries/password_compatibility_library.php holds the function password_hash, and /classes/Registration.php uses the same password_hash function without any 'includes'.

LisaDee (Author) Posted February 14, 2014

P.S. As per doddsey_65's suggestion I added this line on top:

```php
require_once('../libraries/password_compatibility_library.php');
```

and now it inserts the password into the DB w/o error, but it is not hashed - plain password, e.g. 123456

LisaDee (Author) Posted February 14, 2014

Ye, figured it out, I had to change these lines as well to get it to work.

```php
$user_password = $_POST['newpassword'];
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];
$user_password = password_hash($newpassword, PASSWORD_DEFAULT);

mysql_query("UPDATE users SET user_password_hash='$user_password', ...
```

Just 1 more thing please: how do I add a check for an empty password - e.g. if empty echo "please insert password"

Ch0cu3r Posted February 14, 2014

Only display an error if $user_password, $newpassword, or $repeatnewpassword are empty

```php
// check current password is empty
if(trim($user_password) == '') {
    echo 'Please enter your current password';
}
// check users new password is empty
elseif(trim($newpassword) == '' || trim($repeatnewpassword) == '') {
    echo 'Please provide new password';
}
// confirm new password matches
elseif($newpassword != $repeatnewpassword) {
    echo 'New passwords do not match';
}
else {
    // code for resetting password
}
```

Edited February 14, 2014 by Ch0cu3r

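An added example, not part of the thread and not code from the login script being discussed: it combines the points raised in the replies above (store the password_hash() output rather than the posted value, keep user input out of the SQL string, reject empty or mismatched passwords) in one function. It swaps the thread's mysql_* calls for PDO prepared statements; the change_password() helper and the in-memory SQLite demo table are assumptions, and the column names are taken from the original post.

```php
<?php
// Added example, not from the thread. Assumes PHP 5.5+ (or the compatibility
// library already loaded) and the pdo_sqlite extension for the demo database.

// Hypothetical helper: validates the two password fields, then stores only
// the password_hash() output using a prepared statement.
function change_password(PDO $db, $userId, $newPassword, $repeatPassword)
{
    if (trim($newPassword) === '' || trim($repeatPassword) === '') {
        return 'Please provide new password';
    }
    if ($newPassword !== $repeatPassword) {
        return 'New passwords do not match';
    }

    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    if ($hash === false) {
        return 'Could not hash password';
    }

    // Placeholders keep the values out of the SQL text, so nothing posted
    // by the user can change the structure of the query.
    $stmt = $db->prepare(
        'UPDATE users SET user_password_hash = :hash WHERE user_id = :id'
    );
    $stmt->execute(array(':hash' => $hash, ':id' => (int) $userId));

    return $stmt->rowCount() === 1 ? true : 'Unknown user';
}

// Constructed demo data: an in-memory table using the thread's column names.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password_hash TEXT)');
$db->exec("INSERT INTO users (user_id, user_name, user_password_hash) VALUES (1, 'demo', '')");

var_dump(change_password($db, 1, '', ''));               // empty input is rejected
var_dump(change_password($db, 1, 'abc', 'abd'));         // mismatch is rejected
var_dump(change_password($db, 1, 's3cret!', 's3cret!')); // hash is stored

// The stored value is a hash, and password_verify() accepts the original.
$stored = $db->query('SELECT user_password_hash FROM users WHERE user_id = 1')->fetchColumn();
var_dump($stored !== 's3cret!' && password_verify('s3cret!', $stored));
```
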
LisaDee (Author) Posted February 14, 2014, marked as Solution

Ty all for ur help. Looks like all is working.

trq Posted February 15, 2014

It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project. PHP has moved beyond that kind of approach these days. As described in the instructions here, they (and you) should be using composer to manage their (your) dependencies. That would have also avoided the issue of having to include different files, as everything autoloads via composer.

doddsey_65 Posted February 15, 2014

Although sound advice, @trq, not everyone is comfortable with that kind of approach. From the looks of the code (and the question) it would seem OP is still learning PHP. Not sure if Composer was around when I started learning, but stuff like that would have been over my head and incomprehensible while I was learning.

LisaDee (Author) Posted February 15, 2014

> It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project.

I don't use ircmaxell's lib. I use http://www.php-login.net and he uses ircmaxell's lib. The license says: "Licensed under MIT. You can use this script for free for any private or commercial projects." Anyway, I use it for non-commercial, training purposes only. And like I said, I'm new to PHP; it's easier for me to get bits of code and modify them to see how they work, then learn from them.

trq Posted February 15, 2014

> I don't use ircmaxell's lib. I use http://www.php-login.net and he uses ircmaxell lib . License says: "Licensed under MIT. You can use this script for free for any private or commercial projects.".

You're using it. But I'm not having a go about the licensing stuff, that's fine. It's how it was installed. PHP has moved on from copy and paste.

doddsey_65 Posted February 15, 2014

PHP has moved on but the practice of learning by browsing code and modifying it to learn hasn't. People will eventually move on to things like package control when they are competent enough with the source language. Better to learn one thing at a time than to learn several just to stick to best practices, those practices come with time.

trq Posted February 15, 2014

> PHP has moved on but the practice of learning by browsing code and modifying it to learn hasn't.

That is indeed what is making me sad. The op is learning from code that is not using "current best practice".

doddsey_65 Posted February 15, 2014

When you learnt to speak, did you learn by forming coherent sentences, or did you learn word by word? You start from the beginning and then learn the best way to go about things.