LisaDee Posted February 14, 2014 Share Posted February 14, 2014 Hi I'm quite newbie with php. Im trying to add password change to existing login script and stuck on a problem with password change code. May be someone could help me out here please.Can't figure out where is the problem, why it doesn't insert the hashed password - getting some error after submit ( blank page). i noticed problem is between lines 32 and 47 I've tried with md5 and it worked (inserted md5 pwd into DB) but my login don't recognise md5 as it reads password_hash passwords. <?php session_start(); include('menu.php'); require_once('../config/db.php'); //strip and trim slashes function clear($message) { if(!get_magic_quotes_gpc()) $message = addslashes($message); $message = strip_tags($message); $message = htmlentities($message); return trim($message); } // include the configs / constants for the database connection $con = mysql_connect(DB_HOST, DB_USER, DB_PASS) or die("Could not connect: " . mysql_error()); mysql_select_db(DB_NAME); if(!$_GET['user_id']) { $query = mysql_query("SELECT * FROM users ORDER BY user_id DESC") or die(mysql_error()); } else { if ($_POST['submit']) { $user_name = clear($_POST['user_name']); $user_fname = clear($_POST['user_fname']); $user_lname = clear($_POST['user_lname']); $user_id = $_GET['user_id']; $user_password = $_POST['newpassword']; $newpassword = $_POST['newpassword']; $repeatnewpassword = $_POST['repeatnewpassword']; // crypt the user's password with PHP 5.5's password_hash() function, results in a 60 character // hash string. the PASSWORD_DEFAULT constant is defined by the PHP 5.5, or if you are using // PHP 5.3/5.4, by the password hashing compatibility library $user_password_hash = password_hash($newpassword, PASSWORD_DEFAULT); //check two new passwords if ($newpassword==$repeatnewpassword) { //successs //change password in db mysql_query("UPDATE users SET user_password_hash='$newpassword', user_name='$user_name', user_fname='$user_fname', user_lname='$user_lname' WHERE user_id='$user_id'"); mysql_close(); die("Your password has been changed. <a href='index.php'> Return</a>"); } else die("New password doesn't match!"); } else { $user_id = $_GET['user_id']; $query = mysql_query("SELECT * FROM users WHERE user_id='$user_id'"); $row = mysql_fetch_assoc($query); ?> <form action="?user_id=<?php echo $row['user_id']; ?>" method="post"> <input type="hidden" name="ID" value="<?php echo $row['user_id']; ?>"> user ID: <input type="text" name="user_name" value="<?php echo $row['user_name']; ?>"><br> First Name: <input type="text" name="user_fname" value="<?php echo $row['user_fname']; ?>"><br> Last Name: <input type="text" name="user_lname" value="<?php echo $row['user_lname']; ?>"><br> New Password: <input type='password' name='newpassword'><p> Repeat New Password: <input type='password' name='repeatnewpassword'><p> <input type="Submit" name="submit" value="Enter information"> </form> <?php }} ?> thanks! Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/ Share on other sites More sharing options...
doddsey_65 Posted February 14, 2014 Share Posted February 14, 2014 The avatar is a bit distracting but I'll try to get past it. Try enabling error reporting to see what errors are outputted. ini_set('display_errors', 'on'); error_reporting(E_ALL); Add that to the top of the script. Also you arent inserting the hashed password into the database. You are only inserting $newpassword which is the data that was posted. It also isnt sanitized which leaves you open to sql injection. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468831 Share on other sites More sharing options...
jazzman1 Posted February 14, 2014 Share Posted February 14, 2014 @off: Can you change your avatar when providing code next time. I can't concentrate into it Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468832 Share on other sites More sharing options...
LisaDee Posted February 14, 2014 Author Share Posted February 14, 2014 wow that was fast response i was about to go sleep. Cheers!!! kk added error check to code and ive got an error: Call to undefined function password_hash() in edit_pwd.php on line 40 hmm ive got password_compatibility_library.php in ../library/ for that function, why it didn't recognised it? And does the actual code looks ok? @off i'll change it 2morrow Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468837 Share on other sites More sharing options...
doddsey_65 Posted February 14, 2014 Share Posted February 14, 2014 is the file "password_compatibility_library.php" being included anywhere? Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468838 Share on other sites More sharing options...
LisaDee Posted February 14, 2014 Author Share Posted February 14, 2014 it doesn't use any tag 'include' for the function but i thought the function is in 'session'. The full login scrip is here . There u can see that /libraries/password_compatibility_library.php holds a function password_hash and in /classes/Registration.php uses same password_hash function without any 'includes'. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468881 Share on other sites More sharing options...
LisaDee Posted February 14, 2014 Author Share Posted February 14, 2014 P.S. as per doddsey_65 suggestion I added line on top require_once('../libraries/password_compatibility_library.php'); and now it is inserted password into DB w/o error but it is not hashed - plain password e.g. 123456 Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468885 Share on other sites More sharing options...
LisaDee Posted February 14, 2014 Author Share Posted February 14, 2014 ye figured out, i had to change these lines as well to get it work. $user_password = $_POST['newpassword']; $newpassword = $_POST['newpassword']; $repeatnewpassword = $_POST['repeatnewpassword']; $user_password = password_hash($newpassword, PASSWORD_DEFAULT); mysql_query("UPDATE users SET user_password_hash='$user_password', ... Just 1 more thing please how do i add checking for a empty password - e.g. if empty echo "please insert password" Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468886 Share on other sites More sharing options...
Ch0cu3r Posted February 14, 2014 Share Posted February 14, 2014 (edited) Only display error if $user_password, $newpassword, or $repeatnewpassword are empty // check current password is empty if(trim($user_password) == '') { echo 'Please enter your current password'; } // check users new password is emtpty elseif(trim($newpassword) == '' || trim($repeatnewpassword) == '') { echo 'Please provide new password'; } // confirm new password matches elseif($newpassword != $repeatnewpassword) { echo 'New passwords do not match'; } else { // code for resetting password } Edited February 14, 2014 by Ch0cu3r Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468906 Share on other sites More sharing options...
Solution LisaDee Posted February 14, 2014 Author Solution Share Posted February 14, 2014 ty all for ur help. looks like all is working. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1468939 Share on other sites More sharing options...
trq Posted February 15, 2014 Share Posted February 15, 2014 It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project. PHP has moved beyond that kind of approach these days. As described in the instructions here, they (and you) should be using composer to manage there (your) dependencies. That would have also avoided the issue of having to include different files as everything autoloads via composer. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469031 Share on other sites More sharing options...
doddsey_65 Posted February 15, 2014 Share Posted February 15, 2014 Although sound advice @trq not everyone is comfortable with that kind of approach. From the looks of the code (and the question) it would seem OP is still learning PHP. Not sure if Composer was around when I started learning but stuff like that would have been over my head and un-comprehensible while I was learning. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469038 Share on other sites More sharing options...
LisaDee Posted February 15, 2014 Author Share Posted February 15, 2014 It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project. I don't use ircmaxell's lib. I use http://www.php-login.net and he uses ircmaxell lib . License says: "Licensed under MIT. You can use this script for free for any private or commercial projects.". Any ways I it use for non commercial, for training purpose only. And like I said I'm new to PHP it's easier for me to get bits of code and modify them to see how they work then learn from them. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469040 Share on other sites More sharing options...
trq Posted February 15, 2014 Share Posted February 15, 2014 I don't use ircmaxell's lib. I use http://www.php-login.net and he uses ircmaxell lib . License says: "Licensed under MIT. You can use this script for free for any private or commercial projects.". Your using it. But, I'm not having a go about the licensing stuff, thats fine. It's how it was installed. PHP has moved on from copy and paste. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469041 Share on other sites More sharing options...
doddsey_65 Posted February 15, 2014 Share Posted February 15, 2014 PHP has moved on but the practice of learning by browsing code and modifying it to learn hasn't. People will eventually move on to things like package control when they are competent enough with the source language. Better to learn one thing at a time than to learn several just to stick to best practices, those practices come with time. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469042 Share on other sites More sharing options...
trq Posted February 15, 2014 Share Posted February 15, 2014 PHP has moved on but the practice of learning by browsing code and modifying it to learn hasn't. That is indeed what is making me sad. The op is learning from code that is not using "current best practice". Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469050 Share on other sites More sharing options...
doddsey_65 Posted February 15, 2014 Share Posted February 15, 2014 When you learnt to speak, did you learn by forming coherent sentences, or did you learn word by word? You start from the beginning and then learn the best way to go about things. Quote Link to comment https://forums.phpfreaks.com/topic/286187-update-password-with-password_hash-error/#findComment-1469051 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.