
update password with password_hash error


LisaDee


Hi

I'm quite a newbie with PHP. I'm trying to add a password change to an existing login script and am stuck on a problem with the password change code. Maybe someone could help me out here please.
I can't figure out where the problem is, why it doesn't insert the hashed password - I'm getting some error after submit (blank page).

 

I noticed the problem is between lines 32 and 47.

 

I've tried with md5 and it worked (inserted the md5 password into the DB), but my login doesn't recognise md5 as it reads password_hash passwords.

<?php
session_start();
include('menu.php');
require_once('../config/db.php');

//strip and trim slashes
function clear($message)
{
    if(!get_magic_quotes_gpc())
        $message = addslashes($message);
    $message = strip_tags($message);
    $message = htmlentities($message);
    return trim($message);
}
// include the configs / constants for the database connection
$con = mysql_connect(DB_HOST, DB_USER, DB_PASS) or
    die("Could not connect: " . mysql_error());
mysql_select_db(DB_NAME);
if(!$_GET['user_id'])
{
    $query = mysql_query("SELECT * FROM users ORDER BY user_id DESC") or die(mysql_error());
}
else
{
    if ($_POST['submit'])
    {
        $user_name = clear($_POST['user_name']);
        $user_fname = clear($_POST['user_fname']);
        $user_lname = clear($_POST['user_lname']);
        $user_id = $_GET['user_id'];

        $user_password = $_POST['newpassword'];
        $newpassword = $_POST['newpassword'];
        $repeatnewpassword = $_POST['repeatnewpassword'];

        // crypt the user's password with PHP 5.5's password_hash() function, results in a 60 character
        // hash string. the PASSWORD_DEFAULT constant is defined by the PHP 5.5, or if you are using
        // PHP 5.3/5.4, by the password hashing compatibility library
        $user_password_hash = password_hash($newpassword, PASSWORD_DEFAULT);

        //check two new passwords
        if ($newpassword==$repeatnewpassword)
        {
            //success
            //change password in db
            mysql_query("UPDATE users SET user_password_hash='$newpassword', user_name='$user_name', user_fname='$user_fname', user_lname='$user_lname' WHERE user_id='$user_id'");
            mysql_close();
            die("Your password has been changed. <a href='index.php'> Return</a>");
        }
        else die("New password doesn't match!");
    }
    else
    {
        $user_id = $_GET['user_id'];
        $query = mysql_query("SELECT * FROM users WHERE user_id='$user_id'");
        $row = mysql_fetch_assoc($query);
?>
<form action="?user_id=<?php echo $row['user_id']; ?>" method="post">
<input type="hidden" name="ID" value="<?php echo $row['user_id']; ?>">
user ID: <input type="text" name="user_name" value="<?php echo $row['user_name']; ?>"><br>
First Name: <input type="text" name="user_fname" value="<?php echo $row['user_fname']; ?>"><br>
Last Name: <input type="text" name="user_lname" value="<?php echo $row['user_lname']; ?>"><br>
New Password: <input type='password' name='newpassword'><p>
Repeat New Password: <input type='password' name='repeatnewpassword'><p>
<input type="Submit" name="submit" value="Enter information">
</form>
<?php }} ?>

thanks!


The avatar is a bit distracting but I'll try to get past it.

 

Try enabling error reporting to see what errors are outputted.

ini_set('display_errors', 'on');
error_reporting(E_ALL);

Add that to the top of the script.

 

Also, you aren't inserting the hashed password into the database. You are only inserting $newpassword, which is the data that was posted. It also isn't sanitized, which leaves you open to SQL injection.


Wow, that was a fast response, I was about to go to sleep. Cheers!!!

 

OK, I added the error check to the code and I've got an error: Call to undefined function password_hash() in edit_pwd.php on line 40

 

Hmm, I've got password_compatibility_library.php in ../library/ for that function; why didn't it recognise it?

And does the actual code look OK?

 

 

@off I'll change it tomorrow ::)


It doesn't use any 'include' for the function, but I thought the function is in 'session'. The full login script is here. There you can see that /libraries/password_compatibility_library.php holds a function password_hash, and /classes/Registration.php uses the same password_hash function without any 'includes'.


Yes, figured it out, I had to change these lines as well to get it to work.

$user_password = $_POST['newpassword'];			
$newpassword = $_POST['newpassword'];
$repeatnewpassword = $_POST['repeatnewpassword'];						
			
$user_password = password_hash($newpassword, PASSWORD_DEFAULT);
mysql_query("UPDATE users SET user_password_hash='$user_password', ... 

Just one more thing please: how do I add checking for an empty password, e.g. if empty echo "please insert password"?


Only display an error if $user_password, $newpassword, or $repeatnewpassword are empty:

// check current password is  empty
if(trim($user_password) == '')
{
   echo 'Please enter your current password';
}
// check whether the user's new password is empty
elseif(trim($newpassword) == '' || trim($repeatnewpassword) == '')
{
    echo 'Please provide new password';
}
// confirm new password matches
elseif($newpassword != $repeatnewpassword)
{
   echo 'New passwords do not match';
}
else
{
    // code for resetting password
}
Edited by Ch0cu3r
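Putting the two answers above together (the hash was never what got written to the database, the values were interpolated straight into SQL, and the empty/match checks were missing), here is a complete password-change step written as an added example. It is not the original poster's code and not php-login.net's code. It assumes the `users` table columns named in the thread (`user_id`, `user_password_hash`) and a PDO connection; the demo at the bottom uses an in-memory SQLite database with constructed sample data so it runs on its own (needs the pdo_sqlite extension). The current password is checked with password_verify() before anything changes, and both queries are prepared statements, so a quote in the input is handled as data rather than as SQL.

```php
<?php
// Added example, not code from the thread or from php-login.net.
// Assumed schema: users(user_id, user_name, user_password_hash).
declare(strict_types=1);

/**
 * Validate the submitted fields. Returns an error message, or null if all is well.
 * Same three checks as suggested in the thread, with strict comparison.
 */
function validate_password_change(string $current, string $new, string $repeat): ?string
{
    if (trim($current) === '') {
        return 'Please enter your current password';
    }
    if (trim($new) === '' || trim($repeat) === '') {
        return 'Please provide new password';
    }
    if ($new !== $repeat) {
        return 'New passwords do not match';
    }
    return null;
}

/**
 * Change one user's password. The stored hash is verified against the
 * current password first, and the new password is stored only as a
 * password_hash() string. Every value reaches SQL through a bound parameter.
 */
function change_password(PDO $db, int $userId, string $current, string $new, string $repeat): string
{
    $error = validate_password_change($current, $new, $repeat);
    if ($error !== null) {
        return $error;
    }

    // Parameterised SELECT: $userId is bound, never concatenated into the query.
    $stmt = $db->prepare('SELECT user_password_hash FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $storedHash = $stmt->fetchColumn();

    // fetchColumn() returns false for an unknown user; password_verify() does
    // the constant-time comparison against the stored hash.
    if ($storedHash === false || !password_verify($current, (string) $storedHash)) {
        return 'Current password is incorrect';
    }

    // Store the hash of the new password, not the password itself.
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET user_password_hash = :hash WHERE user_id = :id');
    $stmt->execute([':hash' => $newHash, ':id' => $userId]);

    return 'Your password has been changed.';
}

// Self-contained demo on an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password_hash TEXT)');
$db->prepare('INSERT INTO users (user_id, user_name, user_password_hash) VALUES (1, :name, :hash)')
   ->execute([':name' => 'lisa', ':hash' => password_hash('old-secret', PASSWORD_DEFAULT)]);

echo change_password($db, 1, '', 'new-secret', 'new-secret'), "\n";            // empty current password
echo change_password($db, 1, 'old-secret', 'new-secret', 'other'), "\n";       // repeat does not match
echo change_password($db, 1, "it's-wrong", 'new-secret', 'new-secret'), "\n";  // quote in input is just a wrong password
echo change_password($db, 1, 'old-secret', 'new-secret', 'new-secret'), "\n";  // success
echo change_password($db, 1, 'old-secret', 'again', 'again'), "\n";            // old password no longer verifies
```

Compared with the thread's script, the user-supplied name fields would be handled the same way: bound as parameters in the UPDATE rather than passed through addslashes()/htmlentities() and interpolated, since the escaping function is meant for output, not for building SQL.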

It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project. PHP has moved beyond that kind of approach these days.

 

As described in the instructions here, they (and you) should be using Composer to manage their (your) dependencies.

 

That would have also avoided the issue of having to include different files as everything autoloads via composer.


Although that is sound advice @trq, not everyone is comfortable with that kind of approach. From the looks of the code (and the question) it would seem the OP is still learning PHP. I'm not sure if Composer was around when I started learning, but stuff like that would have been over my head and incomprehensible while I was learning.


It makes me sad that the code within ircmaxell's password_compat library was literally copied and pasted into this "login script" project.

I don't use ircmaxell's lib. I use http://www.php-login.net and he uses ircmaxell's lib :-* . The license says: "Licensed under MIT. You can use this script for free for any private or commercial projects." Anyway, I use it for non-commercial, training purposes only.

And like I said, I'm new to PHP; it's easier for me to get bits of code and modify them to see how they work, then learn from them.


PHP has moved on, but the practice of learning by browsing code and modifying it hasn't. People will eventually move on to things like package control when they are competent enough with the source language. It's better to learn one thing at a time than to learn several just to stick to best practices; those practices come with time.
