Paul_Withers Posted September 4, 2014

Hi, after following lots of advice and changing to MySqli I am running into a few probs. This is me just probably missing something stupid, I know what I want, but can't figure out what query I should use and where I should place it. All the queries I have tried have failed. I just need a query that gets the $current_stored_password from the password field on the database, to confirm the last check

    elseif ($current_password !== $current_stored_password) {
        include 'includes/overall/header.php';
        echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
        include 'includes/overall/header.php';
    }

Here is the whole script.

    <?php
    session_start();
    error_reporting(0);
    //ini_set('display_errors', '1');
    require( 'database.php' );

    $username = $_SESSION['loggedinuser'];
    $current_stored_password = $_SESSION['password'];
    $current_password = $_POST['current_password'];
    $password = mysqli_real_escape_string($con, md5( $_POST['password']));
    $password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));

    // Run checks
    if (isset($_POST['current_password'], $_POST['password'], $_POST['password_again'])) {
        if( strlen( $_POST['current_password'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif( strlen( $_POST['password'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif ( strlen( $_POST['password_again'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif ($password !== $password_again) {
            include 'includes/overall/header.php';
            echo ' Password and password again do not match';
            include 'includes/overall/header.php';
        } elseif ($current_password !== $current_stored_password) {
            include 'includes/overall/header.php';
            echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
            include 'includes/overall/header.php';
        } else {
            // Define a query to run
            $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
            // Query the database
            $result = mysqli_query($con,$query);
            // Check if the query failed
            if( !$result ) {
                die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
            } else {
                include 'includes/overall/header.php';
                echo 'Password has been changed';
                include 'includes/overall/footer.php';
            }
        }
    }
    // Close the connection
    mysqli_close($con);
    ?>

At the moment the message displayed when the form is submitted is

    echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';

How do I retrieve the password from the database to compare against the current password entered by the user? Any help is much appreciated.

PS. Yes I know I have repeated code and that md5 is not secure, but I am just building onto a template I got and will be making changes to shorten the code and secure the password soon

mac_gyver Posted September 4, 2014

you would write a SELECT query to retrieve the password field, FROM the correct table, WHERE the username is equal to = the posted username, applying either your database library's string escape function to the posted username or using a prepared query, to prevent errors or to prevent sql injection.

if that's a little less than you expected, it's because what you are asking, form and run a query that retrieves a specific column from a specific row in a database table, is a basic skill that you need to learn first, before you can attempt to do it for your data.

Paul_Withers Posted September 4, 2014 Author

    elseif
    $query = "SELECT password FROM `user` WHERE `username`='username'";
    $result = $mysqli->query($query) or die($mysqli->error.__LINE__);
    // GOING THROUGH THE DATA
    if($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            $current_stored_password = $row['password'];
        }
        ($current_password !== $current_stored_password)
        {
            include 'includes/overall/header.php';
            echo $_SESSION['pass'] . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
            include 'includes/overall/header.php';
        }
    } else {
        // Define a query to run
        $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
        // Query the database
        $result = mysqli_query($con,$query);
        // Check if the query failed
        if( !$result ) {
            die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
        } else {
            include 'includes/overall/header.php';
            echo 'Password has been changed';
            include 'includes/overall/footer.php';
        }
    }
    }
    // Close the connection
    mysqli_close($con);
    ?>

Hi, thanks for your reply. Sorry if I am being thick, but I got the following, but it doesn't work. I can't seem to work out how to assign the result to a variable I can check against. Any help is much appreciated. All of the google results seem to be more complicated than what I need

jazzman1 Posted September 4, 2014

if you're using password hashing in your database then just compare them using the same algorithm

example with md5()

    if(md5($current_password) !== $current_stored_password)

Paul_Withers Posted September 4, 2014 Author

Hi jazzman1, that bit is not the problem, I am having trouble getting the password from the database and assigning it to the $current_stored_password variable. Once this is done I am comfortable with carrying out the check. Just the MySqli I'm having trouble with

jazzman1 Posted September 4, 2014

change this line -

    ($current_password !== $current_stored_password)

to

    if($current_password !== $current_stored_password)

Paul_Withers Posted September 4, 2014 Author

Ok, I've done that, the page now reads

    <?php
    session_start();
    error_reporting(0);
    //ini_set('display_errors', '1');
    require( 'database.php' );

    $username = $_SESSION['loggedinuser'];
    $current_stored_password = $_SESSION['password'];
    $current_password = $_POST['current_password'];
    $password = mysqli_real_escape_string($con, md5( $_POST['password']));
    $password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));

    // Run checks
    if (isset($_POST['current_password'], $_POST['password'], $_POST['password_again'])) {
        if( strlen( $_POST['current_password'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif( strlen( $_POST['password'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif ( strlen( $_POST['password_again'] ) < 8 ) {
            include('includes/overall/header.php');
            echo "Password Must Be 8 or More Characters.";
            include('includes/overall/footer.php');
        } elseif ($password !== $password_again) {
            include 'includes/overall/header.php';
            echo ' Password and password again do not match';
            include 'includes/overall/header.php';
        } elseif ($current_password !== $current_stored_password) {
            include 'includes/overall/header.php';
            echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
            include 'includes/overall/header.php';
        } else {
            $query = "SELECT password FROM `user` WHERE `username`='username'";
            $result = $mysqli->query($query) or die($mysqli->error.__LINE__);
            // GOING THROUGH THE DATA
            if($result->num_rows > 0) {
                while($row = $result->fetch_assoc()) {
                    $current_stored_password = $row['password'];
                }
                if($current_password !== $current_stored_password) {
                    include 'includes/overall/header.php';
                    echo $_SESSION['pass'] . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
                    include 'includes/overall/header.php';
                }
            } else {
                // Define a query to run
                $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
                // Query the database
                $result = mysqli_query($con,$query);
                // Check if the query failed
                if( !$result ) {
                    die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
                } else {
                    include 'includes/overall/header.php';
                    echo 'Password has been changed';
                    include 'includes/overall/footer.php';
                }
            }
        }
    }
    // Close the connection
    mysqli_close($con);
    ?>

now I get the error

    ozzie2004 AND ozzie2004 Password and password again do not match

But they do match. What's going on?

Paul_Withers Posted September 4, 2014 Author

    $query = "SELECT password FROM `user` WHERE `username`='username'";
    $result = $mysqli->query($query) or die($mysqli->error.__LINE__);
    // GOING THROUGH THE DATA
    if($result->num_rows > 0) {
        while($row = $result->fetch_assoc()) {
            $current_stored_password = $row['password'];
        }
        if(md5($current_password) !== $current_stored_password) {
            include 'includes/overall/header.php';
            echo $_POST['current_password'] . ' AND ' . $current_stored_password . ' Password and password again do not match';
            include 'includes/overall/header.php';
        }
    } else {
        // Define a query to run
        $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
        // Query the database
        $result = mysqli_query($con,$query);
        // Check if the query failed
        if( !$result ) {
            die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
        } else {
            include 'includes/overall/header.php';
            echo 'Password has been changed';
            include 'includes/overall/footer.php';
        }
    }
    }
    }
    // Close the connection
    mysqli_close($con);
    ?>

This is the correct code, but with the same problem

jazzman1 Posted September 4, 2014

the type is the problem I think, try -

    if(md5($current_password) != $current_stored_password)

( use only one equal sign )

Paul_Withers Posted September 4, 2014 Author

Aarrrggghhh! Nope still doesn't work lol, same error

jazzman1 Posted September 4, 2014

I am out

mikosiko Posted September 4, 2014

Do you realize that you are displaying the same message in 2 places right?.... so the obvious question is which message of those 2 are you seeing?

Paul_Withers Posted September 4, 2014 Author

mikosiko, yes I have just seen that, from here down

    } /* elseif ($current_password !== $current_stored_password) {
        include 'includes/overall/header.php';
        echo $current_password . ' AND ' . $_POST['current_password'] . ' Error: Password and password again do not match';
        include 'includes/overall/header.php';
    */
    } else {
        $query = "SELECT password FROM `user` WHERE `username`='username'";
        $result = $mysqli->query($query) or die($mysqli->error.__LINE__);
        // GOING THROUGH THE DATA
        if($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                $current_stored_password = $row['password'];
            }
            if(md5($current_password) != ($current_stored_password)) {
                include 'includes/overall/header.php';
                echo $current_password . ' AND ' . $current_stored_password . ' Password and currently stored password do not match';
                include 'includes/overall/header.php';
            }
        } else {
            // Define a query to run
            $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
            // Query the database
            $result = mysqli_query($con,$query);
            // Check if the query failed
            if( !$result ) {
                die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
            } else {
                include 'includes/overall/header.php';
                echo 'Password has been changed';
                include 'includes/overall/footer.php';
            }
        }
    }
    }
    // Close the connection
    mysqli_close($con);
    ?>

It is the first check that is throwing out the error. The only thing is, whenever I try to remove one of those checks and error messages, the script doesn't run. What is the correct way to write this? Everything I try results in error messages or blank pages

jazzman1 Posted September 4, 2014

Do var_dump on both variables:

    echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';

Post the output!

    ozzie2004 AND ozzie2004 Password and password again do not match

How do you get those values in case you're using md5() hashing?

Paul_Withers Posted September 4, 2014 Author

Do var_dump on both variables:

    echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';

Post the output! How do you get those values in case you're using md5() hashing?

    ozzie2004 AND ozzie2004 Password and password again do not match

Search me lol

CroNiX Posted September 4, 2014

You're all over the place...

First you get $current_stored_password from a db query:

    $current_stored_password = $row['password'];

Then you compare md5(password) to $current_stored_password, but when you echo the error you don't include the md5(password) value, you echo just the original password, and you also use the value from $_POST instead of $current_stored_password. So in your error output, you are not seeing exactly what you are comparing...

Try something like:

    $current_password = md5($current_password);
    if($current_password != $current_stored_password) {
        echo var_dump($current_password) . ' AND ' . var_dump($current_stored_password) . ' Password and password again do not match';
    }

CroNiX Posted September 4, 2014

Are the passwords actually stored as a md5() hash in the database, or is it a plaintext password?

Paul_Withers Posted September 4, 2014 Author

Ok, this is the result

    ozzie2004 AND ozzie2004 Error: Password and password again do not match
    string(9) "ozzie2004" string(9) "ozzie2004" AND Password and password again do not match

It doesn't seem to be getting the data from the form at all. Even if I change the password it still displays ozzie2004

The form posts to this script with the method set to post

I don't understand what is wrong. The first thing I want to do is remove the first

    elseif ($current_password !== $current_stored_password) {
        include 'includes/overall/header.php';
        echo $current_password . ' AND ' . $_POST['current_password'] . ' Error: Password and password again do not match<br>';
        echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';
        include 'includes/overall/footer.php';
    } else {
        $query = "SELECT password FROM `user` WHERE `username`='username'";
        $result = $mysqli->query($query) or die($mysqli->error.__LINE__);
        // GOING THROUGH THE DATA
        if($result->num_rows > 0) {
            while($row = $result->fetch_assoc()) {
                $current_stored_password = $row['password'];
            }
            if(md5($current_password) != ($current_stored_password)) {
                include 'includes/overall/header.php';
                echo $current_password . ' AND ' . $current_stored_password . ' Password and currently stored password do not match';
                include 'includes/overall/footer.php';
            }
        } else {
            // Define a query to run
            $query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'";
            // Query the database
            $result = mysqli_query($con,$query);
            // Check if the query failed
            if( !$result ) {
                die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
            } else {
                include 'includes/overall/header.php';
                echo 'Password has been changed';
                include 'includes/overall/footer.php';
            }
        }
    }
    }
    // Close the connection
    mysqli_close($con);
    ?>

I need to remove the first

    elseif ($current_password !== $current_stored_password) {

part of the script and go straight to running the rest of the script correctly

CroNiX Posted September 4, 2014

Well, you didn't incorporate the code changes I mentioned, so your error output is wrong and misleading you. The values you are comparing are NOT actually ozzy2004 and ozzy2004. That's impossible if you are using MD5().

Jacques1 Posted September 4, 2014

I don't want to disturb your happy debugging session, but why on earth do you fix a feature when you already know that it's wrong? You've already spent 5 hours on this MD5 crap. And when you're done, congratulations, you can throw it all away and start over with an entirely different interface.

Learning to hash passwords with MD5 is like learning to write websites for Netscape Navigator 1.0: It's not very useful in the 21st century.

Of course you're free to keep debugging. Maybe you like it. But if your goal is to get your application done, then it's time to stop playing with fossils from the 90s and get serious: The Password Hashing extension.

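Added example (not part of any post in this thread): the row lookup mac_gyver describes and the Password Hashing extension Jacques1 points to, combined into one change-password routine. It assumes `$con` is the mysqli connection opened by the thread's database.php, the `user` table and `loggedinuser` session key from the first post, a `password` column wide enough for password_hash() output, and that existing rows hold unsalted md5() hex digests; `change_password()` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread.
// Assumptions: database.php sets $con (mysqli); table `user` has `username`
// and `password` columns; `password` is VARCHAR(255) so bcrypt hashes fit.

// Make mysqli throw mysqli_sql_exception on failure instead of returning
// false, so a failed query never reaches a fetch call as a boolean.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

session_start();
require 'database.php';

// Hypothetical helper: returns null on success, or a message for the user.
function change_password(mysqli $con, $username, $current, $new, $again)
{
    // Compare the raw inputs; hashing both first only hides typos in logs.
    if (strlen($new) < 8) {
        return 'Password Must Be 8 or More Characters.';
    }
    if ($new !== $again) {
        return 'Password and password again do not match';
    }

    // Look up the stored hash with a bound parameter (no string splicing).
    $stmt = $con->prepare('SELECT `password` FROM `user` WHERE `username` = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();          // true = row fetched, null = no row
    $stmt->close();

    if ($found !== true) {
        return 'Current password is incorrect';
    }

    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Legacy row: assumed to be an unsalted md5() hex digest.
        $ok = hash_equals(strtolower($stored), md5($current));
    } else {
        // Row already written by password_hash(); salt is inside the hash.
        $ok = password_verify($current, $stored);
    }
    if (!$ok) {
        return 'Current password is incorrect';
    }

    // Store the new password with the current default algorithm. This also
    // migrates a legacy MD5 row the first time its owner changes password.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $con->prepare('UPDATE `user` SET `password` = ? WHERE `username` = ?');
    $stmt->bind_param('ss', $hash, $username);
    $stmt->execute();
    $stmt->close();

    return null;
}

if (isset($_SESSION['loggedinuser'], $_POST['current_password'],
          $_POST['password'], $_POST['password_again'])) {
    $error = change_password(
        $con,
        $_SESSION['loggedinuser'],
        $_POST['current_password'],
        $_POST['password'],
        $_POST['password_again']
    );
    // Never echo the submitted or stored password back to the page.
    echo $error === null ? 'Password has been changed' : htmlspecialchars($error);
}
```

The login script has to verify against the same column with password_verify(), keeping the MD5 branch only until every row has been migrated.
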
Paul_Withers Posted September 4, 2014 Author

Ok, let's simplify things, here is a script I found - I have edited my form fields to match the values sent

    <?php
    session_start();
    $username = $_SESSION['loggedinuser'];
    $password1 = $_POST['password1'];
    $password2 = $_REQUEST['password2'];
    include('database.php');

    $sql = mysqli_query($con, "SELECT password, salt FROM user WHERE username ='".$username."'");
    while($row = mysqli_fetch_array($sql)){
        $salt = $row['salt'];
        $password = $password1;
        $hash = md5($salt . $password);
        mysqli_query($con, "UPDATE user SET password = '".$hash."' WHERE username ='".$username."'");
    }
    ?>

The only prob is I get the following error

    Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line 9

I have pasted this into php checker and it says the syntax is correct. Any ideas? This would solve so many problems

Paul_Withers Posted September 4, 2014 Author

This is the original code

    <?php
    session_start();
    $user_id = $_SESSION['user_id'];
    $password1 = $_POST['password1'];
    $password2 = $_REQUEST['password2'];
    include('database.php');

    $sql = mysqli_query($con, "SELECT password, salt FROM user WHERE id ='".$user_id."'");
    while($row = mysqli_fetch_array($sql)){
        $salt = $row['salt'];
        $password = $password1;
        $hash = md5($salt . $password);
        mysqli_query($con, "UPDATE user SET password = '".$hash."' WHERE id='".$user_id."'");
    }
    ?>

The errors given are

    Notice: Undefined index: user_id in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line 3
    Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line 9

If I change user_id to id as it is in my database, I get the same error. I think it's because the mysqli_result does not contain a number. If I leave it as

    $username = $_SESSION['loggedinuser'];

then the variable passed to the query is a word and not a number. How can I get $_SESSION['id']; to exist?

Jacques1 Posted September 4, 2014

So you've replaced a bunch of broken crap code with a different bunch of broken crap code. And that helps you how exactly? As far as I can tell, we're back to square one: The stuff doesn't work, and you need help to fix it.

Look, you can spend the rest of your life debugging nonsense code you found somewhere on the Internet. But what's the point of that? Wouldn't it make a lot more sense to learn PHP and write your own code? Isn't that the whole point of programming?

PHP is no rocket science. If you're willing to learn, you should be able to understand database queries, sessions and password hashing very quickly. I think you should give it a try. It's also much more satisfying to create something yourself rather than end up with “I found some random code on the Internet, and then some random guy fixed it for me”.

Paul_Withers Posted September 4, 2014 Author

Jacques1, for your information, although I am not a complete rocket science at PHP, I understood enough of it to have a successfully working site in MySQL. I am just having a bit of trouble making it work in MySQLi. The first lot of "crap" works fine to register a user, it's just the "crap" doesn't work on the changepasswordcheck.php. I thought it would be easier to use the registercheck.php as a template, but it hasn't quite worked out. So I thought I would copy a supposedly working script from the internet, but then again that's "crap" too.

Help is much appreciated, but being told everything I write is crap, is rude, insulting and of absolutely no help to anyone. If you can't leave a comment without being helpful, then please politely refrain

jazzman1 Posted September 5, 2014

    $sql = mysqli_query($con, "SELECT password, salt FROM user WHERE id ='".$user_id."'");
    while($row = mysqli_fetch_array($sql)){
        $salt = $row['salt'];
        $password = $password1;
        $hash = md5($salt . $password);

The logic should be:

    if ($row['password'] == md5($data['password'].$row['salt']))

where "$data['password']" is the user password input field!

How did you salt the password? Is it something like that:

    $salt = 'salt_password';
    $pass = md5($data['password']. $salt);

I don't see how to insert the hashing data into a database in your examples. Can you show us the script, please?

This topic is now archived and is closed to further replies.