Jump to content

Query about how to retrieve a password from the database and compare to the one the user has entered


Go to solution Solved by Paul_Withers,

Recommended Posts

Hi, after following lots of advice and changing to MySqli I am running into a few probs. This is me just probably missing something stupid, I know what I want, but can't figure out what query I should use and where I should place it. All the queries I have tried have failed.

 

I just need a query that gets the $current_stored_password from the password field on the database, to confirm the last check

elseif 
	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
	include 'includes/overall/header.php';

}

Here is the whole script.

<?php
session_start();
error_reporting(0);
//ini_set('display_errors', '1');

require( 'database.php' );

$username = $_SESSION['loggedinuser'];
$current_stored_password = $_SESSION['password'];
$current_password = $_POST['current_password'];
$password = mysqli_real_escape_string($con, md5( $_POST['password']));
$password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));


// Run checks

if	(isset($_POST['current_password'], $_POST['password'], $_POST['password_again'])) {
	
if( strlen( $_POST['current_password'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
}
elseif( strlen( $_POST['password'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    }
elseif 
		( strlen( $_POST['password_again'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    }
elseif 
	($password !== $password_again) {
	include 'includes/overall/header.php';
	echo ' Password and password again do not match';
	include 'includes/overall/header.php';
}
elseif 
	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
	include 'includes/overall/header.php';

} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}

// Close the connection 
mysqli_close($con); 
?> 

At the moment the message displayed when the form is submitted is

	echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
 

How do I retrieve the password from the database to compare against the current password entered by the user? Any help is much appreciated.

 

PS. Yes I know I have repeated code and that md5 is not secure, but I am just building onto a template I got and will be making changes to shorten the code and secure the password soon

 

 

  • Replies 56
  • Created
  • Last Reply

Top Posters In This Topic

you would write a SELECT query to retrieve the password field, FROM the correct table, WHERE the username is equal to = the posted username, applying either your database library's string escape function to the posted username or using a prepared query, to prevent errors or to prevent sql injection.

 

if that's a little less than you expected, it's because what you are asking, form and run a query that retrieves a specific column from a specific row in a database table, is a basic skill that you need to learn first, before you can attempt to do it for your data.


elseif 

	$query = "SELECT password FROM `user` WHERE `username`='username'";
	$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
	$current_stored_password = $row['password'];
		}


	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $_SESSION['pass'] . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
	include 'includes/overall/header.php';
}
} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}

// Close the connection 
mysqli_close($con); 
?> 

Hi, thanks for your reply. Sorry if I am being thick, but I got the following, but it doesn't work. I can't seem to work out how to assign the result to a variable I can check against.

 

Any help is much appreciated. All of the google results seem to be more complicated than what I need :(

if you're using password hashing in your database then just compare them using the same algoritm

 

example with md5()

 

if(md5($current_password) !== $current_stored_password)

Hi jazzman1, that bit is not the problem, I am having trouble getting the password from the database and assigning it to the $current_stored_password variable. Once this is done I am comfortable with carrying out the check. Just the MySqli I'm having trouble with

Ok I don't that, the page now reads

<?php
session_start();
error_reporting(0);
//ini_set('display_errors', '1');

require( 'database.php' );

$username = $_SESSION['loggedinuser'];
$current_stored_password = $_SESSION['password'];
$current_password = $_POST['current_password'];
$password = mysqli_real_escape_string($con, md5( $_POST['password']));
$password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));


// Run checks

if	(isset($_POST['current_password'], $_POST['password'], $_POST['password_again'])) {
	
if( strlen( $_POST['current_password'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
}
elseif( strlen( $_POST['password'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    }
elseif 
		( strlen( $_POST['password_again'] ) < 8 )
    {
        include('includes/overall/header.php');
        echo "Password Must Be 8 or More Characters.";
        include('includes/overall/footer.php');
    }
elseif 
	($password !== $password_again) {
	include 'includes/overall/header.php';
	echo ' Password and password again do not match';
	include 'includes/overall/header.php';
}
elseif 
	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
	include 'includes/overall/header.php';

} else {

$query = "SELECT password FROM `user` WHERE `username`='username'";
	$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
	$current_stored_password = $row['password'];
		}


 if($current_password !== $current_stored_password) {
 	include 'includes/overall/header.php';
	echo $_SESSION['pass'] . ' AND ' . $_POST['current_password'] . ' Password and password again do not match';
	include 'includes/overall/header.php';
}
} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}
}
// Close the connection 
mysqli_close($con); 
?> 

now I get the error 

 

ozzie2004 AND ozzie2004 Password and password again do not match

 
But they do match. Whats going on?
$query = "SELECT password FROM `user` WHERE `username`='username'";
	$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
	$current_stored_password = $row['password'];
		}


 if(md5($current_password) !== $current_stored_password) {
 	include 'includes/overall/header.php';
	echo $_POST['current_password'] . ' AND ' . $current_stored_password . ' Password and password again do not match';
	include 'includes/overall/header.php';
}
} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}
}
// Close the connection 
mysqli_close($con); 
?> 

This is the correct code, but with the same problem

the type is the problem i thing, try - if(md5($current_password) != $current_stored_password) ( use ony one equal sign )

Edited by jazzman1

mikosiko, yes I have just seen that, from here down

}
/*
elseif 
	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $_POST['current_password'] . ' Error: Password and password again do not match';
	include 'includes/overall/header.php';
*/
} else {

$query = "SELECT password FROM `user` WHERE `username`='username'";
	$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
	$current_stored_password = $row['password'];
		}


 if(md5($current_password) != ($current_stored_password)) {
 	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $current_stored_password . ' Password and currently stored password do not match';
	include 'includes/overall/header.php';
}
} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}
}
// Close the connection 
mysqli_close($con); 
?> 

It is the first check that is throwing out the error.

 

The only thing is, whenever I try to remove one of those checks and error messages, the script doesn't run. What is the correct way to write this? Everything I try results in error messages or blank pages :(

Edited by Paul_Withers

Do var_dump on both variables:

echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';

Post the output!

 

 

ozzie2004 AND ozzie2004 Password and password again do not match

 

How do you get those values in case you're using md5() hashing?

Edited by jazzman1

Do var_dump on both variables:

echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';

Post the output!

 

 

How do you get those values in case you're using md5() hashing?

 

ozzie2004 AND ozzie2004 Password and password again do not match

Search me lol

You're all over the place...

 

First you get $current_stored_password from a db query:

$current_stored_password = $row['password'];

Then you compare md5(password) to $current_stored_password, but when you echo the error you don't include the md5(password) value, you echo just the original password, and you also use the value from $_POST instead of $current_stored_password. So in your error output, you are not seeing exactly what you are comparing...

 

Try something like:

$current_password = md5($current_password);
if($current_password != $current_stored_password) {
  echo var_dump($current_password) . ' AND ' . var_dump($current_stored_password) . ' Password and password again do not match';
}
Edited by CroNiX

Ok, this is the result

 

ozzie2004 AND ozzie2004 Error: Password and password again do not match
string(9) "ozzie2004" string(9) "ozzie2004" AND Password and password again do not match

 

​It doesn't seem to be getting the data from the form at all. Even if I change the password it still displays ozzie2004

 

The form posts to this script with the method set to post

 

I dont understand what is wrong.

 

​The first thing I want to do is remove the first 

elseif 
	($current_password !== $current_stored_password) {
	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $_POST['current_password'] . ' Error: Password and password again do not match<br>';
	echo var_dump($current_password) . ' AND ' . var_dump($_POST['current_password']) . ' Password and password again do not match';

	include 'includes/overall/footer.php';

} else {

$query = "SELECT password FROM `user` WHERE `username`='username'";
	$result = $mysqli->query($query) or die($mysqli->error.__LINE__);

// GOING THROUGH THE DATA
	if($result->num_rows > 0) {
		while($row = $result->fetch_assoc()) {
	$current_stored_password = $row['password'];
		}


 if(md5($current_password) != ($current_stored_password)) {
 	include 'includes/overall/header.php';
	echo $current_password . ' AND ' . $current_stored_password . ' Password and currently stored password do not match';
	include 'includes/overall/footer.php';
}
} else {

// Define a query to run 
$query = "UPDATE `user` SET `password` = '$password' WHERE `username` = '$username'"; 

// Query the database 
$result = mysqli_query($con,$query); 

// Check if the query failed 
if( !$result ) 
{ 
   die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con)); 
} 

else {

include 'includes/overall/header.php';
	echo 'Password has been changed';
include 'includes/overall/footer.php';
}    
}
}
}
// Close the connection 
mysqli_close($con); 
?> 

I need to remove the first

 

elseif 
($current_password !== $current_stored_password) {
 
part of the script and go straight to running the rest of the script correctly

Well, you didn't incorporate the code changes I mentioned, so your error output is wrong and misleading you. The values you are comparing are NOT actually ozzy2004 and ozzy2004. That's impossible if you are using MD5().

I don't want to disturb your happy debugging session, but why on earth do you fix a feature when you already know that it's wrong?

 

You've already spent 5 hours on this MD5 crap. And when you're done, congratulations, you can throw it all away and start over with an entirely different interface. Learning to hash passwords with MD5 is like learning to write websites for Netscape Navigator 1.0: It's not very useful in the 21st century.

 

Of course you're free to keep debugging. Maybe you like it. But if your goal is to get your application done, then it's time to stop playing with fossiles from the 90s and get serious: The Password Hashing extension.

Ok, lets simplify things, here is a script i found - I have edited my form fields to match the values sent 

<?php 
session_start(); 
$username = $_SESSION['loggedinuser']; 
$password1 = $_POST['password1']; 
$password2 = $_REQUEST['password2']; 

include('database.php'); 
$sql = mysqli_query($con, "SELECT password, salt FROM user WHERE username ='".$username."'"); 
while($row = mysqli_fetch_array($sql)){ $salt = $row['salt']; 
$password = $password1; 
$hash = md5($salt . $password); 

mysqli_query($con, "UPDATE user SET password = '".$hash."' WHERE username ='".$username."'"); 
} 
?>

The only prob is I get the following error

 

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line 9

 

I have pasted this into php checker and it says the syntax is correct. Any ideas? This would solve so many problems

This is the original code

<?php
session_start();
$user_id = $_SESSION['user_id'];
$password1 = $_POST['password1'];
$password2 = $_REQUEST['password2'];

include('database.php');
$sql = mysqli_query($con, "SELECT password, salt FROM user WHERE id ='".$user_id."'");
while($row = mysqli_fetch_array($sql)){ $salt = $row['salt'];
$password = $password1;
$hash = md5($salt . $password);

mysqli_query($con, "UPDATE user SET password = '".$hash."' WHERE id='".$user_id."'");
}
?>

The errors given are

 

 

 

Notice: Undefined index: user_id in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line 3

Warning: mysqli_fetch_array() expects parameter 1 to be mysqli_result, boolean given in /Applications/XAMPP/xamppfiles/htdocs/changepasswordcheck.php on line9

 

if i change user_id to id as it is in my database, I get the same error.  I think its because the mysqli_result does not contain a number. If I leave it as

$username = $_SESSION['loggedinuser']; 

then the variable passed to the query is a word and not a number.

 

How can I get $_SESSION['id']; to exist?

So you've replaced a bunch of broken crap code with a different bunch of broken crap code. And that helps you how exactly? As far as I can tell, we're back to square one: The stuff doesn't work, and you need help to fix it.

 

Look, you can spend the rest of your life debugging nonsense code you found somewhere on the Internet. But what's the point of that? Wouldn't it make a lot more sense to learn PHP and write your own code? Isn't that the whole point of programming?

 

PHP is no rocket science. If you're willing to learn, you should be able to understand database queries, sessions and password hashing very quickly. I think you should give it a try. It's also much more satisfying to create something yourself rather than end up with “I found some random code on the Internet, and then some random guy fixed it for me”.

Jacques1, for your information, although I am not a complete rocket science at PHP, I understood enough of it to have a successfully working site in MySQL. I am just having a bit of trouble making it work in MySQLi.

 

The first lot of "crap" works fine to register a user, its just the "crap" doesn't work on the changepasswordcheck.php. I thought it would be easier to use the registercheck.php as a template, but it hasn't quite worked out. So I thought I would copy a supposedly working script from the internet, but then again thats "crap" too.

 

Help is much appreciated, but being told everything I write is crap, is rude, insulting and of absolutely no help to anyone.

 

If you can't leave a comment without being helpful, then please politely refrain

$sql = mysqli_query($con, "SELECT password, salt FROM user WHERE id ='".$user_id."'");
while($row = mysqli_fetch_array($sql)){ $salt = $row['salt'];
$password = $password1;
$hash = md5($salt . $password);

The logic should be:

if ($row['password'] == md5($data['password'].$row['salt']) 

where "$data['password']" is the user password input field!

 

How did you salt the password? Is it something like that: 

 $salt = 'salt_password';

 $pass = md5($data['password']. $salt);

I don't see how to insert the hashing data into a database in your examples. Can you show us the script, please?

Edited by jazzman1
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.