Paul_Withers (Author), posted September 6, 2014

Thank you so much for your help, all is working now. Very much appreciated.

jazzman1, posted September 6, 2014

Can I see the output from var_dump, just to be sure?

Paul_Withers (Author), posted September 9, 2014

Hi Jazzman,

I have successfully allowed the user to login and pass all the session variables. However my changepasswordcheck.php file has stopped working. The script runs, says the password has been changed, but neither the password nor salt_password fields are updated.

Here is what I got

```php
<?php
session_start();
error_reporting(E_ALL);
ini_set('display_errors', '1');
require( 'database.php' );
include('includes/overall/header.php');

$username = $_SESSION['loggedinuser'];
$password_again = mysqli_real_escape_string($con, md5( $_POST['password_again']));
//If I delete the line below the script does not run
$password = mysqli_real_escape_string($con, md5( $_POST['password']));
$salt = md5(uniqid(rand(), true));
$pass = md5($_POST['password'].$salt,true);

if (isset($password, $password_again)) {
    if( strlen( $password ) < 8 ) {
        echo "Password Must Be 8 or More Characters.";
    } elseif ( strlen( $password_again ) < 8 ) {
        echo "Password again Must Be 8 or More Characters.";
    } elseif ($password !== $password_again) {
        echo "Password and Password again must match.";
    } else {
        require( 'database.php' );

        // Define a query to run
        $query = "UPDATE `user` SET `password` = '$pass' AND `salt_password` = '$salt' WHERE `username` = '$username'";

        // Query the database
        $result = mysqli_query($con,$query);

        // Check if the query failed
        if( !$result ) {
            die('There was a problem executing the query ('.$query.'):<br>('.mysqli_errno($con).') '.mysqli_error($con));
        } else {
            echo 'Password has been changed';
        }
    }
}

include('includes/overall/footer.php');

// Close the connection
mysqli_close($con);
?>
```

Thanks for your help again

mac_gyver, posted September 9, 2014

just because an update query runs without any errors, doesn't mean that it actually updated the row, if the WHERE clause is false. you should also be testing if the number of rows updated is greater than zero.

to debug the problem of why the update query isn't updating the data, have you echoed the $query variable so that you know it contains what you expect?

Jacques1, posted September 9, 2014

There's a misplaced AND in the UPDATE query.

Paul_Withers (Author), posted September 9, 2014

Thanks Jacques

```php
$query = "UPDATE `user` SET `password` = '$pass', `salt_password` = '$salt' WHERE `username` = '$username'";
```

Is the correct query

jazzman1, posted September 9, 2014

You need to set the second parameter of md5() hash function to false rather than true (or you could omit it entirely). For more information check out the manual of the function.

```php
$pass = md5($_POST['password'].$salt,true);
// must be
$pass = md5($_POST['password'].$salt,false);
// or
$pass = md5($_POST['password'].$salt);
```

Your update statement is now correct.
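
The password-change step discussed in this thread, as an added example that is not part of any post above and is not the posters' code. It swaps the thread's md5()-plus-salt scheme for PHP's built-in password_hash()/password_verify(), uses a prepared statement, and checks the affected-row count as mac_gyver suggests. Assumptions: `changePassword()` is a hypothetical helper, and PDO with an in-memory SQLite database stands in for the thread's mysqli connection so the block runs without a server.

```php
<?php
// Added example. Hypothetical helper; the table layout and sample rows are constructed.
function changePassword(PDO $db, string $username, string $password, string $passwordAgain): string
{
    // Validate the plaintext, not a hash of it: an md5() hex string is always
    // 32 characters long, so a length check on the hash can never fail.
    if (strlen($password) < 8) {
        return 'Password must be 8 or more characters.';
    }
    if ($password !== $passwordAgain) {
        return 'Password and Password again must match.';
    }

    // password_hash() generates a random salt and embeds it in the returned
    // string, so a separate salt column is not needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders keep the values out of the SQL text, so a binary or
    // quote-containing value cannot change the statement.
    $stmt = $db->prepare('UPDATE user SET password = :hash WHERE username = :username');
    $stmt->execute([':hash' => $hash, ':username' => $username]);

    // A query that runs without error may still have matched no row.
    if ($stmt->rowCount() < 1) {
        return 'No account was updated.';
    }
    return 'Password has been changed';
}

// Constructed sample data: one user in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO user (username, password) VALUES ('paul', 'old-value')");

echo changePassword($db, 'paul', 'short', 'short'), PHP_EOL;
echo changePassword($db, 'nobody', 'correct horse battery', 'correct horse battery'), PHP_EOL;
echo changePassword($db, 'paul', 'correct horse battery', 'correct horse battery'), PHP_EOL;

// Login side: password_verify() reads the salt back out of the stored hash.
$stored = $db->query("SELECT password FROM user WHERE username = 'paul'")->fetchColumn();
var_dump(password_verify('correct horse battery', $stored));
```

With a MySQL server, only the PDO connection string changes; the prepared statement and the row-count check stay the same.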
Archived
This topic is now archived and is closed to further replies.