Problem checking old password


Tom10

Hi, I'm making a change password script which works fine: it changes the password, but I want to check the old password before setting a new one and it keeps saying the old password is incorrect.

 

Here is my script:

if(isset($_POST['updatepass'])) {

	$currentpass = $_POST['oldpassword'];
	$newpass = $_POST['newpassword'];
	$cpass = $_POST['cpassword'];

	$currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
	$currentpass = mysqli_real_escape_string($con, $currentpass);
	$currentpass = strip_tags($currentpass, ENT_QUOTES);
	$currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$currentpass = htmlentities($currentpass, ENT_QUOTES);

	$newpass = htmlspecialchars($newpass, ENT_QUOTES);
	$newpass = mysqli_real_escape_string($con, $newpass);
	$newpass = strip_tags($newpass, ENT_QUOTES);
	$newpass = filter_var($newpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$newpass = htmlentities($newpass, ENT_QUOTES);

	$cpass = htmlspecialchars($cpass, ENT_QUOTES);
	$cpass = mysqli_real_escape_string($con, $cpass);
	$cpass = strip_tags($cpass, ENT_QUOTES);
	$cpass = filter_var($cpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$cpass = htmlentities($cpass, ENT_QUOTES);

	$cpass = hash('ripemd128', $cpass);
	
	$currentpass = hash('ripemd128', $cpass);

	$oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";

	$opwd = mysqli_query($con, $oldpasswd);

	if($currentpass != $password) {

		die("Your old password is not correct.");
		
	} else {

	$query = "UPDATE users SET password='$cpass' WHERE username='$username'";

	$UPDATE = mysqli_query($con, $query);

	if($UPDATE === TRUE) {

		echo "<div style='color: red; font-family: sans-serif; font-size: 18px;'>Your password has been updated!</div>";

	} else {

		echo "Password could not be changed.";

		echo var_dump($UPDATE);
	}
	
	
	}

}
All help is very much appreciated.

Why are you doing this to the passwords?

	$currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
	$currentpass = mysqli_real_escape_string($con, $currentpass);
	$currentpass = strip_tags($currentpass, ENT_QUOTES);
	$currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$currentpass = htmlentities($currentpass, ENT_QUOTES);

This is not needed. There is no need to sanitize the password provided by the user. You should convert it to a hash as soon as you get their password. The hash will only contain alphanumeric characters.

 

Shouldn't you be passing $currentpass to the hash function here?

$currentpass = hash('ripemd128', $cpass);

Where is the variable $password defined?

$oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";

You only have variables called $cpass, $currentpass and $newpass defined.

There is no variable called $password.

I think you can do it this way:

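   $cpass = hash('ripemd128', $cpass);
   // Hash the old password the user typed, not $cpass
   $currentpass = hash('ripemd128', $currentpass);

   $oldpasswd = "SELECT COUNT(password) FROM users WHERE username='$username' AND password='$currentpass'";
   // We check if there is a user with that username and password (old password)
   $opwd = mysqli_query($con, $oldpasswd); // mysqli_query() takes the connection first, then the query
   $row = mysqli_fetch_row($opwd); // mysql_result() belongs to the old mysql extension
   $result = $row[0]; // If result is equal to 1 then the old password is correct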

   if($result != 1) {
        die("Your old password is not correct.");
    } else {
   ....

Hope that helps :)

Also, in my register.php page I just did what you said:

$currentpass = hash('ripemd128', $currentpass);
$newpass = hash('ripemd128', $newpass);
$cpass = hash('ripemd128', $cpass);

but I have

if(strlen($username) <3 || strlen($username) >30) {

		die("Your username must be 3 - 30 characters.");

	} else if(strlen($password) <3 || strlen($password) >30) {

		die("Your password must be 3 - 30 characters.");
	}

And because the password is hashed it's bigger than 30.

Thanks man :), I'll try it in a sec

Add your hash function after ELSE IF loop like this:

 

 

    if(strlen($username) <3 || strlen($username) >30) {

        die("Your username must be 3 - 30 characters.");

    } else if(strlen($password) <3 || strlen($password) >30) {

        die("Your password must be 3 - 30 characters.");
    }
  else
  {
 
 }

 

Add your hash function after IF LOOP (don't hash password until you check its raw length), like this:

 

 

   if(strlen($username) <3 || strlen($username) >30) {

        die("Your username must be 3 - 30 characters.");

    } else if(strlen($password) <3 || strlen($password) >30) {

        die("Your password must be 3 - 30 characters.");
    }
 
    // Now I will hash $password 
    $password = hash('ripemd128', $password);
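
An added example, not part of any post in this thread: the old-password check done with password_hash()/password_verify() and prepared statements in place of the thread's unsalted hash('ripemd128', ...) compared inside the SQL string. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL connection (mysqli prepared statements follow the same pattern), change_password() is a hypothetical helper name, and the demo account is constructed.

```php
<?php
const MIN_LEN = 3;   // length limits used in the thread
const MAX_LEN = 30;

// Hypothetical helper: verifies the old password, then stores a new salted hash.
function change_password(PDO $db, string $username, string $old, string $new, string $confirm): string
{
    // Check the raw length before hashing; a hash always has a fixed length.
    if (strlen($new) < MIN_LEN || strlen($new) > MAX_LEN) {
        return "Your password must be 3 - 30 characters.";
    }
    if ($new !== $confirm) {
        return "The new passwords do not match.";
    }

    // Bound parameter: no escaping or sanitizing of the input is needed.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    // password_verify() re-hashes $old with the salt embedded in $stored,
    // so the comparison cannot be done in the WHERE clause.
    if ($stored === false || !password_verify($old, $stored)) {
        return "Your old password is not correct.";
    }

    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return "Your password has been updated!";
}

// Constructed demo data: the password contains characters that the
// htmlspecialchars()/strip_tags() chain in the question would have altered.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['tom', password_hash("old<pass>'1", PASSWORD_DEFAULT)]);

echo change_password($db, 'tom', 'wrong', 'newpass1', 'newpass1'), "\n";
echo change_password($db, 'tom', "old<pass>'1", 'newpass1', 'newpass1'), "\n";
echo change_password($db, 'tom', 'newpass1', 'x', 'x'), "\n";
```
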
