Tom10 Posted February 22, 2015 (edited)

Hi, I'm making a change password script which works fine, it changes the password, but I want to check the old password before setting a new one and it keeps saying the old password is incorrect. Here is my script:

```php
if(isset($_POST['updatepass']))
{
    $currentpass = $_POST['oldpassword'];
    $newpass = $_POST['newpassword'];
    $cpass = $_POST['cpassword'];

    $currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
    $currentpass = mysqli_real_escape_string($con, $currentpass);
    $currentpass = strip_tags($currentpass, ENT_QUOTES);
    $currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $currentpass = htmlentities($currentpass, ENT_QUOTES);

    $newpass = htmlspecialchars($newpass, ENT_QUOTES);
    $newpass = mysqli_real_escape_string($con, $newpass);
    $newpass = strip_tags($newpass, ENT_QUOTES);
    $newpass = filter_var($newpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $newpass = htmlentities($newpass, ENT_QUOTES);

    $cpass = htmlspecialchars($cpass, ENT_QUOTES);
    $cpass = mysqli_real_escape_string($con, $cpass);
    $cpass = strip_tags($cpass, ENT_QUOTES);
    $cpass = filter_var($cpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
    $cpass = htmlentities($cpass, ENT_QUOTES);

    $cpass = hash('ripemd128', $cpass);
    $currentpass = hash('ripemd128', $cpass);

    $oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";
    $opwd = mysqli_query($con, $oldpasswd);

    if($currentpass != $password)
    {
        die("Your old password is not correct.");
    }
    else
    {
        $query = "UPDATE users SET password='$cpass' WHERE username='$username'";
        $UPDATE = mysqli_query($con, $query);

        if($UPDATE === TRUE)
        {
            echo "<div style='color: red; font-family: sans-serif; font-size: 18px;'>Your password has been updated!</div>";
        }
        else
        {
            echo "Password could not be changed.";
            echo var_dump($UPDATE);
        }
    }
}
```

All help is very much appreciated.

Edited February 22, 2015 by Tom10

Ch0cu3r Posted February 22, 2015

Why are you doing this to the passwords?

```php
$currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
$currentpass = mysqli_real_escape_string($con, $currentpass);
$currentpass = strip_tags($currentpass, ENT_QUOTES);
$currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
$currentpass = htmlentities($currentpass, ENT_QUOTES);
```

This is not needed. There is no need to sanitize the password provided by the user. You should convert it to a hash as soon as you get their password. The hash will only contain alphanumeric characters.

Shouldn't you be passing $currentpass to the hash function here?

```php
$currentpass = hash('ripemd128', $cpass);
```

Where is the variable $password defined?

```php
$oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";
```

You only have variables called $cpass, $currentpass and $newpass defined

Tom10 (Author) Posted February 22, 2015

Sorry $cpass is confirming the new password

wleorule Posted February 22, 2015 (edited)

There is no variable called $password. I think you can do it this way:

```php
$cpass = hash('ripemd128', $cpass);
$currentpass = hash('ripemd128', $cpass);

$oldpasswd = "SELECT COUNT(password) FROM users WHERE username='$username' AND password='$currentpass'";

// We check if there is user with that username and password (old password)
$opwd = mysqli_query($oldpasswd, $con);
$result = mysql_result($opwd, 0);

// If result is = to 1 then old password is correct
if($result != 1)
{
    die("Your old password is not correct.");
}
else
{
    ....
```

Hope that helps

Edited February 22, 2015 by wleorule

Tom10 (Author) Posted February 22, 2015

Also in my register.php page I just did what you said

```php
$currentpass = hash('ripemd128', $currentpass);
$newpass = hash('ripemd128', $newpass);
$cpass = hash('ripemd128', $cpass);
```

but I have

```php
if(strlen($username) <3 || strlen($username) >30)
{
    die("Your username must be 3 - 30 characters.");
}
else if(strlen($password) <3 || strlen($password) >30)
{
    die("Your password must be 3 - 30 characters.");
}
```

And because the password is hashed it's bigger than 30

Tom10 (Author) Posted February 22, 2015

> There is no variable called $password
>
> ```php
> $cpass = hash('ripemd128', $cpass);
> $currentpass = hash('ripemd128', $cpass);
>
> $oldpasswd = "SELECT COUNT(password) FROM users WHERE username='$username' AND password='$currentpass'";
>
> // We check if there is user with that username and password (old password)
> $opwd = mysqli_query($oldpasswd, $con);
> $result = mysql_result($opwd, 0);
>
> // If result is = to 1 then old password is correct
> if($result != 1)
> {
>     die("Your old password is not correct.");
> }
> else
> {
>     ....
> ```
>
> Hope that helps

Thanks man, I'll try it in a sec

Tom10 (Author) Posted February 22, 2015

Doesn't work mate, thanks a lot though, I appreciate any help

wleorule Posted February 22, 2015

Add your hash function after ELSE IF loop like this:

```php
if(strlen($username) <3 || strlen($username) >30)
{
    die("Your username must be 3 - 30 characters.");
}
else if(strlen($password) <3 || strlen($password) >30)
{
    die("Your password must be 3 - 30 characters.");
}
else
{

}
```

Tom10 (Author) Posted February 22, 2015

Okay forget my register.php page turns out the server needed time to update the file

wleorule Posted February 22, 2015

Add your hash function after IF LOOP (don't hash password until you check its raw length), like this:

```php
if(strlen($username) <3 || strlen($username) >30)
{
    die("Your username must be 3 - 30 characters.");
}
else if(strlen($password) <3 || strlen($password) >30)
{
    die("Your password must be 3 - 30 characters.");
}

// Now I will hash $password
$password = hash('ripemd128', $password);
```

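The two checks discussed in this thread (verify the old password before updating, and length-check the raw password before hashing it), as an added example that is not part of any post above. It swaps the thread's unsalted `hash('ripemd128', ...)` for PHP's `password_hash()`/`password_verify()` and the interpolated SQL for bound parameters; the `changePassword()` function, the in-memory SQLite database standing in for the MySQL connection, and the sample user are assumptions made so the script runs offline, while the `users(username, password)` layout is taken from the thread.

```php
<?php
// Added example: verify the old password, then store the new one.
// Assumptions: PDO + in-memory SQLite stands in for the thread's MySQL
// connection; users(username, password) is the thread's table layout.

function changePassword(PDO $db, string $username, string $old, string $new, string $confirm): string
{
    // Length rule from the thread, applied to the raw password, never the hash.
    if (strlen($new) < 3 || strlen($new) > 30) {
        return 'Your password must be 3 - 30 characters.';
    }
    if (!hash_equals($new, $confirm)) {
        return 'New passwords do not match.';
    }

    // Bound parameters: no escaping or HTML encoding of the password is needed.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    // Compare the submitted old password against the stored salted hash.
    if ($stored === false || !password_verify($old, $stored)) {
        return 'Your old password is not correct.';
    }

    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return 'Your password has been updated!';
}

// Constructed sample data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['tom', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong old password, then a successful change, then a too-short new password.
echo changePassword($db, 'tom', 'wrong-guess', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($db, 'tom', 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($db, 'tom', 'n3w-secret', 'x', 'x'), PHP_EOL;
```

Because `password_hash()` salts each hash, the stored value cannot be matched with `WHERE password = ...`; the row is fetched by username and compared with `password_verify()`.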