Jump to content

Recommended Posts

Hi, i'm making a change password script which works fine, it changes the password but i want to check the old password before setting a new one and it keeps saying the old password is incorrect.

 

Here is my script:

if(isset($_POST['updatepass'])) {

	$currentpass = $_POST['oldpassword'];
	$newpass = $_POST['newpassword'];
	$cpass = $_POST['cpassword'];

	$currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
	$currentpass = mysqli_real_escape_string($con, $currentpass);
	$currentpass = strip_tags($currentpass, ENT_QUOTES);
	$currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$currentpass = htmlentities($currentpass, ENT_QUOTES);

	$newpass = htmlspecialchars($newpass, ENT_QUOTES);
	$newpass = mysqli_real_escape_string($con, $newpass);
	$newpass = strip_tags($newpass, ENT_QUOTES);
	$newpass = filter_var($newpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$newpass = htmlentities($newpass, ENT_QUOTES);

	$cpass = htmlspecialchars($cpass, ENT_QUOTES);
	$cpass = mysqli_real_escape_string($con, $cpass);
	$cpass = strip_tags($cpass, ENT_QUOTES);
	$cpass = filter_var($cpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$cpass = htmlentities($cpass, ENT_QUOTES);

	$cpass = hash('ripemd128', $cpass);
	
	$currentpass = hash('ripemd128', $cpass);

	$oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";

	$opwd = mysqli_query($con, $oldpasswd);

	if($currentpass != $password) {

		die("Your old password is not correct.");
		
	} else {

	$query = "UPDATE users SET password='$cpass' WHERE username='$username'";

	$UPDATE = mysqli_query($con, $query);

	if($UPDATE === TRUE) {

		echo "<div style='color: red; font-family: sans-serif; font-size: 18px;'>Your password has been updated!</div>";

	} else {

		echo "Password could not be changed.";

		echo var_dump($UPDATE);
	}
	
	
	}

}
All help is very much appreciated 
Edited by Tom10
Link to comment
https://forums.phpfreaks.com/topic/294799-problem-checking-old-password/
Share on other sites

Why are you doing this to the passwords?

	$currentpass = htmlspecialchars($currentpass, ENT_QUOTES);
	$currentpass = mysqli_real_escape_string($con, $currentpass);
	$currentpass = strip_tags($currentpass, ENT_QUOTES);
	$currentpass = filter_var($currentpass, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
	$currentpass = htmlentities($currentpass, ENT_QUOTES);

This is not needed. There is no need to sanitize the password provided by the user. You should convert it to a hash as soon as you get their password. The hash will only contain alphanumeric characters.

 

Shouldn't you be passing $currentpass to the hash function here?

$currentpass = hash('ripemd128', $cpass);

Where is the variable $password defined?

$oldpasswd = "SELECT password FROM users WHERE username='$username' AND password='$password'";

You only have variables called $cpass, $currentpass and $newpass defined

There is no variable called

$password

I think you can do it this way:

   $cpass = hash('ripemd128', $cpass);
   $currentpass = hash('ripemd128', $cpass);

   $oldpasswd = "SELECT COUNT(password) FROM users WHERE username='$username' AND password='$currentpass'";
   // We check if there is user with that username and password (old password)
   $opwd = mysqli_query($oldpasswd, $con);
   $result = mysql_result($opwd, 0); // If result is = to 1 then old password is correct 

   if($result != 1) {
        die("Your old password is not correct.");
    } else {
   ....

Hope that helps :)

Edited by wleorule
  • Like 1

Also in my register.php page i just did what you said 

$currentpass = hash('ripemd128', $currentpass);
$newpass = hash('ripemd128', $newpass);
$cpass = hash('ripemd128', $cpass);

but i have

if(strlen($username) <3 || strlen($username) >30) {

		die("Your username must be 3 - 30 characters.");

	} else if(strlen($password) <3 || strlen($password) >30) {

		die("Your password must be 3 - 30 characters.");
	}

And because the password is hashed it's bigger than 30

There is no variable called

$password
   $cpass = hash('ripemd128', $cpass);

    

    $currentpass = hash('ripemd128', $cpass);



    $oldpasswd = "SELECT COUNT(password) FROM users WHERE username='$username' AND password='$currentpass'";
    // We check if there is user with that username and password (old password)



    $opwd = mysqli_query($oldpasswd, $con);
    $result = mysql_result($opwd, 0); // If result id = to 1 then old password is correct 



    if($result != 1) {



        die("Your old password is not correct.");

        

    } else {
   ....

Hope that helps :)

Thanks man :), i'll try it in a sec

Add your hash function after ELSE IF loop like this:

 

 

    if(strlen($username) <3 || strlen($username) >30) {

        die("Your username must be 3 - 30 characters.");

    } else if(strlen($password) <3 || strlen($password) >30) {

        die("Your password must be 3 - 30 characters.");
    }
  else
  {
 
 }

 

  • Like 1

Add your hash function after IF LOOP (don't hash password until you check its raw lenght), like this:

 

 

   if(strlen($username) <3 || strlen($username) >30) {

        die("Your username must be 3 - 30 characters.");

    } else if(strlen($password) <3 || strlen($password) >30) {

        die("Your password must be 3 - 30 characters.");
    }
 
    // Now I will hash $password 
    $password = hash('ripemd128', $password);
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.