Tom8001 Posted October 19, 2015

Hi, I am coding a user settings panel and I have a functions.php file, which contains the change password code. However, when the form is submitted a 500 internal error is displayed. Here is the code:

Html Form

```php
<?php

require('/includes/functions.php');
require('/includes/connect.php');

isLoggedIn();

$username = $_SESSION['username'];

if($_SERVER['REQUEST_METHOD'] == "POST") {

    if($_POST['chgPwd']) {

        chgPwd();
    }
}

?>

<html>
<title>User CP - <?php echo $username; ?></title>
<body>
<center>
<font color='#ff0000'>
<h1>Change your password</h1>
<form action="" method="POST">
Current password: <input type="password" name="password" placeholder="Current password" required /><br>
New Password: <input type="password" name="npassword" placeholder="New password" required /><br>
Confirm Password: <input type="password" name="cpassword" placeholder="Confirm password" required /><br>
<br><input type="submit" name="chgPwd" value="Update Password" />
</form>
</font>
```

Change Password Code

```php
function chgPwd() {

    require('connect.php');

    $username = $_SESSION['username'];
    $password = $_POST['password'];
    $npassword = $_POST['npassword'];
    $cpassword = $_POST['cpassword'];

    $sql = "SELECT password FROM users WHERE password = :p";
    $sql->bindParam(':p', $password, PDO::PARAM_STR, 255);
    $sql->execute();
    $fetch = $handler->fetch();

    if($cpassword !== $cpassword) {

        echo "Passwords do not match!";
    }

    if(password_verify($password, $fetch['password'])) {

        $pass_isok = 1;
    } else {

        $pass_isok = 0;
    }

    if($pass_isok == 1) {

        $enc_password = password_hash($cpassword, PASSWORD_BCRYPT);
        $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'";
        $sql->execute();

        if($sql) {

            echo "Password updated successfully!";
        } else {

            echo "Error. Password could not be updated at this time, If this persists please contact support.";
        }
    } else {

        echo "Your old password is incorrect!";
    }
}
```

Jacques1 Posted October 19, 2015

So what does your error log say? If you don't have an error log, enable logging now and do it over.

lush_rainforest Posted October 19, 2015

500 error usually means you configured your .htaccess wrong.

Tom8001 Posted October 19, 2015 (edited)

```
Fatal error: Call to a member function bindParam() on string in C:\xampp\htdocs\adminpanel\includes\functions.php on line 48
```

And this is on localhost.

That's what I got from error reporting. As for the Apache error log, I got the following:

```
[Mon Oct 19 21:51:58.437261 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:51:58.990292 2015] [core:warn] [pid 5092:tid 240] AH00098: pid file C:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Oct 19 21:51:59.359309 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:07.623749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00455: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3 configured -- resuming normal operations
[Mon Oct 19 21:52:07.624749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00456: Apache Lounge VC11 Server built: Jul 17 2014 11:50:08
[Mon Oct 19 21:52:07.624749 2015] [core:notice] [pid 5092:tid 240] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache'
[Mon Oct 19 21:52:07.661750 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00418: Parent: Created child process 6096
[Mon Oct 19 21:52:08.682801 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:09.227829 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:09.423839 2015] [mpm_winnt:notice] [pid 6096:tid 252] AH00354: Child: Starting 150 worker threads.
```

Jacques1 Posted October 19, 2015

$sql is a string, so it doesn't have a bind_param() method. If you want a prepared statement, you need to create one with PDO::prepare().

Tom8001 Posted October 19, 2015

Thanks, I'm not getting errors now but it says the old password is incorrect.

```php
function chgPwd() {

    require('connect.php');

    $username = $_SESSION['username'];
    $password = $_POST['password'];
    $npassword = $_POST['npassword'];
    $cpassword = $_POST['cpassword'];

    $sql = $handler->prepare("SELECT password FROM users WHERE password = :p");
    $sql->bindParam(':p', $password, PDO::PARAM_STR, 255);
    $sql->execute();
    $fetch = $sql->fetch();

    if($cpassword !== $cpassword) {

        echo "Passwords do not match!";
    }

    if(password_verify($password, $fetch['password'])) {

        $pass_isok = 1;
    } else {

        $pass_isok = 0;
    }

    if($pass_isok == 1) {

        $enc_password = password_hash($cpassword, PASSWORD_BCRYPT);
        $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'";
        $sql->execute();

        if($sql >= 1) {

            echo "Password updated successfully!";
        } else {

            echo "Error. Password could not be updated at this time, If this persists please contact support.";
        }
    } else {

        echo "Your old password is incorrect!";
    }
}
```

That's the code updated.

Jacques1 Posted October 19, 2015 (Solution)

Your code generally doesn't make a lot of sense. What is the query

```sql
SELECT password FROM users WHERE password =
```

supposed to do? You take the submitted plaintext password and then try to find the exact same string in your database? Aren't your database passwords hashed?

I guess what you actually want is get the password hash(!) for the provided username:

```sql
SELECT password FROM users WHERE username = :username
```

It might be a good idea to rename the column "password" to "password_hash" to avoid this confusion in the future.

You have a lot of other weird parts in your code, so I strongly recommend you go through this line by line and carefully test each part with var_dump(). Don't just write down one big block of code and test it afterwards, because this makes debugging much harder.
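
Added example, not part of any post in this thread: the change-password flow that the accepted answer points toward, with the stored hash looked up by username, the submitted current password checked with password_verify(), and the new hash written through a prepared UPDATE instead of string interpolation. The `password_hash` column follows the rename suggested above; the function name `changePassword`, its return strings, and the in-memory SQLite database with constructed demo data are assumptions for illustration.

```php
<?php
// Added example; not code from the thread. Schema and names are assumptions.
declare(strict_types=1);

/** Change a user's password and return a status string instead of echoing. */
function changePassword(PDO $db, string $username, string $current,
                        string $new, string $confirm): string
{
    // Compare the two *new* password fields with each other.
    if ($new !== $confirm) {
        return 'mismatch';
    }

    // Fetch the hash by username; the plaintext never appears in the WHERE clause.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    // Same answer for "unknown user" and "wrong password".
    if ($hash === false || !password_verify($current, $hash)) {
        return 'bad_current';
    }

    // Bound parameters for the UPDATE as well, so neither value is
    // interpolated into the SQL text.
    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE username = :username');
    $stmt->execute([
        ':hash'     => password_hash($new, PASSWORD_BCRYPT),
        ':username' => $username,
    ]);

    return $stmt->rowCount() === 1 ? 'updated' : 'error';
}

// Constructed demo: in-memory SQLite stands in for the thread's $handler connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failures throw, not a silent 500
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['tom', password_hash('old-secret', PASSWORD_BCRYPT)]);

var_dump(changePassword($db, 'tom', 'wrong-guess', 'new-secret', 'new-secret'));
var_dump(changePassword($db, 'tom', 'old-secret', 'new-secret', 'typo-secret'));
var_dump(changePassword($db, 'tom', 'old-secret', 'new-secret', 'new-secret'));
var_dump(changePassword($db, 'tom', 'old-secret', 'x', 'x')); // old password no longer valid
```

Running it with the pdo_sqlite extension enabled shows each failure path and the successful update in turn.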

Tom8001 Posted October 19, 2015

Thanks, yeah, I got confused with the queries. Thanks everyone for the help, it's much appreciated.