
Password Change, 500 Internal Server Error


Tom8001
Solved by Jacques1


Hi, I am coding a user settings panel and I have a functions.php file, which contains the change password code. However, when the form is submitted a 500 internal error is displayed.

 

Here is the code:

 

HTML Form

<?php

require('/includes/functions.php');
require('/includes/connect.php');

isLoggedIn();

$username = $_SESSION['username'];

if($_SERVER['REQUEST_METHOD'] == "POST")
{
 
    if($_POST['chgPwd'])
    {
     
        chgPwd();
        
    }
    
}

?>

<html>

    <title>User CP - <?php echo $username; ?></title>
    
    <body>
        
        <center>
            
            <font color='#ff0000'>
            
            <h1>Change your password</h1>
        
            <form action="" method="POST">
            
                Current password: <input type="password" name="password" placeholder="Current password" required /><br>
                New Password: <input type="password" name="npassword" placeholder="New password" required /><br>
                Confirm Password: <input type="password" name="cpassword" placeholder="Confirm password" required /><br>
                <br><input type="submit" name="chgPwd" value="Update Password" />
                
            </form>
                
            </font>

Change Password Code

function chgPwd() {
 
    require('connect.php');
    $username = $_SESSION['username'];
    
    $password = $_POST['password'];
    $npassword = $_POST['npassword'];
    $cpassword = $_POST['cpassword'];
    
    $sql = "SELECT password FROM users WHERE password = :p";
    $sql->bindParam(':p', $password, PDO::PARAM_STR, 255);
    $sql->execute();
    $fetch = $handler->fetch();
    
    if($cpassword !== $cpassword)
    {
     
        echo "Passwords do not match!";
        
    }
    
    if(password_verify($password, $fetch['password']))
    {
     
        $pass_isok = 1;
        
    } else {
     
        $pass_isok = 0;
    }
    
    if($pass_isok == 1)
    {
        
        $enc_password = password_hash($cpassword, PASSWORD_BCRYPT);
        
        $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'";
        $sql->execute();
        
        if($sql)
        {
            echo "Password updated successfully!";       
            
        } else {
            
            echo "Error. Password could not be updated at this time, If this persists please contact support.";   
        }
        
    } else {
        
        echo "Your old password is incorrect!";
        
    }
}


Fatal error: Call to a member function bindParam() on string in C:\xampp\htdocs\adminpanel\includes\functions.php on line 48

 

And this is on localhost

 

That's what I got from error reporting. As for the Apache error log, I got the following:

[Mon Oct 19 21:51:58.437261 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:51:58.990292 2015] [core:warn] [pid 5092:tid 240] AH00098: pid file C:/xampp/apache/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Mon Oct 19 21:51:59.359309 2015] [ssl:warn] [pid 5092:tid 240] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:07.623749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00455: Apache/2.4.10 (Win32) OpenSSL/1.0.1i PHP/5.6.3 configured -- resuming normal operations
[Mon Oct 19 21:52:07.624749 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00456: Apache Lounge VC11 Server built: Jul 17 2014 11:50:08
[Mon Oct 19 21:52:07.624749 2015] [core:notice] [pid 5092:tid 240] AH00094: Command line: 'c:\\xampp\\apache\\bin\\httpd.exe -d C:/xampp/apache'
[Mon Oct 19 21:52:07.661750 2015] [mpm_winnt:notice] [pid 5092:tid 240] AH00418: Parent: Created child process 6096
[Mon Oct 19 21:52:08.682801 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:09.227829 2015] [ssl:warn] [pid 6096:tid 252] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
[Mon Oct 19 21:52:09.423839 2015] [mpm_winnt:notice] [pid 6096:tid 252] AH00354: Child: Starting 150 worker threads.

Thanks, I'm not getting errors now but it says the old password is incorrect

function chgPwd() {
 
    require('connect.php');
    $username = $_SESSION['username'];
    
    $password = $_POST['password'];
    $npassword = $_POST['npassword'];
    $cpassword = $_POST['cpassword'];
    
    $sql = $handler->prepare("SELECT password FROM users WHERE password = :p");
    $sql->bindParam(':p', $password, PDO::PARAM_STR, 255);
    $sql->execute();
    $fetch = $sql->fetch();
    
    if($cpassword !== $cpassword)
    {
     
        echo "Passwords do not match!";
        
    }
    
    if(password_verify($password, $fetch['password']))
    {
     
        $pass_isok = 1;
        
    } else {
     
        $pass_isok = 0;
    }
    
    if($pass_isok == 1)
    {
        
        $enc_password = password_hash($cpassword, PASSWORD_BCRYPT);
        
        $sql = "UPDATE users SET password = '$enc_password' WHERE username = '$username'";
        $sql->execute();
        
        if($sql >= 1)
        {
            echo "Password updated successfully!";       
            
        } else {
            
            echo "Error. Password could not be updated at this time, If this persists please contact support.";   
        }
        
    } else {
        
        echo "Your old password is incorrect!";
        
    }
}

That's the code updated


  • Solution

Your code generally doesn't make a lot of sense. What is the query

SELECT password FROM users WHERE password = 

supposed to do? You take the submitted plaintext password and then try to find the exact same string in your database? Aren't your database passwords hashed?

 

I guess what you actually want is to get the password hash(!) for the provided username:

SELECT password FROM users WHERE username = :username

It might be a good idea to rename the column "password" to "password_hash" to avoid this confusion in the future.

 

You have a lot of other weird parts in your code, so I strongly recommend you go through this line by line and carefully test each part with var_dump(). Don't just write down one big block of code and test it afterwards, because this makes debugging much harder.
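
The flow described in the answer above, as an added example that is not part of the original thread: look up the stored hash by username, check it with password_verify(), and write the new hash back through a prepared statement. The `changePassword()` function, the `password_hash` column name (the rename the answer suggests), the in-memory SQLite database and the sample user are assumptions made for illustration.

```php
<?php
// Added example, not the thread's code. Assumes the pdo_sqlite extension is enabled.
function changePassword(PDO $db, $username, $current, $new, $confirm)
{
    // Compare the new password with its confirmation and stop on mismatch.
    if ($new !== $confirm) {
        return 'Passwords do not match!';
    }

    // Fetch the stored hash for this user; never search by the plaintext password.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();

    // password_verify() re-hashes $current using the salt and cost stored in $hash.
    if ($hash === false || !password_verify($current, $hash)) {
        return 'Your old password is incorrect!';
    }

    // Hash the new password and bind both values instead of interpolating them.
    $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE username = :username');
    $stmt->execute([
        ':hash'     => password_hash($new, PASSWORD_BCRYPT),
        ':username' => $username,
    ]);

    return $stmt->rowCount() === 1
        ? 'Password updated successfully!'
        : 'Error. Password could not be updated at this time.';
}

// Constructed demo data: one user in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['tom', password_hash('old-secret', PASSWORD_BCRYPT)]);

// Wrong current password, mismatched confirmation, then a valid change.
echo changePassword($db, 'tom', 'wrong-guess', 'n3w-secret', 'n3w-secret'), PHP_EOL;
echo changePassword($db, 'tom', 'old-secret', 'n3w-secret', 'typo'), PHP_EOL;
echo changePassword($db, 'tom', 'old-secret', 'n3w-secret', 'n3w-secret'), PHP_EOL;
```

Because bcrypt salts every hash, a `WHERE password = :p` lookup on the plaintext can never match a stored hash, which is why the lookup key has to be the username.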
