Member Avatar for mexabet

I'm having an issue with coding a script that enables a logged in user to change his/her password. But when the form is submitted, a strange, blank page is displayed. There's no error message. Can you guys please, help me to resolve this issue? I'm not yet proficient in PHP and need all the insight I can get, to get my script to work fine. Here is the modifypass.php file:

<?php

    // configuration
    require("../includes/config.php"); 

    // if form was submitted
    if ($_SERVER["REQUEST_METHOD"] == "POST")
    {
        // validate submission
        if (empty($_POST["curpassword"]))
        {
            apologize("You must provide your current password.");
        }
        else if (empty($_POST["newpassword"]))
        {
            apologize("You must enter a desired new password.");
        }
        else if (empty($_POST["confirmation"]))
        {
            apologize("You must confirm your new password.");
        }

        // query database for user
        $rows = query("SELECT * FROM users WHERE username = ?", $_SESSION["id"]);

        // if we found user, check password
        if (count($rows) == 1)
        {
            // first (and only) row
            $row = $rows[0];

            // compare hash of user's input against hash that's in database
            if (crypt($_POST["curpassword"], $row["hash"]) != $row["hash"])
            {
                apologize("You must provide your valid current password");
            }
            else if ($_POST["newpassword"] != $_POST["confirmation"])
            {
                apologize("Your new password and confirmation don't match.");
            }
            else if (query("UPDATE users SET hash = (?) WHERE username = (?)", crypt($_POST["newpassword"]), $_POST["username"]) === false)
            {
                apologize("Password update failed.");
            }
            else
            {
                // remember that user's now logged in by storing user's ID in session
                $_SESSION["id"] = $row["id"];

                // update the user's password to the new one
                crypt($_POST["newpassword"], $row["hash"] = $row["hash"]);

                // redirect to portfolio
                redirect("/");
            }
        }
    }
    else
    {
        // else render form
        render("modifypass-form.php", ["title" => "Reset Password"]);
    }

?>

Here is the modifypass-form.php:

<div>
<a href="/">Home</a> | <a href="quote.php">Quote</a> | <a href="buy.php">Buy</a> | <a href="sell.php">Sell</a> | <a href="history.php">History</a> | <a href="logout.php">Sign Out</a> | <a href="resetpass.php">Modify Password</a>
</div>
<br/>
<br/>
<br/>
<form action="modifypass.php" method="post">
    <fieldset>
        <div class="form-group">
            <input autofocus class="form-control" name="curpassword" placeholder="Current Password" type="password"/>
        </div>
        <div class="form-group">
            <input class="form-control" name="newpassword" placeholder="New Password" type="password"/>
        </div>
        <div class="form-group">
            <input class="form-control" name="confirmation" placeholder="Confirmation" type="password"/>
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-default">Modify Password</button>
        </div>
    </fieldset>
</form>
<div>
    or <a href="register.php">register</a> for an account
</div>
  • 5 Contributors
  • 11 Replies
  • 342 Views
  • 3 Weeks Discussion Span
  • Latest Post Latest Post by cereal
Member Avatar for arunmagar

You can check this line, here is syntax error

render("modifypass-form.php", ["title" => "Reset Password"]);

1)Square bracket ( [ ,])
2)=>

Please check your render function second argument.

Member Avatar for mexabet

@arunmagar,
Sorry, but you don't know what you're talking about. There's no syntax error in the code section you pointed at.

Member Avatar for arunmagar

I don't know how it so? But when I check your modifypass.php for syntax error it gave me error.

Member Avatar for mexabet

@arunmagar,
There seems to be a syntax error somewhere else in the code, but not in the render portion (render("modifypass-form.php", ["title" => "Reset Password"]);), which you pointed.

Member Avatar for cereal

Hi,

It seems you're using some user defined functions: apologize(), query(), render() and redirect() are not PHP functions, so we cannot help much. Check the included file at the top of the script, it should contain those functions and the instructions on their results.

Anyway, on line 51 you wrote:

crypt($_POST["newpassword"], $row["hash"] = $row["hash"]);

if you're referring to the crypt() function in PHP then you need to save the result to a variable and then use an update query, also crypt takes two arguments: string and salt (which is optional), here should be:

crypt($_POST["newpassword"]);

Or for a compare:

crypt($_POST["newpassword"]) == $row["hash"];

But it seems your code just redirects after this action, it should be something like:

$newpwd = crypt($_POST["newpassword"]);
query("UPDATE ...", $newpwd);

But this seems already done in one of the elseif conditions:

else if (query("UPDATE users SET hash = (?) WHERE username = (?)", crypt($_POST["newpassword"]), $_POST["username"]) === false)

On line 31 you wrote:

if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"]))

You're using the hash as second argument of crypt, i.e. as salt, but this will always compare different unless $_POST["curpassword"] is blank. Correct version should be:

if(crypt($_POST["curpassword"]) != $row["hash"])

Docs:

Hope it helps!

@arunmagar

Hi, mexabet is correct, since PHP 5.4 you can use the short array syntax, as Python lists:

$a = ['a', 'b', 'c'];

Ref: http://www.php.net//manual/en/migration54.new-features.php

Edited by cereal
commented: Great insight! +3
Member Avatar for mexabet

@cereal;
A million thanks; I'll work on your suggestions and see what happens.

Member Avatar for arunmagar

@cereal
Thanks, Actully I am using old version of PHP

Member Avatar for mexabet

@diafol,
Thanks.

Member Avatar for kailashkhatri

thanks i will try this and see what happen....

Member Avatar for cereal

Sorry for the late update, but I realized I wrote something very wrong in my last post. I wrote:

On line 31 you wrote:

if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"]))

You're using the hash as second argument of crypt, i.e. as salt, but this will always compare different unless $_POST["curpassword"] is blank. Correct version should be:

if(crypt($_POST["curpassword"]) != $row["hash"])

but the OP crypt() implementation is correct. I don't know what I was thinking, my excuses for the wrong information.

As example test:

$post = 'secret';
$salt = '$5$rounds=5000$yd792hcQbEOMHmfi$'; # sha256

# generate hash
$row = crypt($post, $salt);

# check hash
echo crypt($post, $row) == $row ? 'true' : 'false';

Will return true. Bye.

commented: senior moment? heh heh - welcome to a very big club! +14
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.