Member Avatar for nanakumi75

I used similar process for users to update username and email, but password is giving me a headache

<?php
        if(isset($_SESSION['id'])){
          if(isset($_POST['change_password_submit'])){
             $usersId = $_SESSION['id'];
             include 'includes/dbh.inc.php';//connection to database
            $currentpassword = $_POST['currentpassword'];
            $newpassword = $_POST['newpassword']; 
            $newpasswordagain = $_POST['newpasswordagain'];
            $currentHash = password_hash($currentpassword,PASSWORD_DEFAULT);
            $newHash = password_hash($newpassword,PASSWORD_DEFAULT);

            if(empty($currentpassword)){
            echo '<p id="sorry">Please enter your current password</p>';        
            }
             if(empty($newpassword)){
                echo '<p id="sorry">Choose a new password!</p>'; 
             }
             if(strlen($newpassword)<6){
                 echo '<p id="sorry">Password cannot be less than 6 characters!</p>';
             }
             if(!preg_match("#[0-9]+#",$newpassword)){
                 echo '<p id="sorry">Password should have at least one number!</p>';
             }
             if(!preg_match("#[A-Z]+#",$newpassword)){
                 echo '<p id="sorry">Password should have at least one UpperCase letter!</p>';
             }
             if(!preg_match("#[\W]+#",$newpassword)){
                 echo '<p id="sorry">Password must have at least one special character!</p>';
             }
             if(empty($newpasswordagain)){
                 echo '<p id="sorry">Please repeat new password!</p>';
             }
             if($newpasswordagain !== $newpassword){
                 echo '<p sorry">Password does not match!</p>';
             }
             $sql = "SELECT * FROM users WHERE usersPassword=? AND usersID=?";
             $stmt = mysqli_stmt_init($conn);
             if(!mysqli_stmt_prepare($stmt,$sql)){
                 echo '<p id="sorry">Cannot connect to database!</p>';
             }else{
                 mysqli_stmt_bind_param($stmt,"ss",$currentHash,$usersId);
                 mysqli_stmt_execute($stmt);
                 $action = mysqli_stmt_get_result($stmt);
                 if($row = mysqli_fetch_assoc($action)){
                     if(password_verify($row['usersPassword'],$currentHash) == true){
                        $sql = "UPDATE users SET usersPassword=? WHERE usersID=?";
                        $stmt = mysqli_stmt_init($conn);
                        if(!mysqli_stmt_prepare($stmt,$sql)){
                            echo '<p id="sorry">Cannot connect to database!</p>';
                        }else{
                            mysqli_stmt_bind_param($stmt,"ss",$newHash,$usersId);
                            mysqli_stmt_execute($stmt);
                            echo '<p id="success">Password Change is successful!</p>';
                        }
                     }else if(password_verify($row['usersPassword'],$currentHash)== false){
                         echo '<p id="sorry">Current Password is wrong!</p>';
                     }
                 }
             }
             mysqli_stmt_close($stmt);
             mysqli_close($conn);
          } 
        }
        ?>

html form is this

<form action="https://marksmandigital.net/change_password.php" method="post">
    <div class="form-row">
     <div class="form-group col-md-12">
       <input type="password" name="currentpassword" class="form-control" placeholder="Enter Current Password">
     </div>
    </div>
    <div class="form-row">
     <div class="form-group col-md-12">
       <input type="password" name="newpassword" class="form-control" placeholder="Enter new Password">
     </div>
    </div>
    <div class="form-row">
     <div class="form-group col-md-12">
       <input type="password" name="newpasswordagain" class="form-control" placeholder="Enter new password again">
     </div>
    </div>
    <div class="form-row">
     <div class="form-group col-md-12">
       <input type="submit" name="change_password_submit" class="form-control btn btn-success" value="Save New Password">
     </div>
    </div>
    </form>

Thanks for your eagle eyes

  • 3 Contributors
  • 5 Replies
  • 586 Views
  • 2 Days Discussion Span
  • Latest Post Latest Post by nanakumi75
Member Avatar for pritaeas

What exactly is causing your headache? Explain your issue(s).

commented: The problem is that, the script runs, but password does not change +0
Member Avatar for nanakumi75

The problem is that, the script runs but password does not change. I don't get any error messages iether

Member Avatar for pritaeas

Debug your code. The simplest way is to echo something every step of the way, so you can see to where the code goes.

If you have a decent debugger, even better.

Member Avatar for Dani

He has a lot of echo statements in there already. Which ones are printed out?

Member Avatar for nanakumi75

I found a way around it. I realized that 

<?php
$row['usersPassword'];
$pwdHashed = password_hash($pwd,PASSWORD_DEFAULT);
 PASSWORD_VERIFY($pwdHashed,$row['usersPassword'] == true);// was actually false,
?>

Could not be verified. Because both gave different values when I created a dummy database.

The string is @Bmedia4000;

DBPass is :$2y$10$XP6TRhqkmrIFR4nheLReIuTaQJZKFiq/Qz4fDIV/F7y.P3gRfOzOO //hashed results from database
Hashed is :$2y$10$GLw2Dkd5ybnphlqgFo2SIePk2tlNXfutz7a708rRzJdUl9Zp78fh2 //hashed result not from database

Clearly ,the results were different.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.