...

View Full Version : password checking problems



Smudly
06-17-2010, 11:25 PM
I'm creating a profile page that allows users to change their first name, last name, email or password.

Everything is working fine, except the password part.

On one of the else statements, it says "Old passwords do not match".

That is the message i get when I try changing the password. It could be an MD5 error

MySQL version: 5.0.19
I'm not getting any mysql errors

Here's the code:

<?php

session_start();
include('inc/connect.php');

$username = $_SESSION['username'];

if ($username)
{
//if user is logged in

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."'");
$row = mysql_fetch_assoc($sql);

$fname = $row['fname'];
$lname = $row['lname'];
$email = $row['email'];
$edit = ($_POST['edit']);

// Edit variables
$fnamenew = ucfirst(strip_tags($_POST['fname']));
$lnamenew = ucfirst(strip_tags($_POST['lname']));
$emailnew = strip_tags($_POST['email']);
$password = strip_tags(md5($_POST['password']));
$passwordnew = strip_tags(md5($_POST['passwordnew']));
$passwordconf = strip_tags(md5($_POST['passwordconf']));


if($edit){

// check password against database

$oldpassworddb = $row['password'];

// check passwords
if($password==$oldpassworddb)
{
//check two new passwords
if($passwordnew==$passwordconf)
{
// success
// change password in database
$edit = "UPDATE users SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew', `password`='$passwordnew' WHERE username='$username'";
mysql_query($edit);

$fname = ucfirst(strip_tags($_POST['fname']));
$lname = ucfirst(strip_tags($_POST['lname']));
$email = strip_tags($_POST['email']);

$submitted = "Changes Submitted";


}
else
die("New Passwords Don't Match!");

}
else
die("Old Password doesn't match!");

}
}
else
header("Location: index.php");

?>

<html>
<head>
<title>Profile</title>
</head>
<body>

<form action="profile.php" method="POST">
Username: <input type="text" value="<?php echo $username; ?>" readonly="readonly"><br />
First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $fname; ?>"><br />
Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $lname; ?>"><br />
Email: <input type="text" maxlength="64" name="email" value="<?php echo $email; ?>"><br />
Password: <input type="password" maxlength="32" name="password"><br />
New Password: <input type="password" maxlength="32" name="passwordnew"><br />
Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />

<input type="submit" name="edit" value="Submit Changes">
<?php echo $submitted; ?>
</form>
</body>
</html>

Fou-Lu
06-17-2010, 11:29 PM
Before:


if($password==$oldpassworddb)

Add:


printf("\$password = %s, \$oldpassworddb = %s\n", $password, $oldpassworddb);

And post that result.

Zoic
06-17-2010, 11:29 PM
Well for one, you don't need to do strip_tags after something has been md5()'d

Fou-Lu
06-17-2010, 11:34 PM
Check the names of your variables.

You have $oldpassworddb in your if statement.

The names look fine to me:


$oldpassworddb = $row['password'];

// check passwords
if($password==$oldpassworddb)

Zoic
06-17-2010, 11:35 PM
Yeah... lol I just woke up, cut me some slack :P

Fou-Lu
06-17-2010, 11:38 PM
Yeah... lol I just woke up, cut me some slack :P

Hah, well I definitely know how that goes :o

Smudly
06-18-2010, 12:00 AM
Sorry about the wait.

I placed that code and get the following result:

$password = e63ecc8562f85d493f170a75412b22d0, $oldpassworddb = 0050c32551ba1a7f34ef07a68fe5efc5 Old Password doesn't match!

I got no mysql errors.

Fou-Lu
06-18-2010, 12:09 AM
The passwords just don't match, and the datatypes are fine (char32). How are you checking the password for login, can you post that too?

Smudly
06-18-2010, 12:11 AM
sure, here is login.php


<?php
$username = ucfirst($_POST['username']);
$password = $_POST['password'];


include('inc/connect.php');


if ($username&&$password)
{

$query = mysql_query("SELECT * FROM users WHERE username='$username'");

$numrows = mysql_num_rows($query);

if ($numrows!=0)
{

while ($row = mysql_fetch_assoc($query))
{
$dbusername = $row['username'];
$dbpassword = $row['password'];
$userid = $row['id'];


session_start();
$_SESSION['username'] = $username;
$_SESSION['userid'] = $userid;
}

// check to see if they match
if ($username==$dbusername&&md5($password)==$dbpassword)
{
//echo "You're In! <a href='member.php'>Click</a> here to enter the member page.";
$_SESSION['username']=$username;

header('Location:http://www.daobux.com/member.php');
}
else
echo "Incorrect Password!";

}
else
die("That user doesn't exist!");


}
else
die("Please fill out all fields!");


?>

Fou-Lu
06-18-2010, 12:29 AM
The login is flawed, the session will always be set regardless of if the password is valid. Only set these if the check is true.
Other than that, the password change should be ok. It was mentioned that strip tags needn't be done on hashed values, though leaving them shouldn't cause fault either (I'd remove). You're going to need to run some tests, but best I can see it should work for matching passwords which indicate that the passwords just don't match. Start by MD5 ing your actual password and update the db, then try again.

Smudly
06-18-2010, 12:54 AM
Alright, this is where I am at.

The login and password change is now working, however there are still a couple minor issues.

1. If the user doesn't want a new password, and they leave those 2 fields blank, the database sets their password as nothing, leaving an MD5 of their blank password. Not sure how to fix this.

2. If the user's current password doesn't match, it takes them to another page that says "Old Password Doesn't Match!". How can I set this error message so it appears on the same page next to my submit button?

Thanks much everyone!

Fou-Lu
06-18-2010, 01:21 AM
Use empty() to check if a new password is entered, an dynamically build sql on that condition or set the new password to equal the old before updating.
Capture errors in a variable and print them where desired. If its on another page, pass it with get or use a session.

On ps3 so can't codes

Smudly
06-18-2010, 02:29 AM
Alright thanks!

I tried using the empty as an if statement, but it's like it isn't even going through the script. It still gives the new password empty values.


if (empty($passwordnew)) {
$passwordnew = $oldpassworddb;
}

Jazz914
06-18-2010, 09:35 AM
why not just try ignoring the pass change if the field is left empty instead of creating another mysql connection which is unneeded.


<?php
if ($passwordnew != NULL) {
//then do the change password stuff
}
?>

This way, the password would only be changed if the user actually enters a password in the new password box

As for the errors:
You could various things, 2 common examples are:
- you could store them in arrays
- you could just echo them out on the same page.

Fou-Lu
06-18-2010, 03:29 PM
Null isn't the same as empty, but its the right idea. Empty will attempt to cast anything its given to a string and evaluate it as empty, and since null when cast to string is empty, empty will also return true for null, but an empty string will not equate to null.
Lol, less winded: null == '' when checking with empty(), but '' != null when checking $str == null.

Input fields will send an empty string across, not null. I actually wish they were since it would reduce complications; hashing null returns null, but hashing an empty string with md5 returns 'd41d8cd98f00b204e9800998ecf8427e'.
The empty check needs to be performed before you hash the value (either that or hash the value and compare it to md5(''), but that seems like a waste of resource to me).


<?php

session_start();
include('inc/connect.php');

$username = isset($_SESSION['username']) ? $_SESSION['username'] : '';
$curfname = '';
$curlname = '';
$curemail = '';

$aNotice = array();

if (!empty($username))
{
//if user is logged in

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='$username'");
$row = mysql_fetch_assoc($sql);

$curfname = $row['fname'];
$curlname = $row['lname'];
$curemail = $row['email'];
$curpassword = $row['password'];

if (isset($_POST['edit']))
{
// Edit variables
// You should validate these for any required fields. If you allow empty values, then this is fine. I'd allow all to be optional except email, so you may want to validate that with filter_var or regex
$fnamenew = mysql_real_escape_string(ucfirst(strip_tags($_POST['fname'])));
$lnamenew = mysql_real_escape_string(ucfirst(strip_tags($_POST['lname'])));
$emailnew = mysql_real_escape_string(strip_tags($_POST['email']));

// I would take a different approach to handling these with looping, but I won't overcomplicate things here.
$sUpdate = "UPDATE `users` SET `fname` = '$fnamenew', `lname` = '$lnamenew', `email` = '$emailnew'";

if (isset($_POST['passwordnew']) && !empty($_POST['passwordnew']))
{
$password = md5($_POST['password']);
$passwordnew = md5($_POST['passwordnew']);
$passwordconf = md5($_POST['passwordconf']);
if (strcmp($password, $curpassword) <> 0)
{
array_unshift($aNotice, 'Old password does not match!');
}
else if (strcmp($passwordnew, $passwordconf) <> 0)
{
array_unshift($aNotice, 'New passwords do not match!');
}
else
{
$sUpdate .= ", `password` = '$passwordnew'";
}

$sUpdate .= " WHERE `username` = '$username'";
// Here you can decide if you want the 'ok' values to be updated.
// Personally, I'd check on if errors have occured and only update if its clean
mysql_query($sUpdate) or die('Unable to execute query: ' . mysql_error());
array_unshift($aNotice, 'Changes Submitted.');
}
}

?>

<html>
<head>
<title>Profile</title>
</head>
<body>

<form action="profile.php" method="POST">
Username: <input type="text" value="<?php echo $username; ?>" readonly="readonly"><br />
First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $curfname; ?>"><br />
Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $curlname; ?>"><br />
Email: <input type="text" maxlength="64" name="email" value="<?php echo $curemail; ?>"><br />
Password: <input type="password" maxlength="32" name="password"><br />
New Password: <input type="password" maxlength="32" name="passwordnew"><br />
Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />

<input type="submit" name="edit" value="Submit Changes">
<?php
if (count($aNotice) > 0)
{
print '<div id="submission_notices">';
foreach ($aNotice AS $notice)
{
printf("<div>%s</div>\n", $notice);
}
print '</div>';
}
?>
</form>
</body>
</html>

Smudly
06-19-2010, 12:04 AM
Thank you so much for that code. It seems to work great (just had to add a missing bracket and it worked). Having a few issues though.

1. Unless the New Password fields are filled in, the user is unable to update their first name, last name or email.
2. If their new passwords don't match, the message "New passwords do not match!" comes up, as well as the message, "Changes Submitted".
3. Same as issue 2, except this happens ONLY if all passwords are filled in and the first password is typed in wrong. If this happens, they get the message "Old password does not match!" and "Changes Submitted".
4. If no passwords are filled in, the form acts like it submits the information, and gives no error message back to the user. (should say "Old password does not match!")
5. Once the fields are inputted correctly, it submits the information correctly into the database, however it does not update the status of the forms. So for example if they type their last name into the field, once the page refreshes and says "Changes Submitted", that field is left blank when it should contain their last name.

I am currently working on these issues to figure out how to fix them, but any input in the meantime would be awesome.

Thanks

Doesn't update fields with new information

Fou-Lu
06-19-2010, 02:18 AM
Oops I see it. 1-3 will be solved by putting the missing } just before $sUpdate .= " WHERE `username` = '$username'". For 4, are you sure thats what you want? That pretty much makes a password change mandatory. If so I'll give you new code next time at computer.
And for 5, add this after the final unshift


$curfname = $fnamenew;
$curlname = $lnamenew;
$curemail =*$emailnew;

Smudly
06-19-2010, 03:50 AM
I think I typed the 4th problem in a confusing way.
I want it so that it isn't mandatory to set a new password. I guess what I should do is have two sections. The top that allows them to change their first name, last name or email, but before they can change it they must type in their current password, then they can submit.
And the second part could be a password change. This would require them to have the Current Password field typed in correctly, and have two identical passwords in the "New Password" and "Confirm Password" fields.

If this simplifies things, I think this is what I'm aiming for.

Thanks so much. Your help is appreciated!



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum