  1. #1
    New Coder
    Join Date
    Aug 2015
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts

    User change password script HELP

    Hello, I'm trying to make a change password function for my logged in users. I thought this was fairly easy, but then things started to get too complicated for me, so I'm now hoping for someone willing to help me get this working...
    When I hit submit, it does nothing; this is what I have so far.

    I'm using sha256, and a salt, for crypting...

    Layout
    ------------------------------------
    Current password:
    New password:
    Re-type password:
    ------------------------------------


    Button itself
    "skift kode" means "change password" in Danish, just a heads up...
    loggedindex.php
    PHP Code:
     <<button type="button" href="skiftkodeord?id=activate" class="btn btn-primary">Skift Kodeord?</button> <a/> 


    Skiftkode.php
    PHP Code:
    <?php
    $connect = mysql_connect("******", "******", "******") or die(mysql_error());
    mysql_select_db("******", $connect);

    if($_GET['id'] == "activate") {

        echo "<form action='skiftkodeord?id=activate' method='POST' <center>";
        echo "Current password: <input type='text' name='curr_pass'><br/>
    New password: <input type='Password' name='new_pass'><br />
    Re-type password: <input type='Password' name='re_pass'><br/>
    <input type='submit' name='change_pass' value='Change'></center><br />";

        $cur_pass = $_POST['curr_pass'];
        $new_pass = $_POST['new_pass'];
        $re_pass = $_POST['re_pass'];
        $pass_ok = false;
    }

    if(isset($_POST['change_pass'])){

        $check = mysql_query("SELECT * FROM users WHERE username='".$username."'");
        $rows = mysql_num_rows($check);
        while($row = mysql_fetch_assoc($check)) {

            $get_pass = hash('sha256', $_POST['password'] . $row['salt']);
            for($round = 0; $round < 65536; $round++){
                $get_pass = hash('sha256', $get_pass . $row['salt']);

                if($get_pass === $row['password']){
                    $pass_ok = true;
                }
            }

            if($pass_ok) {
                if(strlen($new_pass) > 6) {
                    if($re_pass = $new_pass) {

                        /* Define a salt. */
                        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

                        //encrypt the new password
                        $new_pass = hash('sha256', $new_pass . $salt);
                        for($round = 0; $round < 65536; $round++){
                            $new_pass = hash('sha256', $new_pass . $salt);
                        }

                        //set the new password into database with a new salt
                        if($query = mysql_query("UPDATE users SET password='".$new_pass."' WHERE username='".$_SESSION['username']."'")) {
                            mysql_query("UPDATE users set salt='".$salt."' WHERE username='".$_SESSION['username']."'");
                            echo "Password changed.";
                        }
                    }else{
                        echo "New password does not match.";
                    }
                }else{
                    echo "New password must be longer than 6 characters.";
                }
            }else{
                echo "Your current password is incorrect to your real password.";
            }
        }
    }

    ?>

  • #2
    New Coder
    Join Date
    Aug 2015
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Okay, I got most of it fixed. My problem now is that it does not compare the current password with the one in the database, so I can simply type whatever I want in the "currently password field" and it still changes my password:

    skiftkode.php
    PHP Code:
    <?php
    $connect = mysql_connect("*****", "*****", "*****") or die(mysql_error());
    mysql_select_db("*****", $connect);

    if($_GET['id'] == "activate") {

        echo "<form action='skiftkodeord?id=activate' method='POST' <center>";
        echo "Current password: <input type='text' name='curr_pass'><br/>
    New password: <input type='Password' name='new_pass'><br />
    Re-type password: <input type='Password' name='re_pass'><br/>
    <input type='submit' name='change_pass' value='Change Password'></center><br />";

        $cur_pass = $_POST['curr_pass'];
        $new_pass = $_POST['new_pass'];
        $re_pass = $_POST['re_pass'];

    }

    if(isset($_POST['change_pass'])){

        $check = mysql_query("SELECT * FROM users WHERE username='".$username."'");
        $rows = mysql_num_rows($check);
        while($rows = mysql_fetch_assoc($check)) {

            $login_ok = false;
            $rows = $stmt->fetch();
            if($rows){
                $get_pass = hash('sha256', $_POST['password'] . $row['salt']);
                for($round = 0; $round < 65536; $round++){
                    $get_pass = hash('sha256', $get_pass . $row['salt']);
                }
                if($get_pass === $row['password']){
                    $login_ok = true;
                    $currently_pass = hash('sha256', $_POST['curr_pass'] . $row['salt']);
                    for($round = 0; $round < 65536; $round++){
                        $currently_pass = hash('sha256', $currently_pass . $row['salt']);
                    }
                }
            }
        }

        if($currently_pass == $get_pass){
            if(strlen($new_pass) >= 6) {
                if($re_pass = $new_pass) {

                    /* Define a salt. */
                    $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

                    //encrypt the new password
                    $new_pass = hash('sha256', $new_pass . $salt);
                    for($round = 0; $round < 65536; $round++){ $new_pass = hash('sha256', $new_pass . $salt); }

                    //set the new password into database with a new salt
                    if($query = mysql_query("UPDATE users SET password='".$new_pass."' WHERE username='".$_SESSION['user']['username']."'")) {
                        mysql_query("UPDATE users set salt='".$salt."' WHERE username='".$_SESSION['user']['username']."'");
                        echo "Password changed.";
                    }
                }else{
                    echo "New password does not match.";
                }
            }else{
                echo "New password must be longer than 6 characters.";
            }
        }else{
            echo "Your current password is incorrect to your real password.";
        }
    }

    ?>

  • #3
    New to the CF scene
    Join Date
    Aug 2015
    Posts
    9
    Thanks
    0
    Thanked 1 Time in 1 Post
    Your code looks too complicated for a simple script such as change password.

    If you are submitting the form on the same page, i.e. Skiftkode.php, what is form action='skiftkodeord?id=activate'? Why isn't it skiftcode.php?id=activate?

    Why are you posting variables under the form?
    $cur_pass = $_POST['curr_pass'];
    $new_pass = $_POST['new_pass'];
    $re_pass = $_POST['re_pass'];

    Just write a simple code

    -----------------------------------------------

    <?php
    db connection check code;

    <form action='skiftkode.php?id=activate' method='POST'>

    old password field
    new password
    confirm password

    submit button
    </form>

    if(isset($_REQUEST['submit'])
    {
    $old_pass=$_REQUEST['old password field'];

    // use db code to check with current password under logged in user name

    if(old password= db password)
    {
    $new password=$_REQUEST['new password field'];
    $confirm password=$_REQUEST['confirm password field'];
    if($new password==$confirm password)
    {
    update db query with db password= new password
    }
    else
    {
    error message;
    }
    }
    else
    {
    error message;
    }
    // end of code
    --------------------------------------------------------------
    something like this.

  • #4
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    7,186
    Thanks
    0
    Thanked 718 Times in 707 Posts
    Why not use the password functions that PHP provides that will automatically rehash the password when a more secure hashing routine becomes necessary?

    Also use == or === for comparison.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • #5
    New Coder
    Join Date
    Aug 2015
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts
    felgall: Because I find sha256 enough security for my type of website. It even includes a salt, so I think it should be enough. Maybe in the future I'll make it more secure, but sha256 and a salt for now.


    scotv, thanks for your message, but because my passwords are hashed with sha256 and a salt, I need my function to check if the user's "current password" matches the hashed password in my database. The function you gave here does not include a function to check for hashed passwords and salt; it just checks if the user's actual password is exactly the same as the one set in the database, like "Mypass", then it should say "Mypass" in the db for your function to work, but in my case my password is hashed, so I can't do that :/...

  • #6
    New Coder
    Join Date
    Aug 2015
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Anyone who can help adding this?
    - I'm still new at coding PHP, learning bit by bit, so please don't rag me if my code is totally wrong; instead tell me what's wrong so I can learn from it. Sincerely, Xines.

    Sharing is caring.

  • #7
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    7,186
    Thanks
    0
    Thanked 718 Times in 707 Posts
    Quote Originally Posted by Xines View Post
    felgall: Because I find sha256 enough security for my type of website. It even includes a salt, so I think it should be enough. Maybe in the future I'll make it more secure, but sha256 and a salt for now.
    Why are you trying to reinvent the wheel and making it square rather than round?

    Forget about what hashing the passwords use and just call the password functions to do it for you.

    Once you start using the right tools for the job then it will be much easier to help you.
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.
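
The change-password flow from this thread written with the PHP password functions felgall refers to, as an added example that is not part of any post: `password_verify()` checks the current password and `password_hash()` stores the new one. The in-memory SQLite database, the `changePassword()` helper and the sample user are assumptions made so the script runs on its own; only the `users` table with its `username` and `password` columns comes from the posts.

```php
<?php
// Added example, not code from the thread. Assumes PHP 5.5+ with pdo_sqlite.
// changePassword() and the user "xines_demo" are hypothetical; in the real page
// the username would come from the logged-in session, never from the form.

function changePassword(PDO $db, $username, $current, $new, $confirm)
{
    // Prepared statement: the username is bound, not concatenated into the SQL.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();

    // password_verify() re-derives the hash from the salt and cost that
    // password_hash() embedded in the stored string: no separate salt column.
    if ($stored === false || !password_verify($current, $stored)) {
        return 'Your current password is incorrect.';
    }
    if (strlen($new) <= 6) {
        return 'New password must be longer than 6 characters.';
    }
    if ($new !== $confirm) {   // a comparison (!==), not an assignment (=)
        return 'New password does not match.';
    }

    // A single UPDATE: algorithm, cost and a fresh random salt are all in the hash.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE username = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $username]);
    return 'Password changed.';
}

// Constructed demo data so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['xines_demo', password_hash('old-secret', PASSWORD_DEFAULT)]);

// Wrong current password, mismatched confirmation, then a valid change.
echo changePassword($db, 'xines_demo', 'wrong-guess', 'new-secret-1', 'new-secret-1'), "\n";
echo changePassword($db, 'xines_demo', 'old-secret', 'new-secret-1', 'new-secret-2'), "\n";
echo changePassword($db, 'xines_demo', 'old-secret', 'new-secret-1', 'new-secret-1'), "\n";
// After the change, the old password is checked against the new hash.
echo changePassword($db, 'xines_demo', 'old-secret', 'another-secret', 'another-secret'), "\n";
```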

  • #8
    New Coder
    Join Date
    Aug 2015
    Posts
    12
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by felgall View Post
    Why are you trying to reinvent the wheel and making it square rather than round?
    Because sir, without "reinventions" your phone would not even have a calculator built inside...

    - Instead of pointing the negatives at me, how about you post if you actually want to help, instead of telling me just to get the "right tools for the job".
    - I'm still new at coding PHP, learning bit by bit, so please don't rag me if my code is totally wrong; instead tell me what's wrong so I can learn from it. Sincerely, Xines.

    Sharing is caring.

