
I have a login system on my website and I'm trying to create a password reset. I have no problem with the registration or the login code, but the password change code does not work. Here are two examples that I tried (actual code):

<?php
    require_once("config.php");
    session_start();
    if(isset($_POST['submit'])) {

        include_once 'config.php';

        $password = mysqli_real_escape_string($con, $_POST['password']);
        $password1 = mysqli_real_escape_string($con, $_POST['uc_pass1']);
        $password2 = mysqli_real_escape_string($con, $_POST['uc_pass2']);
        $uid = $_SESSION['s_id'];

        if ($password1 != $password2 || empty($password1) || empty($password2)) {
            header("Location: ../user-conf.php?pass=notmatching");
            exit();
        } else {
            $sql = "SELECT password FROM userdb WHERE username='$uid'";
            $result = mysqli_query($con, $sql);
            $resultCheck = mysqli_num_rows($result);

            if (!$resultCheck > 0) {
                header("Location: ../user-conf.php?error");
                exit();
            } else {
                $hashedPwdCheck = password_verify($password, $_SESSION['s_pw']);
                if ($hashedPwdCheck == false) {
                    header("Location: ../user-conf.php?error");
                    exit();
                } elseif ($hashedPwdCheck == true) {
                    $hashedPwd2 = password_hash($password1, PASSWORD_DEFAULT);
                    $sql2 = "INSERT INTO userdb (password) VALUES($hashedPwd2) WHERE username=$uid";
                    mysqli_query($con, $sql2);
                    header("Location: ../user-conf.php?pass=successfull");
                    exit();
                }
            }
        }
    } else {
        header("Location: ../login.php?nologon");
    }
?>

And the other one is below.

<?php
    require_once("config.php");
    session_start();
    if(isset($_POST['submit'])) {

        include_once 'config.php';

        $password = mysqli_real_escape_string($con, $_POST['password']);
        $password1 = mysqli_real_escape_string($con, $_POST['uc_pass1']);
        $password2 = mysqli_real_escape_string($con, $_POST['uc_pass2']);
        $uid = $_SESSION['s_id'];

        if ($password1 != $password2 || empty($password1) || empty($password2)) {
            header("Location: ../user-conf.php?pass=notmatching");
            exit();
        } else {

            $hashedPwdCheck = password_verify($password, $_SESSION['s_pw']);
            if ($hashedPwdCheck == false) {
                header("Location: ../user-conf.php?error");
                exit();
            } elseif ($hashedPwdCheck == true) {
                $hashedPwd = password_hash($password1, PASSWORD_DEFAULT);
                $sql = "INSERT INTO userdb (password) VALUES($hashedPwd) WHERE username=$uid";
                mysqli_query($con, $sql);
                header("Location: ../user-conf.php?pass=successfull");
                exit();
            }
        }
    } else {
        header("Location: ../login.php?nologon");
    }
?>

I also tried with the UPDATE syntax, but it didn't seem to change the old password to the new one. It would be nice to know what I did wrong, so if you know please tell me and it will be appreciated! :)

4
  • And it does give me the ("?pass=successfull") as in it did complete everything correctly, but nothing changes in the table's password column. Also, in the HTML code, if you're wondering, uc_pass1 = (input for new pass) and uc_pass2 = (input for confirm pass). Nothing wrong there either, all working etc. Commented Sep 28, 2017 at 9:22
  • Do you want to insert or update? "INSERT INTO userdb (password) VALUES($hashedPwd) WHERE username=$uid" is a strange mix of both. Commented Sep 28, 2017 at 9:23
  • 2
    "It would be nice to know what I did wrong" - well, almost everything.. from relative redirects via header to not using parameterized queries.. are you new to this perhaps? The code you posted resembles year 1999 tutorials, the language and approach to these kind of tasks evolved, I'm not trying to criticize you, I'm simply wondering what your level is. There's room for improvement, I sincerely hope you'll progress your skills further, please don't take my comment as insulting or demeaning, we need to have good developers and someone has to tell you that you can and should improve. Commented Sep 28, 2017 at 9:29
  • Oh not at all! I've really never got any education for HTML or PHP coding yet, actually started trying it out maybe 2 weeks ago so every criticism is a plus! I'm sure to try improving on this. Commented Sep 28, 2017 at 9:48

1 Answer

2

99% sure that:

"INSERT INTO userdb (password) VALUES($hashedPwd2) WHERE username=$uid"

Should be:

"UPDATE userdb SET password = '$hashedPwd2' WHERE username='$uid'"

You are missing quotes around your PHP variable and the INSERT should be an UPDATE.


2 Comments

Oh god, I swear that I used that the first time but without the $uid, instead using the $_SESSION['s_id'] on the username. You totally made it work! Thanks a bunch for the answer! :)
No problem. Hope it helps. BTW, $uid should really be run through mysqli_real_escape_string() as well.
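
An added example (not code from the question or the answer) of the same password change written with bound parameters, so neither the username nor the password needs escaping and the stored hash is read from the database. It uses PDO with an in-memory SQLite database so it runs stand-alone; mysqli offers the same pattern through prepare() and bind_param(). The change_password() function, its return strings and the user "alice" are assumptions made for illustration.

```php
<?php
// Added example, not the asker's code. Table and column names follow the page;
// the in-memory SQLite database and the user "alice" are constructed sample data.
declare(strict_types=1);

function change_password(PDO $db, string $username, string $current,
                         string $new, string $confirm): string
{
    if ($new === '' || $new !== $confirm) {
        return 'notmatching';
    }
    // Read the stored hash from the database rather than trusting a session copy.
    $sel = $db->prepare('SELECT password FROM userdb WHERE username = ?');
    $sel->execute([$username]);
    $stored = $sel->fetchColumn();
    if ($stored === false || !password_verify($current, $stored)) {
        return 'error';
    }
    // The raw password goes to password_hash(); escaping it first would change it.
    $hash = password_hash($new, PASSWORD_DEFAULT);
    // UPDATE with bound parameters: no quoting, no string concatenation.
    $upd = $db->prepare('UPDATE userdb SET password = ? WHERE username = ?');
    $upd->execute([$hash, $username]);
    // Report success only if exactly one row was changed.
    return $upd->rowCount() === 1 ? 'successful' : 'error';
}

// Constructed demo data: one user whose password contains a quote character.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userdb (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO userdb (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash("old'pass", PASSWORD_DEFAULT)]);

// Wrong current password, mismatched confirmation, then a valid change.
var_dump(change_password($db, 'alice', 'wrong', 'n3w"pass', 'n3w"pass'));
var_dump(change_password($db, 'alice', "old'pass", 'n3w"pass', 'mismatch'));
var_dump(change_password($db, 'alice', "old'pass", 'n3w"pass', 'n3w"pass'));

// Check the new password, quotes included, against the hash now stored.
$sel = $db->prepare('SELECT password FROM userdb WHERE username = ?');
$sel->execute(['alice']);
var_dump(password_verify('n3w"pass', $sel->fetchColumn()));
```

Checking rowCount() before returning success addresses the symptom in the question, where the redirect reported success although the query had changed nothing.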
