0

I'm having an issue with coding a script that enables a logged in user to change his/her password. But when the form is submitted, a strange, blank page is displayed. There's no error message. Can you guys please, help me to resolve this issue? I'm not yet proficient in PHP and need all the insight I can get, to get my script to work fine. Here is the modifypass.php file:

<?php

    // configuration
    require("../includes/config.php"); 

    // if form was submitted
    if ($_SERVER["REQUEST_METHOD"] == "POST")
    {
        // validate submission
        if (empty($_POST["curpassword"]))
        {
            apologize("You must provide your current password.");
        }
        else if (empty($_POST["newpassword"]))
        {
            apologize("You must enter a desired new password.");
        }
        else if (empty($_POST["confirmation"]))
        {
            apologize("You must confirm your new password.");
        }

        // query database for user
        $rows = query("SELECT * FROM users WHERE username = ?", $_SESSION["id"]);

        // if we found user, check password
        if (count($rows) == 1)
        {
            // first (and only) row
            $row = $rows[0];

            // compare hash of user's input against hash that's in database
            if (crypt($_POST["curpassword"], $row["hash"]) != $row["hash"])
            {
                apologize("You must provide your valid current password");
            }
            else if ($_POST["newpassword"] != $_POST["confirmation"])
            {
                apologize("Your new password and confirmation don't match.");
            }
            else if (query("UPDATE users SET hash = (?) WHERE username = (?)", crypt($_POST["newpassword"]), $_POST["username"]) === false)
            {
                apologize("Password update failed.");
            }
            else
            {
                // remember that user's now logged in by storing user's ID in session
                $_SESSION["id"] = $row["id"];

                // update the user's password to the new one
                crypt($_POST["newpassword"], $row["hash"] = $row["hash"]);

                // redirect to portfolio
                redirect("/");
            }
        }
    }
    else
    {
        // else render form
        render("modifypass-form.php", ["title" => "Reset Password"]);
    }

?>

Here is the modifypass-form.php:

<div>
<a href="/">Home</a> | <a href="quote.php">Quote</a> | <a href="buy.php">Buy</a> | <a href="sell.php">Sell</a> | <a href="history.php">History</a> | <a href="logout.php">Sign Out</a> | <a href="resetpass.php">Modify Password</a>
</div>
<br/>
<br/>
<br/>
<form action="modifypass.php" method="post">
    <fieldset>
        <div class="form-group">
            <input autofocus class="form-control" name="curpassword" placeholder="Current Password" type="password"/>
        </div>
        <div class="form-group">
            <input class="form-control" name="newpassword" placeholder="New Password" type="password"/>
        </div>
        <div class="form-group">
            <input class="form-control" name="confirmation" placeholder="Confirmation" type="password"/>
        </div>
        <div class="form-group">
            <button type="submit" class="btn btn-default">Modify Password</button>
        </div>
    </fieldset>
</form>
<div>
    or <a href="register.php">register</a> for an account
</div>
5
Contributors
11
Replies
57
Views
3 Years
Discussion Span
Last Post by cereal
Featured Replies
  • 1
    cereal 1,515   3 Years Ago

    Hi, It seems you're using some **user defined** functions: `apologize()`, `query()`, `render()` and `redirect()` are not PHP functions, so we cannot help much. Check the included file at the top of the script, it should contain those functions and the instructions on their results. Anyway, on line `51` you wrote: … Read More

  • 1
    diafol 3,720   3 Years Ago

    Maybe check out a post here, using the new-ish `password_hash()` and `password_verify()`: http://www.daniweb.com/web-development/php/threads/478882/changing-pass-in-php-mysql#post2092388 PHP 5.5+ required. If you're not on 5.5+ yet, think about upgrading. If your host isn't on 5.5+, give them hell. :) Read More

  • 1
    cereal 1,515   3 Years Ago

    Sorry for the late update, but I realized I wrote something very wrong in my last post. I wrote: > On line 31 you wrote: if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"])) > You're using the hash as second argument of crypt, i.e. as salt, but this will always compare different unless $_POST["curpassword"] … Read More

0

You can check this line, here is syntax error

render("modifypass-form.php", ["title" => "Reset Password"]);

1)Square bracket ( [ ,])
2)=>

Please check your render function second argument.

0

@arunmagar,
Sorry, but you don't know what you're talking about. There's no syntax error in the code section you pointed at.

0

I don't know how it so? But when I check your modifypass.php for syntax error it gave me error.

0

@arunmagar,
There seems to be a syntax error somewhere else in the code, but not in the render portion (render("modifypass-form.php", ["title" => "Reset Password"]);), which you pointed.

1

Hi,

It seems you're using some user defined functions: apologize(), query(), render() and redirect() are not PHP functions, so we cannot help much. Check the included file at the top of the script, it should contain those functions and the instructions on their results.

Anyway, on line 51 you wrote:

crypt($_POST["newpassword"], $row["hash"] = $row["hash"]);

if you're referring to the crypt() function in PHP then you need to save the result to a variable and then use an update query, also crypt takes two arguments: string and salt (which is optional), here should be:

crypt($_POST["newpassword"]);

Or for a compare:

crypt($_POST["newpassword"]) == $row["hash"];

But it seems your code just redirects after this action, it should be something like:

$newpwd = crypt($_POST["newpassword"]);
query("UPDATE ...", $newpwd);

But this seems already done in one of the elseif conditions:

else if (query("UPDATE users SET hash = (?) WHERE username = (?)", crypt($_POST["newpassword"]), $_POST["username"]) === false)

On line 31 you wrote:

if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"]))

You're using the hash as second argument of crypt, i.e. as salt, but this will always compare different unless $_POST["curpassword"] is blank. Correct version should be:

if(crypt($_POST["curpassword"]) != $row["hash"])

Docs:

Hope it helps!

@arunmagar

Hi, mexabet is correct, since PHP 5.4 you can use the short array syntax, as Python lists:

$a = ['a', 'b', 'c'];

Ref: http://www.php.net//manual/en/migration54.new-features.php

Edited by cereal

Votes + Comments
Great insight!
0

@cereal;
A million thanks; I'll work on your suggestions and see what happens.

1

Sorry for the late update, but I realized I wrote something very wrong in my last post. I wrote:

On line 31 you wrote:

if(crypt($_POST["curpassword"], $row["hash"]) != $row["hash"]))

You're using the hash as second argument of crypt, i.e. as salt, but this will always compare different unless $_POST["curpassword"] is blank. Correct version should be:

if(crypt($_POST["curpassword"]) != $row["hash"])

but the OP crypt() implementation is correct. I don't know what I was thinking, my excuses for the wrong information.

As example test:

$post = 'secret';
$salt = '$5$rounds=5000$yd792hcQbEOMHmfi$'; # sha256

# generate hash
$row = crypt($post, $salt);

# check hash
echo crypt($post, $row) == $row ? 'true' : 'false';

Will return true. Bye.

Votes + Comments
senior moment? heh heh - welcome to a very big club!
This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.