1

I am pretty new to PHP, so debugging isn't really something I am familiar with when it comes to PHP.

I am using PHP/JavaScript (AJAX) to change a user's password for my website. So basically, when I log in and try to change my password, the code breaks at the first echo. So the password that I am entering into the form does not match the password in the database. But I am using the same hash method and everything. If anyone has any ideas, let me know. Thanks!

if(isset($_POST["u"])) {
    $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);
    $oldpasshash = md5($_POST["cp"]);
    $newpasshash = md5($_POST["cnp"]);
    $sql = "SELECT id, username, password FROM users WHERE username='$u' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $row = mysqli_fetch_row($query);
    $db_id = $row["id"];
    $db_username = $row["username"];
    $db_password = $row["password"];
    if($db_password != $oldpasshash){
        echo "no_exist";
        exit();
    } else {
        $sql = "UPDATE users SET password='$newpasshash', WHERE username='$db_username' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
    }
    $sql = "SELECT id, username, password FROM users WHERE username='$db_username' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $row = mysqli_fetch_row($query);
    $db_newpass = $row[3];
    if($db_newpass == $newpasshash) {
        echo "success";
        exit();
    } else {
        echo "pass_failed";
        exit();
    }
}
Brad
Nate
  • Make sure error logging is on, and go find your PHP error log file. Use `var_dump()` and `print_r()` to inspect variables at various places. Finally, you have potentially opened yourself up to SQL injection vulnerabilities. Use prepared queries to avoid this problem entirely. – Brad Jun 26 '14 at 18:19
  • You may get hounded for using `md5()` to encode passwords. If able to, look into [hashing your password](http://www.php.net/manual/en/ref.password.php) – Brett Santore Jun 26 '14 at 18:20
  • Basic debugging always involves making a hypothesis about what value a certain variable should have at a certain point, then testing that hypothesis. The most basic way is by doing `var_dump($var);` on that variable at that point (just write it in your source code and run it again). That way you slowly pinpoint the spot where your actual code diverges from your expectations and where you need to fix something. – deceze Jun 26 '14 at 18:21
  • Quick question on the SQL injection. If the variables are coming through an AJAX script before they get to the PHP, will it still cause vulnerability to SQL injection? – Nate Jun 26 '14 at 18:42
  • I am having trouble displaying the variables at certain points in the script. Is there a specific way to do this? I am basically echoing them somewhere on the page. So I assign the variable $dump to var_dump($username). It just isn't showing up on the site. – Nate Jun 26 '14 at 21:31

2 Answers

1

You are using mysqli_fetch_row and accessing the table fields via field name. That is wrong.

mysqli_fetch_row fetches one row of data from the result set and returns it as an enumerated array, where each column is stored in an array offset starting from 0 (zero).

So you have to use

$db_id = $row[0];
$db_username = $row[1];
$db_password = $row[2];
fortune
  • I wish I could check mark both yours and @Pitchinnate 's answers. Both helped extremely! – Nate Jun 26 '14 at 18:50
1

Look at your first two lines of code:

if(isset($_POST["u"])) {
    $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);

You check if $_POST['u'] is set, then you use $_GET['u'].

FYI, you are injecting $u directly into the MySQL statement; don't do this.

Pitchinnate
  • What would be the proper way to insert a variable into the mysql statement? – Nate Jun 26 '14 at 18:43
  • Could you give me an example of what I might do with my code? I'm not quite sure I understand the principle. – Nate Jun 26 '14 at 18:48
  • 1
    Look at the examples on the PHP doc page I linked to. Using bound parameters prevents SQL injection. You can look at the answer on this also: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 – Pitchinnate Jun 26 '14 at 18:50
  • Ok, that makes some sense. Could I not just use the real_escape function on the newpass variable? – Nate Jun 26 '14 at 18:58
  • Could you? Yes. Should you? No. – Pitchinnate Jun 26 '14 at 19:00
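The two answers above point at three separate defects in the question's handler: positional results from mysqli_fetch_row being read by column name, $_POST being checked while $_GET is read, and the username (and the new hash) being concatenated straight into SQL. Below is an added example, written for this page and not code from either answerer or the asker, of the same password-change handler with all three addressed at once: one input source, bound parameters for every query, results bound positionally in SELECT order (the same ordering rule fortune describes for mysqli_fetch_row), and password_hash()/password_verify() in place of md5(), as Brett Santore's comment suggests. It assumes an already-open mysqli connection in $db_conx and the users table (id, username, password) from the question; the function name change_password() and the response strings beyond the original "no_exist"/"success"/"pass_failed" are my own choices.

```php
<?php
// Added example, not the asker's or the answerers' code.
// Assumes: $db_conx is an open mysqli connection; table `users` has columns
// id, username, password (as in the question); PHP 5.5+ for password_hash().

function change_password(mysqli $db_conx, array $post)
{
    // Read every input from the same array; the original checked $_POST and read $_GET.
    if (!isset($post['u'], $post['cp'], $post['cnp'])) {
        return 'missing_fields';
    }
    // Same whitelist as the original. With bound parameters this is input
    // validation only; it is no longer what keeps the query safe.
    $u       = preg_replace('#[^a-z0-9]#i', '', $post['u']);
    $oldpass = $post['cp'];
    $newpass = $post['cnp'];
    if ($u === '' || strlen($newpass) < 8) {
        return 'bad_input';
    }

    // Bound parameter: the username is sent to the server separately from the
    // SQL text, so nothing in it can change the statement.
    $stmt = mysqli_prepare($db_conx,
        'SELECT id, username, password FROM users WHERE username = ? LIMIT 1');
    if ($stmt === false) {
        return 'db_error';
    }
    mysqli_stmt_bind_param($stmt, 's', $u);
    mysqli_stmt_execute($stmt);
    // Columns come back in SELECT order (id, username, password), exactly like
    // $row[0], $row[1], $row[2] from mysqli_fetch_row(); there is no $row[3].
    mysqli_stmt_bind_result($stmt, $db_id, $db_username, $db_password);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // One response for "unknown user" and "wrong password", so the endpoint
    // does not confirm which usernames exist.
    if ($found !== true || !password_verify($oldpass, $db_password)) {
        return 'no_exist';
    }

    // Salted, deliberately slow hash; checked on later logins with password_verify().
    $newhash = password_hash($newpass, PASSWORD_DEFAULT);

    // No stray comma before WHERE (the original UPDATE had one), and the row is
    // addressed by its primary key rather than by a re-typed username.
    $stmt = mysqli_prepare($db_conx,
        'UPDATE users SET password = ? WHERE id = ? LIMIT 1');
    if ($stmt === false) {
        return 'db_error';
    }
    mysqli_stmt_bind_param($stmt, 'si', $newhash, $db_id);
    $ok = mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);

    // affected_rows tells us the write happened; no second SELECT is needed.
    return $ok ? 'success' : 'pass_failed';
}

// From the AJAX endpoint (assumes $db_conx is already connected):
// echo change_password($db_conx, $_POST);
```

Two notes on the design. Whether the request arrives via an AJAX call or a plain form submission makes no difference to the injection question raised in the comments: the values still originate in the client, and only binding them as parameters keeps them out of the SQL text. And because password_verify() will not accept the md5 digests already stored by the original code, switching hash functions means existing users keep their old hash until a check on the legacy format passes once and the row is rewritten with password_hash(); that migration step is outside this example.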