PHP crypt(), UPDATE and Comparisons

Question

I am creating my change password site for my website and I have some problems with the code...

For some reason i have difficulties with the passwords being compared and replaced in the db after crypting them.

I wanted this:

Either get the current users password and compare it to the input value of $oldpass or compare the input value of $oldpass with the password stored in the database for the current user.

After checking if the $oldpass and the password from the database match and IF they match then take the input value of $newpass and $repeatpass, compare them and if they match, then crypt() $newpass and update the database with the new password.

I am not even sure if the passwords are even crypted.

Also in the code I am comparing $oldpass with $_SESSION['password'] which is not the password from the db, I can't figure out how to call the password from the db.

    <?php

include 'check_login_status.php';

$u="";
$oldpass=md5($_POST['oldpass']);
//stripping both strings of white spaces
$newpass = preg_replace('#[^a-z0-9]#i', '', $_POST['newpass']);
$repeatpass = preg_replace('#[^a-z0-9]#i', '', $_POST['repeatpass']);

//get the username from the header
if(isset($_GET["u"])){
    $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);
} else {
    header("location: compare_pass.php?u=".$_SESSION["username"]);
    exit(); 
}

// Select the member from the users table
$sql = "SELECT password FROM users WHERE username='$u' LIMIT 1";
mysqli_query($db_conx, $sql);
$user_query = mysqli_query($db_conx, $sql);
// Now make sure that user exists in the table
$numrows = mysqli_num_rows($user_query);
if($numrows < 1){
    echo "That user does not exist or is not yet activated, press back";
    exit(); 
}

if ($oldpass == $_SESSION['password']) {
    echo "session and oldpass are matching";
} else {
    echo "Session and oldpass do not match!";
}

$isOwner = "no";
//check if user is logged in owner of account
if($u == $log_username && $user_ok == true){
    $isOwner = "yes";
}
$newpass = password_hash($newpass, PASSWORD_BCRYPT);

if (isset($_POST["submit"]) && ($isOwner == "yes") && ($user_ok == true) && ($newpass == $repeatpass)) {
    $newpass = password_hash($newpass, PASSWORD_BCRYPT);
    $sql = "UPDATE users SET `password`='$newpass' WHERE username='$u' LIMIT 1";
}

if (mysqli_query($db_conx, $sql)) {
    echo "Record updated successfully";

} else {
    echo "Error updating record: " . mysqli_error($db_conx);
    }

?>

<h3>Create new password</h3>
  <form action="" method="post">
    <div>Current Password</div>
    <input type="text" class="form-control" id="password" name="oldpass" ><?php echo "{$oldpass}"; ?>
    <div>New Password</div>
    <input type="text" class="form-control" id="password" name="newpass" ><?php echo "{$newpass}"; ?>
    <div>Repeat Password</div>
    <input type="text" class="form-control" id="password" name="repeatpass" ><?php echo "{$repeatpass}"; ?>
    <br /><br />
    <input type="submit" name="submit" value="Submit"> 
    <p id="status" ></p>
  </form><?php echo "{$oldpass}, {$_SESSION['password']}"; ?>


  <pre>
  <?php
  var_dump($_SESSION);
    var_dump($oldpass);

    var_dump($newpass);
    var_dump($repeatpass);
    ?>
  </pre>

Answer 1

Ther is a much easier way to solve the problem:

// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);

// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);

The algorithm MD5 is not a good choice to protect passwords because it is designed to be fast and can be brute-forced too easily.

Storing the password/hash in the session is not very helpful, if you know it is the same user, you know if he is already logged in, just store an indicator in the session like $_SESSION['is_logged_in'] or just the username $_SESSION['username'].