0

I am using the following php/MySQL script to allow a user to change their password. for some reason this script works on my localhost but not when I try and run it from my main server?

Please can someone show me where I am going wrong? Thanks in advance

<?php
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {




$old_pass = $_POST['old_pass'];
$old_pass = stripslashes($old_pass);
$old_pass = mysql_real_escape_string($old_pass);

$new_pass = $_POST['new_pass'];
$new_pass = stripslashes($new_pass);
$new_pass = mysql_real_escape_string($new_pass);

$new_pass2 = $_POST['new_pass2'];
$new_pass2 = stripslashes($new_pass2);
$new_pass2 = mysql_real_escape_string($new_pass2);
include '../include/config.php';


$query = "SELECT * FROM supplier_users WHERE user_id = '{$_SESSION['id']}' UNION SELECT * FROM internal_users WHERE user_id = '{$_SESSION['id']}'";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);


include '../dependables/secure.php'; 

$hashed_pass = crypt($old_pass, $Blowfish_Pre . $row['salt'] . $Blowfish_End);


if($hashed_pass !== $row['user_password_hash']) { 
$_SESSION['message2'] = '<div class="form_error2">Ooops! The Current Password you entered is Incorrect. Please try again.</div> '; 
echo $_SESSION["message2"];
unset($_SESSION['message2']);    
}else{
if($new_pass != $new_pass2) { 
$_SESSION['message2'] = '<div class="form_error2">Ooops! The Passwords do not match. Please try again.</div> '; 
echo $_SESSION["message2"];
unset($_SESSION['message2']);

}else{

if($hashed_pass == $row['user_password_hash']) { 
if($new_pass == $new_pass2) { 

$pass = $new_pass;
$Allowed_Chars =
'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789./';
$Chars_Len = 63;
// 18 would be secure as well.
$Salt_Length = 21;
$mysql_date = date( 'Y-m-d' );
$salt = "";

for($i=0; $i<$Salt_Length; $i++)
{
    $salt .= $Allowed_Chars[mt_rand(0,$Chars_Len)];
}
$bcrypt_salt = $Blowfish_Pre . $salt . $Blowfish_End;
$hash = crypt($pass, $bcrypt_salt);
$title = 'Password';

$query2 = "UPDATE supplier_users SET user_password_hash = '$hash', salt = '$salt', password_change_date = now() WHERE user_id = '{$_SESSION['id']}' LIMIT 1";
$result2 = mysql_query($query2);

$query3 = "UPDATE internal_users SET user_password_hash = '$hash', salt = '$salt', password_change_date = now() WHERE user_id = '{$_SESSION['id']}' LIMIT 1";
$result3 = mysql_query($query3);    

if($result2 || $result3) {
$digits2 = 6;
$ref = rand(pow(10, $digits2-1), pow(10, $digits2)-1);
$final = "INSERT INTO recent_activity (id, user_id, reference, date, activity_type, status) VALUES ('', '{$_SESSION['id']}', '$ref', now(), '$title', 'Complete')";
$second = mysql_query($final);    
$_SESSION['message2'] = '<div class="form_error21">Thank You! Your Password has been changed successfully.</div> '; 
echo $_SESSION["message2"];
unset($_SESSION['message2']);   
} } } } } } ?>






<div class="overlap">
<h23>Change Password</h23>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> 
    <input type="text" name="old_pass" id="old_pass" class="user" placeholder="Current Password" autocomplete="off"><br/>
    <input type="text" name="new_pass" id="new_pass" class="user" placeholder="New Password" autocomplete="off"><br/>
    <input type="text" name="new_pass2" id="new_pass2" placeholder="Confirm New Password" autocomplete="off">
    <input type="submit" name="subimt" id="submit" value="Change">
</form>
</div>

<div class="bottom_page_banner"></div>
Mark harris
  • 525
  • 15
  • 39
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jul 15 '15 at 14:33
  • You really shouldn't use your own salts on password hashes and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. – Jay Blanchard Jul 15 '15 at 14:33
  • Are you getting any errors on your main server? Have you checked the error logs? You're assuming that every query you have here works, there is no error checking. *If I were a betting man I would bet that the server will throw the "deprecated" error due to the older MySQL API.* – Jay Blanchard Jul 15 '15 at 14:35
  • Maybe the error log or `mysql_error` can show you where you're going wrong. – frz3993 Jul 15 '15 at 14:39
  • the problem is I am not getting any errors on my localhost or my main server when I use MySQL_error – Mark harris Jul 15 '15 at 14:45

0 Answers0