0

Yesterday I have posted some code asking how the user can update a password through a form. Look here

However after updating the password, I couldn't login though my android app. So I decided to change a bit the forgotpassword.php file. 

<?php
session_start();
require "../init.php";
ini_set('display_errors', 1);



if(isset($_POST['update'])){


    $email = $_POST['email'];
    $user_name = $_POST['user_name'];
    $password = $_POST['user_pass'];
    $passwordEncrypted = sha1($user_pass); 

    $confpassword = $_POST['confirm_pass'];
    $confPasswordEncrypted = sha1($confirmPass);  

    if($password !== $confpassword){
       echo "<script>alert('Passwords are not equal')</script>";
    }else{
        $select_query = "SELECT * FROM user_info";

        $run_select_query = mysqli_query($con,$select_query); 

        while ($row_post=mysqli_fetch_array($run_select_query)){

              $_SESSION['id'] = $row_post['id'];
              $user_id = $_SESSION['id'];
              $useremail = $row_post['email'];
              $username = $row_post['user_name'];

              var_dump($user_id);

            if($useremail == $email AND $username == $user_name){
                //echo "<script>alert('$useremail')</script>";
                //echo "<script>alert('$username')</script>";
                echo "<script>alert('$id')</script>";
                $update_posts = "UPDATE user_info SET user_pass='$passwordEncrypted',confirm_pass ='$confPasswordEncrypted'  
                WHERE $id='$_userid'";  

                $run_update = mysqli_query($con,$update_posts); 
                //var_dump($user_name);
            echo "<script>alert('Password Has been Updated!')</script>";
            }else{
             echo "<script>alert('No email or username was found')</script>";
            }

        }

    }

}
?>

But now the password is not updated as it was before. There is something wrong in the update statement or a line before that. The $_SESSION['id'] is not null so the select query works fine.

Any ideas?

Thanks.

Community
  • 1
  • 1
Theo
  • 3,099
  • 12
  • 53
  • 94
  • 1
    You've got no error checking in your code. And why 2 SQL statements when this can be implemented with 1 (update where the password and user matches - if it changes 0 rows, the username or password was invalid). – symcbean Apr 22 '16 at 08:02
  • Single round of sha1 is not enough for password hashing. See here: http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – 1615903 Apr 22 '16 at 11:07
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Apr 22 '16 at 15:56

4 Answers4

3

typo in where clause. WHERE $id='$_userid'";

change update query's where clause to this: WHERE $id='$user_id'";

Pathik Vejani
  • 4,263
  • 8
  • 57
  • 98
1

Update your select query:

$select_query = "SELECT * FROM user_info where email = '".$email."' and user_name = '".$username."' ";

and then check if mysqli_num_rows(). If it > 0 then only execute the update query & put the data in the session.

Also your update query is not proper.It should be : 

$update_posts = "UPDATE user_info SET user_pass='$passwordEncrypted',confirm_pass ='$confPasswordEncrypted'  
                WHERE $id='$userid'";
Pathik Vejani
  • 4,263
  • 8
  • 57
  • 98
Dipanwita Kundu
  • 1,637
  • 1
  • 9
  • 14
1

Your update query should be like this :

$update_posts = "UPDATE user_info 
    SET
           user_pass='$passwordEncrypted',
           confirm_pass ='$confPasswordEncrypted' 
    WHERE id = $user_id";
Tom Regner
  • 6,856
  • 4
  • 32
  • 47
Muhammad Hasham
  • 45
  • 4
0

Ok. I have changed the code and made it work. So this is what I am doing.

1) I run a select query to check if the user is already registered. If yes then update the password and send a new one in his email.

2) If not then you get a json response in my android app saying that the user email is not found.

3) And finally the user can login with his updated 5 digit password:).

<?php
 require "init.php";
 $email = $_POST['email'];



  if($email){
        $select_query = "SELECT * FROM user_info";

        $run_select_query = mysqli_query($con,$select_query); 

        while ($row_post=mysqli_fetch_array($run_select_query)){

            $id = $row['id'];
            $usermail = $row_post['email'];
            $username = $row_post['user_name'];



        }
            if($usermail == $email){
                $don = array('result' =>"success","message"=>"user mail found.");

                $random = rand(72891, 92729);
                $new_pass = $random;

                $email_password = $new_pass;
                $new_pass = sha1($new_pass);

                $update_pass = "update user_info set user_pass='$new_pass',confirm_pass='$new_pass' where user_name='$username'";

                $run_update = mysqli_query($con,$update_pass); 


                    $subject = "Login information";

                    $message = "Your password has been changed to $email_password";

                    $from = "From: example@example.com";

                    mail($email,$subject,$message,$from);

                $don = array('result' =>"success","message"=>"your password has been updated. Please check your email");



            }else{
                $don = array('result' =>"fail","message"=>"user mail not found.");
            }
        }else{
            $don = array('result' =>"fail","message"=>"please enter your email");
        }

   echo json_encode($don);
?>
Theo
  • 3,099
  • 12
  • 53
  • 94