I'm new to PHP and I know that this code is not perfect, but I want to try a few things and now I have a problem here:

error_reporting(E_ALL);
ini_set('display_errors', 1);

include "../../pdo_connect.php";

$submit = $_POST["submit"];

if($submit != 1) {

    $id = $_GET["id"];
    $token = $_GET["tk"];

    $getinfoquery = "SELECT email from passreset WHERE resid = ? AND restoken = ?";

    $getinfostmt = $pdo_log->prepare($getinfoquery);
    $getinfostmt->execute(array(
        $id,
        $token
    ));

    while(true) {

        $info = $getinfostmt->fetch(PDO::FETCH_ASSOC);

        if(empty($info)) {
            echo "This link doesn't work";
            break;
        } else if(!empty($info)) {
            $email = $info["email"];
            ?>  
                <div id="badPasswordText" style="display: none"></div>

                <form method="POST" action="">
                    New Password         <input type="password" name="newpass"><br/>
                    Reenter new Password <input type="password" name="newpassB"><br/>
                    <input type="hidden" value="1" name="submit"> 
                    <input type="hidden" value="<?php echo '$email'; ?>" name="email">
                    <input type="submit" value="Change"><br/><br/>
                </form>
                <form method="POST" action="">
                    <input type="hidden" value="1" name="submit">
                    <input type="hidden" value="1" name="cancel">
                    <input type="submit" value="Cancel">
                </form>
            <?php
            break;
        }
    }

} else if($submit == 1) {

    $cancel = $_POST["cancel"];

    if($cancel == 1) {
        echo "<script> window.location = '##Deleted this link##'; </script>";
    } else {

        $newpass = $_POST["newpass"];
        $newpassB = $_POST["newpassB"];
        $email = $_POST["email"];

        $newpasshash = password_hash($newpass, PASSWORD_BCRYPT);
        $newpassBhash = password_hash($newpassB, PASSWORD_BCRYPT);

        if(password_verify($newpasshash, $newpassBhash)) {

            $updatequery = "UPDATE user SET password = ? WHERE email = ?";

            $updatestmt = $pdo_log->prepare($updatequery);
            $updatestmt->execute(array(
                $newpasshash,
                $email
            ));

            $deletequery = "DELETE FROM passreset WHERE email = ?";

            $deletestmt = $pdo_log->prepare($deletequery);
            $deletestmt->execute(array(
                $email
            ));

            echo "Successful! ";
            ?><a href="##Deleted this link##">Continue</a><?php

        } else {
            echo "<script>badPassword();</script>";
        }
    }

}

This code is part of a password reset function. Everything works fine; the only problem appears if the user enters his new password and clicks "Change". Then it only shows a blank site. I think I have some sort of logical fault in here, but I don't know where it is...

Maybe you can help me with this!

Error Log:

[Tue Dec 05 00:49:44 2017] [error] [client 66.249.64.195] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 04:52:09 2017] [error] [client 5.45.207.40] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 07:51:18 2017] [error] [client 37.9.113.143] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 09:52:06 2017] [error] [client 66.249.64.143] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 10:31:41 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 12:19:06 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 13:52:15 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 14:09:08 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 14:10:16 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/tr/mod/mod_auth_anon.html
[Tue Dec 05 14:11:21 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/tr/mod/mod_auth.html
[Tue Dec 05 14:12:04 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/tr/mod/mod_access.html
[Tue Dec 05 14:51:13 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/tr/ru
[Tue Dec 05 15:59:39 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 16:50:40 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 19:20:24 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 19:21:40 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/tr/ru
[Tue Dec 05 20:20:32 2017] [error] [client 66.249.64.198] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 20:32:30 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Parse error: syntax error, unexpected '{' in /var/customers/webs/ni873420_2/login/reset/index.php on line 26, referer: http://www.website.com/login/
[Tue Dec 05 20:32:30 2017] [error] [client 91.113.119.184] File does not exist: /var/customers/webs/ni873420_2/favicon.ico, referer: http://www.website.com/login/reset/
[Tue Dec 05 20:57:39 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Parse error: syntax error, unexpected '{' in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 90
[Tue Dec 05 20:58:12 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 20:59:36 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Fatal error: Call to undefined method PDOStatement::exec() in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 37
[Tue Dec 05 21:05:31 2017] [error] [client 95.108.213.23] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 21:35:06 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: submit in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 30
[Tue Dec 05 21:56:38 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: submit in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 30
[Tue Dec 05 21:56:44 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: cancel in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 82, referer: http://www.website.com/login/reset/changepass.php?id=7dNGokCyEu&tk=sDm5IE8UhjSrzawWakRejr0ae584744AIqFr4Nlm
[Tue Dec 05 21:59:54 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: submit in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 30
[Tue Dec 05 21:59:58 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: cancel in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 82, referer: http://www.website.com/login/reset/changepass.php?id=7dNGokCyEu&tk=sDm5IE8UhjSrzawWakRejr0ae584744AIqFr4Nlm
[Tue Dec 05 22:02:17 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: submit in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 30
[Tue Dec 05 22:02:21 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: cancel in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 82, referer: http://www.website.com/login/reset/changepass.php?id=7dNGokCyEu&tk=sDm5IE8UhjSrzawWakRejr0ae584744AIqFr4Nlm
[Tue Dec 05 22:04:34 2017] [error] [client 37.9.113.67] File does not exist: /usr/share/doc/apache2-doc/manual/tr/ru
[Tue Dec 05 22:04:37 2017] [error] [client 66.249.64.145] File does not exist: /var/customers/webs/ni873420_2/robots.txt
[Tue Dec 05 22:05:39 2017] [error] [client 95.108.213.23] File does not exist: /usr/share/doc/apache2-doc/manual/es/ru
[Tue Dec 05 22:07:39 2017] [warn] [client 91.113.119.184] mod_fcgid: stderr: PHP Notice: Undefined index: cancel in /var/customers/webs/ni873420_2/login/reset/changepass.php on line 82, referer: http://www.website.com/login/reset/changepass.php?id=7dNGokCyEu&tk=sDm5IE8UhjSrzawWakRejr0ae584744AIqFr4Nlm
DoubleJ
  • A blank page indicates that you should have a look at the error log – Nico Haase Dec 05 '17 at 20:52
  • Where can I find that? As I said I'm very new to PHP... – DoubleJ Dec 05 '17 at 20:52
  • @DoubleJ If your code was properly formatted, the issue would probably be pretty obvious. – GrumpyCrouton Dec 05 '17 at 20:53
  • That depends - on a unix system, the error log is placed in /var/log/apache/ usually – Nico Haase Dec 05 '17 at 20:54
  • Try removing the single quotes around `$email` in ` – Sean Dec 05 '17 at 20:55
  • Well, I already said I'm at the beginning of learning PHP. I have also tried to rewrite the complete code, but it still doesn't work – DoubleJ Dec 05 '17 at 20:56
  • @Sean I tried it, but it didn't work. – DoubleJ Dec 05 '17 at 20:57
  • @DoubleJ You are passing 2 hashed strings to [`password_verify()`](http://php.net/manual/en/function.password-verify.php). That is not how this function works. – GrumpyCrouton Dec 05 '17 at 20:58
  • @GrumpyCrouton Oh ok, so if I verify a hashed Password with a non-hashed Password it would return true? – DoubleJ Dec 05 '17 at 21:01
  • @DoubleJ Let's say you have the password "test123". If you ran `password_hash()` on this, and get a hash (for example's sake, let's say the hash you get is "ksaoipkj2152"). You store this hash to the database, now when you want to verify the password you take the user input "test123" and compare it to the hash from earlier. `password_verify("test123", "ksaoipkj2152");` would be `true`. – GrumpyCrouton Dec 05 '17 at 21:03
  • @GrumpyCrouton Ok, thank you for that info! But it still doesn't work :( – DoubleJ Dec 05 '17 at 21:06
  • @DoubleJ I can't help you much more than that without an error description. In the folder you are running the file, there may be a file called `error_log`. Delete this, and run the page again, then update your question with the error code. – GrumpyCrouton Dec 05 '17 at 21:07
  • @GrumpyCrouton I don't have a webserver, I rent a webspace from a big hoster and I don't have access to the complete webserver files. But I just found an error log in the web interface... – DoubleJ Dec 05 '17 at 21:11
  • @DoubleJ Any "big hoster" worth their salt will give you FTP access to your files. – GrumpyCrouton Dec 05 '17 at 21:14
  • @GrumpyCrouton sure I have FTP access, but there is no error_log file – DoubleJ Dec 05 '17 at 21:15
  • When you submit via either form, `$_POST ['submit']==1`. When you submit from the first, there is no `$_POST['cancel']` element in your superglobal array. When loading this page for the first time, there is no `$_POST` data to play with -- you need to check `isset ($_POST['submit'])` before checking its value. – mickmackusa Dec 05 '17 at 22:28

0 Answers
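
An added example, not code from the question or its comments: one way to structure the reset handler so that it checks `isset()` before reading `$_POST`, compares the two plaintext entries instead of two hashes, and takes the e-mail from the token row rather than from the client-editable hidden `email` field. It assumes the form posts back to the same URL so `id` and `tk` stay in the query string; the function name `resetPassword`, its return strings and the in-memory SQLite data are constructed for illustration.

```php
<?php
// Added example, not the asker's code. Table and column names follow the
// question; resetPassword() and the SQLite sample rows are constructed.
function resetPassword(PDO $pdo, array $get, array $post): string
{
    // Missing keys become '' instead of raising "Undefined index" notices.
    $id    = (string)($get['id'] ?? '');
    $token = (string)($get['tk'] ?? '');
    // Re-check the token on every request and read the e-mail from the
    // database row, not from a hidden form field the client can edit.
    $stmt = $pdo->prepare('SELECT email FROM passreset WHERE resid = ? AND restoken = ?');
    $stmt->execute([$id, $token]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return 'invalid-link';
    }
    if (!isset($post['submit'])) {
        return 'show-form';
    }
    if (isset($post['cancel'])) {
        return 'cancelled';
    }
    $new  = (string)($post['newpass'] ?? '');
    $newB = (string)($post['newpassB'] ?? '');
    // Compare the two plaintext entries. Hashing both and passing the hashes
    // to password_verify() never succeeds: each bcrypt hash has its own salt.
    if ($new === '' || !hash_equals($new, $newB)) {
        return 'mismatch';
    }
    $hash = password_hash($new, PASSWORD_BCRYPT);
    $pdo->prepare('UPDATE user SET password = ? WHERE email = ?')->execute([$hash, $email]);
    $pdo->prepare('DELETE FROM passreset WHERE email = ?')->execute([$email]);
    return 'changed';
}

// Constructed demo data in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (email TEXT, password TEXT)');
$pdo->exec('CREATE TABLE passreset (resid TEXT, restoken TEXT, email TEXT)');
$pdo->exec("INSERT INTO user VALUES ('a@example.test', 'old')");
$pdo->exec("INSERT INTO passreset VALUES ('id1', 'tok1', 'a@example.test')");
$link = ['id' => 'id1', 'tk' => 'tok1'];
var_dump(resetPassword($pdo, $link, []));                 // first page load
var_dump(resetPassword($pdo, $link, ['submit' => '1', 'newpass' => 'x1', 'newpassB' => 'x2']));
var_dump(resetPassword($pdo, $link, ['submit' => '1', 'newpass' => 'correct horse', 'newpassB' => 'correct horse']));
var_dump(resetPassword($pdo, $link, []));                 // link reused after the change
$stored = $pdo->query('SELECT password FROM user')->fetchColumn();
var_dump(password_verify('correct horse', $stored));      // plaintext against stored hash
```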