-1

I am currently working on a PHP file where an admin has the privilege of updating a user account's password, which is hashed, but it is currently not working and not updating in the database. I tried looking for the problem but failed to find it; a little help would be appreciated. Here is my simple code...

edit-accounts-process.php:

    <?php
    $connect=mysqli_connect('localhost','root','','report_generation');

    if(isset($_POST['submit'])) {
            $id = $_POST['id'];
            $username = $_POST['username'];
            $password= $_POST['password'];
            $login_name = $_POST['login_name']; //full name of the user

            $query = "UPDATE dim_login set username = '$username', password = md5('$password'), login_name = '$login_name', where id = '$id'";

            mysqli_query($connect, $query);
            header( "Location: user-account.php" ); die;
            echo "<script>window.open('user-account.php','_self')</script>";
    } ?>

Form:

    <div class="row">
    <div class="col-md-12">
        <div class="box box-primary">
        <div class="box-header with-border">
          <h3 class="box-title">Quick Example</h3>
        </div>
        <!-- /.box-header -->
        <!-- form start -->
        <?php
          $id = $_GET['id'];
          $query = "select * from dim_login where id = '$id';";             
          $run = mysqli_query($connect, $query);    

          while ($row = mysqli_fetch_array($run)) {

            $id = $row[0];
            $username = $row[1];
            $password = $row[2];
            $login_name = $row[3];

          }                    
        ?>
        <form class="form" action="edit-account-process.php?id=<?php echo $id; ?>" method="post">
          <div class="box-body">
            <div class="form-group">
              <label>Full Name</label>
              <input type="text" class="form-control" name="login_name" value="<?php echo $login_name; ?>">
            </div>
            <div class="form-group">
              <label>Username</label>
              <input type="text" class="form-control" name="username" value="<?php echo $username; ?>">
            </div>
            <div class="form-group">
              <label>New Password</label>
              <input type="password" class="form-control" name="password" value="">
            </div>
          </div>
          <!-- /.box-body -->

          <div class="box-footer">
            <input type="submit" class="btn btn-primary" value="Submit" name="submit" />
          </div>
          <input type= "hidden" name = "id" value ="<?php echo $id ?>"/>
        </form>
      </div>
        <!-- /.box -->
    </div>

</div>
Mark Lim
  • SQL injection *and* MD5 hashing? You're really ticking all the boxes for bad practices. http://php.net/manual/en/mysqli.prepare.php http://php.net/manual/en/function.password-hash.php – Sammitch Mar 13 '18 at 18:22

2 Answers

0

Please use http://de2.php.net/manual/en/function.password-hash.php, the newer function to create passwords; it's safer and better.

`login_name = '$login_name',` < remove the last comma before WHERE

Juu
  • In addition, I strongly suggest some escaping for user input; using `mysqli_real_escape_string` is a **must** to prevent SQL injections – GrowingBrick Mar 13 '18 at 18:21
  • I've been looking for hours already to resolve this problem! Thank you so much for helping me notice this simple mistake! – Mark Lim Mar 13 '18 at 18:22
  • @GrowingBrick yes this too! :) – Juu Mar 13 '18 at 18:22
  • I will, this is simple script for now. Thank you both for your help. – Mark Lim Mar 13 '18 at 18:24
  • Incidentally, see [Is mysqli_real_escape_string safe?](https://stackoverflow.com/questions/22304930/is-mysqli-real-escape-string-safe) and [Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?](https://stackoverflow.com/questions/32391315/is-mysqli-real-escape-string-enough-to-avoid-sql-injection-or-other-sql-attack), etc. – showdev Mar 13 '18 at 18:25
  • I know about that, but unless there aren't variables without single-quotes ' and you don't use GBK encoding, injections are still impossible. Using prepared statements is another way to do it, but it is not true that it is the **only** way. (However, the encoding problem is solved in the MySQL**i** lib, since you pass the db connection link, which correctly handles the encoding used.) – GrowingBrick Mar 13 '18 at 18:37
-1

First of all, if you test your query with a SQL checker you will get an error (here for example: https://www.eversql.com/sql-syntax-check-validator/).

Your resulting query has a comma before the where clause

    "UPDATE dim_login set username = 'xxx', password = md5('xxx'), login_name = 'xxx', where id = '1'"

That is the right one

    "UPDATE dim_login set username = 'xxx', password = md5('xxx'), login_name = 'xxx' where id = '1'"

Second, are you sure that your id field has to be treated like a string?

Third, what's the purpose of checking isset($_POST['submit'])?
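
The fixes raised in the answers and comments above (the stray comma, a prepared statement via `mysqli::prepare`, `password_hash` instead of MD5, an integer `id`) combined in one handler. This is an added example, not code from any of the posters. It assumes `dim_login.password` is wide enough for the hash (`VARCHAR(255)`), that the login code is switched to `password_verify()`, and that the admin session is checked before this runs; `update_account` is a hypothetical helper name.

```php
<?php
// Added example: hardened edit-accounts-process.php (not the asker's code).
// Assumptions: dim_login.password is VARCHAR(255); login uses password_verify();
// the admin session has already been verified before this script runs.

// Make mysqli throw on SQL errors, so a syntax error such as the stray comma
// before WHERE is reported instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function update_account(mysqli $db, array $post): bool
{
    // id is numeric: validate it as an integer instead of quoting it as a string.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $username = trim($post['username'] ?? '');
    $loginName = trim($post['login_name'] ?? '');
    $password = $post['password'] ?? '';
    if ($id === false || $username === '' || $loginName === '') {
        return false;
    }

    if ($password === '') {
        // Blank "New Password" field: leave the stored hash untouched.
        $stmt = $db->prepare(
            'UPDATE dim_login SET username = ?, login_name = ? WHERE id = ?'
        );
        $stmt->bind_param('ssi', $username, $loginName, $id);
    } else {
        // Salted, adaptive hash; values are bound, never concatenated into SQL.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = $db->prepare(
            'UPDATE dim_login SET username = ?, password = ?, login_name = ? WHERE id = ?'
        );
        $stmt->bind_param('sssi', $username, $hash, $loginName, $id);
    }
    $stmt->execute();
    return true;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new mysqli('localhost', 'root', '', 'report_generation');
    $db->set_charset('utf8mb4');
    update_account($db, $_POST);
    header('Location: user-account.php');
    exit;
}
```

Hashes already stored with `md5()` will not validate under `password_verify()`, so those accounts need their passwords set again through this form.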