I am trying to make an update-password page for an exercise. I have created an old password field, a new password field and a repeat password field. I have created this on my own. I would be glad if you guys can tell me what my mistakes in my code are, because I somehow can't make the page work. Also it would be interesting to know what I could do better when it comes to security. (I also have a login, register and welcome page that all work.) Greetings

session.php:

<?php
include('connection.php');
session_start();

$user_check = $_SESSION['login_user'];


$ses_sql = mysqli_query($db,"select * from clients where email = '$user_check'");

$row = mysqli_fetch_array($ses_sql,MYSQLI_ASSOC);

$_SESSION['email']=$row['email'];
$_SESSION['username']=$row['username'];
$_SESSION['firstname']=$row['firstname'];
$_SESSION['lastname']=$row['lastname'];
$_SESSION['birthdate']=$row['birthdate'];
$_SESSION['street']=$row['street'];
$_SESSION['streetnr']=$row['streetnr'];
$_SESSION['city']=$row['city'];
$_SESSION['plzz']=$row['plzz'];

if(!isset($_SESSION['login_user'])){
  header("location:http://localhost:81/Left_over_youth_website/pages/login.php");
}

?>

Connection.php:

  <?php
   define('DB_SERVER', 'localhost');
   define('DB_USERNAME', 'root');
   define('DB_PASSWORD', '');
   define('DB_DATABASE', 'leftoveryouth');  
   $db = mysqli_connect(DB_SERVER,DB_USERNAME,DB_PASSWORD,DB_DATABASE);
?>

changepd:

<?php
    include("../php/session.php");
?>
<html>
    <head>
        <title>Forgot Password</title>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=9; IE=8; IE=7; IE=EDGE" />
        <meta content="width=device-width, initial-scale=1, maximum-scale=1, minimum-scale=1, user-scalable=no, minimal-ui" name="viewport">
        <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.4/jquery.min.js"></script>
        <script type="text/javascript" src="../scripts/newpd.js"></script>
        <link rel="stylesheet" href="../css/changepd.css">
        <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" integrity="sha384-1q8mTJOASx8j1Au+a5WDVnPi2lkFfwwEAa8hDDdjZlpLegxhjVME1fgjWPGmkzs7" crossorigin="anonymous">
    </head>
    <body class="img">
        <div class="placeholder">
                <h1 class="logo"><a href="/index.html"class="alogo">Leftover Youth</a></h1>
                <img class="logoo" src="../img/logoo.png" alt="firstimage">
            <form class="form">
                <hr class="verticalline">
                <input class="oldpd" id="oldpd" value="Old Password"
                            onblur="this.value'Old Password':this.value;"
                            onfocus="this.select()"
                            onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}">
                <input class="newpd shine" id="newpd" value="New Password"
                            onblur="this.value'New Password':this.value;"
                            onfocus="this.select()"
                            onclick="if (this.value=='New Password'){this.value=''; this.type='password'}">
                <input class="repeatpd shine" id="repeatpd" value="Repeat Password"
                            onblur="this.value'Repeat Password':this.value;"
                            onfocus="this.select()"
                            onclick="if (this.value=='Repeat Password'){this.value=''; this.type='password'}">
                <p hidden style="color:red;" id="pdontmatch">&#x2612 Password doesn't match</p>
                <p hidden style="color:lightgreen;" id="pmatch">&#x2611 Password matches</p>
                <?php
                    if($_SERVER["REQUEST_METHOD"] == "POST") {
                          $myoldpassword = sha1($_POST['oldpd']);
                          $newpassword = sha1($_POST['newpd']);
                          $repeatpassword = sha1($_POST['repeatpd']);

                          $sql = "SELECT password FROM clients WHERE password = '$myoldpassword'";
                          $result = mysqli_query($db,$sql);
                          if($result){
                              if($newpassword===repeatpassword){
                              $_SESSION["password"] = $newpassword;
                              $update = "UPDATE CLIENTS SET password = mynewpassword";
                              header("location:http://localhost:81/Left_over_youth_website/php/logout.php");
                              }
                              else{
                                  echo('<p>password not updated</p>');
                              }
                          }                            
                       }
                ?>
                <input id="button" type="button" value="Submit" onclick="ausgabe(); marginn();">
                <script>
                function marginn(){
                    document.getElementById('button').style.marginTop = "5px";
                }
                </script>
            </form>
        </div>
    </body>
</html>

If you need further explanation or code, please tell me.

Hazaki
  • SQL injection for starters. Enter `x'; DROP TABLE clients; --` into your login form. Actually, don't do that. http://www.unixwiz.net/techtips/sql-injection.html – waterloomatt Apr 09 '18 at 13:20
  • You should sanitize your $POST-variables before you pass them to your database per query (SQL-Injection prevention). – wayneOS Apr 09 '18 at 13:22

1 Answer

-EDIT-

> because I somehow can't make the page work.

You edited your question and added that line. I thought you were only looking for advice on security. What exactly is not working?

  • You're open to SQL injection attack every time you embed variables in your queries: `where email = '$user_check'`. You should use parameterized queries instead. http://php.net/manual/en/mysqli.quickstart.prepared-statements.php https://phpdelusions.net/pdo

  • Don't use SHA1 for password hashing - it is not secure. See "Secure hash and salt for PHP passwords" and "How to use password_hash".

  • Don't store very sensitive data (like passwords) in the session: `$_SESSION["password"] = $newpassword;`. Even though the session resides on the server, the data is often stored in files which can be accessed by other users, especially if used in a shared hosting environment.

  • Is email a primary key? If not, your query will return multiple rows and then you'd be accessing a random row in PHP:
    `mysqli_query($db,"select * from clients where email = '$user_check'");`

  • Make sure $row exists and is not empty before using it. What happens if you enter a non-existent email address?

  • By using JS to check if the value is the default value you are adding unnecessary complexity: `onclick="if (this.value=='Old Password'){this.value=''; this.type='password'}"`. Instead, just use the placeholder attribute. https://html.com/attributes/input-placeholder/

waterloomatt
  • You can log in with email and password; I never used the primary key. – Hazaki Apr 09 '18 at 13:51
  • @Hazaki - the point is your DB will allow multiple rows with the same email, right? If so, your PHP code doesn't take that into account and you will access *some row* which you cannot guarantee is the one you expect. Either you need to change your DB to make email unique or your PHP needs to retrieve the row you expect by using other fields in the query. Specifically, I am referring to this line `$ses_sql = mysqli_query($db,"select * from clients where email = '$user_check'");` – waterloomatt Apr 09 '18 at 13:57
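A hardened version of the change-password handler along the lines the answer recommends (prepared statements, password_hash/password_verify, no password kept in the session, a single-row lookup, exit after redirects). This is an added example, not code from the question or the answer; it assumes the `clients` table has an integer primary key `id` and that `connection.php` defines `$db` as in the question.

```php
<?php
// Added example, not the asker's code. Assumes `clients` has an integer
// primary key `id` and a `password` column of at least 255 characters,
// which is enough for any password_hash() output.
include('connection.php');
session_start();

if (!isset($_SESSION['login_user'])) {
    header('Location: login.php');
    exit; // stop here, otherwise the rest of the script still runs
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $old    = $_POST['oldpd']    ?? '';
    $new    = $_POST['newpd']    ?? '';
    $repeat = $_POST['repeatpd'] ?? '';

    if ($new === '' || $new !== $repeat) {
        echo '<p>Passwords do not match</p>';
        exit;
    }

    // Parameterized query: the email never becomes part of the SQL text,
    // and LIMIT 1 makes the "which row did I get" question explicit.
    $email = $_SESSION['login_user'];
    $stmt = mysqli_prepare($db, 'SELECT id, password FROM clients WHERE email = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 's', $email);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id, $storedHash);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);

    // Check that the row exists, then verify the old password against the
    // stored hash; nothing password-related is ever written to $_SESSION.
    if (!$found || !password_verify($old, $storedHash)) {
        echo '<p>Old password is incorrect</p>';
        exit;
    }

    // password_hash() picks a random salt and a slow algorithm (bcrypt by default).
    $newHash = password_hash($new, PASSWORD_DEFAULT);

    // Update only this user's row, addressed by primary key.
    $stmt = mysqli_prepare($db, 'UPDATE clients SET password = ? WHERE id = ?');
    mysqli_stmt_bind_param($stmt, 'si', $newHash, $id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);

    header('Location: logout.php');
    exit;
}
```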