
By commenting out lines, I found out that the last line in this code that isn't commented out

$query->bindParam(':password', $password);

is the line where the code stops working and all I get is a

"This page isn't working .... is currently unable to handle this request. HTTP ERROR 500"

However, I have no idea what is wrong with the bindParam() usage.

I later added this:

$query = $conn->prepare('UPDATE users SET user_password = ? WHERE user_email = ?');
$query->execute(array($password, $email));
echo "Your password has been successfully reset.";

I have changed the code again and now it is working. The entire code now looks like this:

<?php
// Was the form submitted?
if (isset($_POST["ResetPasswordForm"])) {
    // Gather the post data
    include_once 'includes/database.inc.php';
    $email = $_POST['email'];
    $password = $_POST['password'];
    $confirmpassword = $_POST['confirmpassword'];
    $hash = $_POST["q"];

    // Use the same salt from the forgot_password.php file
    $salt = "498#2D83B631%3800EBD!801600D*7E3CC13";

    // Generate the reset key
    $resetkey = hash('sha512', $salt.$email);

    // Does the new reset key match the old one?
    if ($resetkey == $hash) {
        if ($password == $confirmpassword) {
            // Hash and secure the password
            $hashedPassword = password_hash($password, PASSWORD_DEFAULT);

            // Update the user's password
            $sqlUpdate = "UPDATE users SET user_password = ? WHERE user_email = ?;";

            $stmt = mysqli_stmt_init($conn);
            if (!mysqli_stmt_prepare($stmt, $sqlUpdate)) {
                echo "SQL Failed";
                exit();
            } else {
                mysqli_stmt_bind_param($stmt, "ss", $hashedPassword, $email);
                mysqli_stmt_execute($stmt);
                echo "Your password has been successfully reset2.";
                exit();
            }
        }
    } else {
        echo "Your password reset key is invalid.";
        exit();
    }
}
?>
griesgram
    What do you mean by "stops working"? Do you get an error message? If you just get a blank screen, have you checked your PHP error logs? Or do you get a result but not the one you want? There are probably details that seem obvious to you because you've been staring at this for a while, but we have only what you tell us. (Please [edit] the question with extra details, don't try to fit them into comments.) – IMSoP Jun 05 '18 at 16:51
  • 2
    sha512 is far too fast for password hashing. This is what you need to be using: http://php.net/password_hash – Mike Jun 05 '18 at 16:51
  • `bindParam` returns `FALSE` when an error occurs. Check the return value, and also the PHP logs. – Seblor Jun 05 '18 at 16:54
  • See: https://stackoverflow.com/questions/8776344/how-to-view-query-error-in-pdo-php – Mike Jun 05 '18 at 16:55
  • @Mike Question one: What do you mean by too fast? I can echo out the hashed password. Question two (or note): see my edit. I tried to throw out the exception, but to no success. – griesgram Jun 05 '18 at 19:12
  • @griesgram In order for password hashing to be secure, it must be slow and hopefully memory-intensive to calculate, it must also contain a *random* salt (not a hard-coded one like you have it). That way if a hacker ever gained access to your database, it would be extremely difficult for them to ever determine the original passwords based on the password hashes. – Mike Jun 05 '18 at 21:06
  • @griesgram `setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);` needs to be done on the PDO object, not on the PDOStatement object (i.e. on `$conn`). And it is best done right after connecting. – Mike Jun 05 '18 at 21:08
  • @Mike I will change these things as soon as I get this running. I guess I am almost there. See my edit. Thanks for all the info by the way. – griesgram Jun 05 '18 at 21:16
  • If you are using `PDO::ERRMODE_EXCEPTION` and it's not throwing exceptions, your query was executed. Maybe there were no matching rows. See also http://php.net/manual/en/pdostatement.rowcount.php. – Mike Jun 05 '18 at 21:23
  • It was definitely executing but no password change was made in the DB, no idea why. I changed the code as above and now it is working. I used the hashing method you mentioned before and it was no problem implementing it. Now what I have no idea of is how to generate a random salt, but I will look into that soon enough. If you have any good link about it, I will appreciate it a lot. Thanks. – griesgram Jun 06 '18 at 06:58
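The comment thread above ends on two points: password hashing needs a random salt, and the reset key in the question is derived from a hard-coded salt plus the e-mail address, so it never changes. The following is an added example, not code from the question or from any commenter, showing that `password_hash()` already embeds a random salt in its output, and how a reset key can instead be a random, single-use token with an expiry. The `password_resets` table, its columns and the `$conn` PDO object are assumptions made for the example.

```php
<?php
// Added example, not the question's code. Assumes a hypothetical table
// password_resets(user_email, token_hash, expires_at) and a PDO handle $conn.

declare(strict_types=1);

// password_hash() draws a fresh random salt on every call and stores it inside
// the returned string, so no salt has to be chosen, stored or hard-coded.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

$h1 = storePassword('correct horse');
$h2 = storePassword('correct horse');
var_dump($h1 !== $h2);                           // bool(true): different salts
var_dump(password_verify('correct horse', $h1)); // bool(true)
var_dump(password_verify('correct horse', $h2)); // bool(true)

// A key computed as hash(fixed_salt . email) is the same for a given address
// forever. A random token that is stored hashed, expires, and is compared in
// constant time does not have that property.
function createResetToken(PDO $conn, string $email): string
{
    $token     = bin2hex(random_bytes(32));     // 64 hex chars, sent to the user
    $tokenHash = hash('sha256', $token);        // only the hash is stored
    $expiresAt = (new DateTimeImmutable('+1 hour'))->format('Y-m-d H:i:s');

    $stmt = $conn->prepare(
        'INSERT INTO password_resets (user_email, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$email, $tokenHash, $expiresAt]);
    return $token;
}

function verifyResetToken(PDO $conn, string $email, string $token): bool
{
    $stmt = $conn->prepare(
        'SELECT token_hash, expires_at FROM password_resets WHERE user_email = ?'
    );
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                            // no pending reset
    }
    if (new DateTimeImmutable($row['expires_at']) < new DateTimeImmutable()) {
        return false;                            // expired
    }
    // hash_equals() is a constant-time comparison. A plain == on two hashes
    // would also apply PHP's loose comparison, which treats numeric-looking
    // strings as numbers.
    return hash_equals($row['token_hash'], hash('sha256', $token));
}
```

After a successful `verifyResetToken()` the row should be deleted so the token cannot be replayed; that step is left to the caller in this example.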

1 Answer

You need to specify the data type when binding: http://php.net/manual/en/pdostatement.bindparam.php

Use: $query->bindParam(':password', $password, PDO::PARAM_STR);
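To put the answer's `PDO::PARAM_STR` binding together with the points raised in the comments (error mode set on the connection, and checking whether a row was actually updated), here is an added example of the PDO version of the password update. It is not the answer's or the question's code; the DSN, credentials and the `users` table columns are assumptions.

```php
<?php
// Added example, not the answer's or the question's code. The DSN, the
// credentials and the users(user_password, user_email) columns are assumptions.

declare(strict_types=1);

function connect(): PDO
{
    // ERRMODE_EXCEPTION is set on the PDO object at connect time, so a failing
    // prepare()/bindParam()/execute() throws instead of returning false.
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

function resetPassword(PDO $conn, string $email, string $newPassword): bool
{
    // password_hash() supplies its own random salt.
    $hashed = password_hash($newPassword, PASSWORD_DEFAULT);

    $query = $conn->prepare(
        'UPDATE users SET user_password = :password WHERE user_email = :email'
    );
    // bindParam() binds by reference, so the variables must still exist when
    // execute() runs; the explicit type is the one the answer recommends.
    $query->bindParam(':password', $hashed, PDO::PARAM_STR);
    $query->bindParam(':email', $email, PDO::PARAM_STR);
    $query->execute();

    // execute() succeeding only means the statement ran. rowCount() reports
    // how many rows were updated, which is how a silently non-matching
    // WHERE clause shows up.
    return $query->rowCount() === 1;
}

try {
    $conn = connect();
    if (resetPassword($conn, 'user@example.com', 'new-secret')) {
        echo "Your password has been successfully reset.\n";
    } else {
        echo "No account matched that e-mail address.\n";
    }
} catch (PDOException $e) {
    // Keep the driver message in the server log; show the user a generic failure.
    error_log($e->getMessage());
    echo "Password reset failed.\n";
}
```

With the exception mode on the connection, the HTTP 500 from the question becomes a logged `PDOException` message that names the failing statement, which is the first thing to read when a `bindParam()` call appears to stop the script.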