0

I saving user info with the following code:

$hashed = password_hash($password, PASSWORD_DEFAULT);

Then followed by my insert query which look like this:

INSERT INTO users (username, password) VALUES ('$username', '$hashed');

When I retrieve the password with normal select statement and pass the value of the password to an input type of password, the textbox will have the password in hashed form. Then I make changes just to the username and update with:

UPDATE users SET username = '$username', password = '$hashed' WHERE id = 1;

The already hashed password is re-hashed thereby bringing a change to the original password. This causes users not able to log in. Any help?

donsonde
  • 87
  • 8
  • 2
    Don't populate the password field with the hashed password. Or, don't update the password filed when you only want to update the username. It's really unclear why you can't avoid this situation. – John Conde Oct 03 '18 at 00:21
  • I thought of that but will wait for other opinions. Thank you – donsonde Oct 03 '18 at 00:24
  • 1
    My another opinion: do not update a column if you don't want to update it. – zerkms Oct 03 '18 at 00:25
  • Update only the field that needs updating to avoid making a mistake. – Ibu Oct 03 '18 at 00:26
  • There is no reason you should put in the password in hashed form in the field - edits cannot practically be made to it. Users should not ever be able to edit their passwords - only set new passwords. If the password field is empty - do nothing. If it has something, update the password to match. – scorgn Oct 03 '18 at 00:27
  • It seems you're wanting a size-fits-all method for saving all data, whereas there isn't one here. A hashed password is for security reasons. So unless the user explicitly sets the password field, you can `unset($fields['password']);` then update – iautomation Oct 03 '18 at 00:31
  • Possible duplicate of [How do you use bcrypt for hashing passwords in PHP?](https://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – miken32 Oct 03 '18 at 00:57
  • **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. – tadman Oct 03 '18 at 01:12
  • **WARNING**: Whenever possible use **prepared statements** to avoid injecting arbitrary data in your queries and creating [SQL injection bugs](http://bobby-tables.com/). These are quite straightforward to do in [`mysqli`](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [PDO](http://php.net/manual/en/pdo.prepared-statements.php) where any user-supplied data is specified with a `?` or `:name` indicator that’s later populated using `bind_param` or `execute` depending on which one you’re using. – tadman Oct 03 '18 at 01:12

2 Answers2

0

Don't update the password column then! And your problem is solved. Or if somehow you must update it with the previously hashed password, query the previous hashed password and store it to a variable untouched. Then just query the update.

PlanetCloud
  • 314
  • 2
  • 11
0

Go without printing the hashed password from database in the password input. Just print the username and if you save the new user data, you check if user also setted any password in the input. If yes, then: UPDATE users SET username=...,password=... WHERE .... If no password was set, then do the same query without the password part.

If you are really in true fresh love with your current code, then just check before executing your UPDATE statement if password is the same like the old hashed one. If yes, then go for the UPDATE query without the password part, if no, go for your old query.

saladzic
  • 56
  • 6
  • Thank you all for pointing me in the right direction. I decided to go with public opinion of skipping update of password , left the input blank and disable the control. – donsonde Oct 03 '18 at 00:51
  • Normally you leave the "change password" field blank unless you're changing it, and if it's not blank then you set it accordingly. For security reasons this often requires entering the existing password in a separate field for verifications purposes. – tadman Oct 03 '18 at 01:14