-1

I am building this code to change the password of a simple login system (I know it isn't very secure). Now I am coding the following bit of code, but when I execute it, it puts out an HTTP 500 error, so I checked it for errors but could not find any. I entered it in a PHP validator, also with no result. Do any of you maybe know what I am not seeing right now?

<?php

session_start();
if (isset($_POST['updatepassword'])) {
    $user = $_POST['username'];
    $mysqli = new mysqli('localhost', 'creatalo_mika', 'Temppass100_', 'creatalo_lscdb') or die("verbinding error");
    $sql = $mysqli->query("SELECT * FROM users_table WHERE username='$user'") or die("selection error");
    $row = mysqli_fetch_assoc($sql);
    $dbpass = $row['password'];
    $newpass = $_POST['password'];
    $pass = $_POST['passwordold'];
    $passen = md5(md5('dsgf'.$pass.'sadf'));
    if ($passen == $dbpass) {
        $newpass = md5(md5('dsgf'.$newpass.'sadf'));

        $sql->query("UPDATE users_table SET password='$newpass' WHERE username='$user'") or die($mysqli->error);
        header("location: ../index.php ") or die($mysqli->error);
    } else {
        header("location: ../index.php#notgood ") or die($mysqli->error);
    }
}
Dharman
  • I know it isn't secure, but I am still experimenting with PHP login systems. After I can make the basic stuff, I'll make a more advanced system. – Mika Van de wiel Jul 12 '19 at 17:46
  • You are just creating more trouble for yourself. Prepared statements are not difficult and `password_hash` is easier than MD5. – Dharman Jul 12 '19 at 17:47

1 Answer

0

You have problems with SQL injection, password hashing, and you are completely confused about die($mysqli->error) for which I do not blame you. I fixed your problems to show you what the code should look like more or less, but if you are creating an authentication system you really should read more about security first.

session_start();
if (isset($_POST['updatepassword'])) {
    // Make mysqli throw exceptions instead of failing silently.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $mysqli = new mysqli('localhost', 'creatalo_mika', 'Temppass100_', 'creatalo_lscdb');

    $user = $_POST['username'];

    // Prepared statement: the username is bound, never concatenated into the SQL.
    $stmt = $mysqli->prepare("SELECT * FROM users_table WHERE username=?");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // $row is null when the username does not exist, so check it before verifying.
    if ($row && password_verify($_POST['passwordold'], $row['password'])) {
        $newpass = password_hash($_POST['password'], PASSWORD_DEFAULT);

        $stmt = $mysqli->prepare("UPDATE users_table SET password=? WHERE username=?");
        $stmt->bind_param('ss', $newpass, $user);
        $stmt->execute();
        header("Location: ../index.php");
        exit;
    } else {
        header("Location: ../index.php#notgood");
        exit;
    }
}

Most importantly, enable error reporting: How to get the error message in MySQLi?

Dharman
  • 1
    Thanks, I think it's a better lesson for me to learn making a login system correctly than one with poor security. I'll try looking into making a new one! – Mika Van de wiel Jul 12 '19 at 18:00
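
The answer's password_verify() call only accepts hashes produced by password_hash(), so rows that still hold the question's md5(md5(...)) values need an upgrade path when the user next proves the old password. The following is an added example, not code from the question or the answer; legacy_hash() and verify_and_upgrade() are hypothetical helper names and the sample passwords are constructed.

```php
<?php
declare(strict_types=1);

// Legacy scheme copied from the question: md5(md5('dsgf' . $pass . 'sadf')).
function legacy_hash(string $password): string
{
    return md5(md5('dsgf' . $password . 'sadf'));
}

// Hypothetical helper. Returns [bool $ok, ?string $replacementHash]; a non-null
// replacement should be written back with a prepared UPDATE statement.
function verify_and_upgrade(string $password, ?string $stored): array
{
    if ($stored === null || $stored === '') {
        return [false, null]; // unknown user or empty column
    }
    // Strings that password_hash() did not produce (such as a 32-character
    // MD5 hex digest) are reported with algoName "unknown".
    if (password_get_info($stored)['algoName'] === 'unknown') {
        // hash_equals() compares in constant time and, unlike ==, never
        // treats the two digests as numbers.
        if (!hash_equals($stored, legacy_hash($password))) {
            return [false, null];
        }
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Refresh modern hashes too when PASSWORD_DEFAULT or its cost changes.
    $replacement = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $replacement];
}

// Constructed sample: a row that still holds a legacy hash.
$stored = legacy_hash('old-Example-pass');

// Case 1: correct password against the legacy hash.
[$ok, $upgraded] = verify_and_upgrade('old-Example-pass', $stored);
var_dump($ok, password_verify('old-Example-pass', $upgraded));

// Case 2: same password against the upgraded hash.
var_dump(verify_and_upgrade('old-Example-pass', $upgraded));

// Case 3: wrong password against the legacy hash.
var_dump(verify_and_upgrade('wrong-guess', $stored));
```

The password column must be wide enough for the new hash (the PHP manual suggests 255 characters), since a column sized for a 32-character MD5 digest would truncate it.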