-4
    <?php

    // Helper defined at top level: a function declared inside the if-block
    // only exists once execution reaches that line, so calling it earlier in
    // the same block fails with "undefined function".
    function encryptIt( $q ) {
        $cryptKey = 'mjn2Wb5wM46uBehwuabh';
        // mcrypt_encrypt() and the MCRYPT_* constants come from the mcrypt
        // extension, which was removed from PHP core in 7.2.
        $qEncoded = base64_encode( mcrypt_encrypt( MCRYPT_RIJNDAEL_256, md5( $cryptKey ), $q,
            MCRYPT_MODE_CBC, md5( md5( $cryptKey ) ) ) );
        return( $qEncoded );
    }

    if($_SERVER['REQUEST_METHOD']=='POST'){
        require_once('ConnectUsers.php');

        $email = $_POST['email'];
        $password = $_POST['password'];
        $encrypt_pass = encryptIt($password);

        // $email is interpolated straight into the query string (no escaping
        // or parameter binding).
        $sql="Update Subscriber_Login SET SubsPassword = '$encrypt_pass' where EmailId = '$email'";

        if(mysqli_query($conn,$sql)){
            echo 'password updated';
        }
        else{
            echo 'oops! Please try again!';
        }
    }

    ?>

That is my code, which is used to reset the password on my website. The encryption method I am using does not seem to be working in newer PHP versions like 7.2 (the current PHP version); it was working fine in older versions. So what could I do now? I cannot change the encryption method now, as too many passwords have been encrypted using this, so I would like to know the workaround for this issue.

Funk Forty Niner
vips singh
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Sep 20 '19 at 21:39
  • Never ever encrypt passwords. Especially with your weird function, which for some reason mixes encryption with hash functions. Passwords should never be stored on the server, only their salted hashes. – Dharman Sep 20 '19 at 21:40
  • So you mean I should change the encryption method? – vips singh Sep 20 '19 at 21:42
  • I mean you should NOT encrypt passwords. Create a hash of the password with [`password_hash()`](https://php.net/manual/en/function.password-hash.php) and use that instead. – Dharman Sep 20 '19 at 21:42
  • OK, I will do it and tell you. – vips singh Sep 20 '19 at 21:44
  • *"I can not change the encryption method now as too many passwords have been encrypted using this"* - You absolutely can and you absolutely should. If you want to keep the old passwords, add a column to the table indicating which are the "old" records that use... this thing... and which are the "new" records that use properly hashed passwords with `password_hash()`. You are then encouraged to notify your users that "security has been upgraded" and they should reset their passwords. As part of that reset, update the record's flag to indicate it no longer uses... this thing. – David Sep 20 '19 at 21:55
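The migration path David and Dharman describe in the comments, as an added example that is not code from the question, the answer, or any of the commenters: a flag column marks records still holding the old mcrypt value, those accounts are refused login until they go through a reset, and the reset writes a `password_hash()` bcrypt hash and clears the flag. It uses the page's `Subscriber_Login`, `EmailId` and `SubsPassword` names; the `LegacyPassword` column, the function names and the sample rows are assumptions made here, and the database is an in-memory SQLite so the script runs offline.

```php
<?php
// Added example (not the asker's or the commenters' code). Assumes a table
// Subscriber_Login with the page's EmailId and SubsPassword columns plus a
// hypothetical LegacyPassword flag (1 = value written by the old mcrypt
// routine, 0 = bcrypt hash from password_hash()). In-memory SQLite with
// constructed rows stands in for the real MySQL database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Subscriber_Login (
    EmailId TEXT PRIMARY KEY,
    SubsPassword TEXT NOT NULL,
    LegacyPassword INTEGER NOT NULL DEFAULT 0)');

// Constructed sample data: one record still in the old format (an opaque
// base64 blob; the value is made up here), one already migrated.
$db->prepare('INSERT INTO Subscriber_Login VALUES (?, ?, 1)')
   ->execute(['old@example.com', 'bG9va3MtbGlrZS1sZWdhY3ktY2lwaGVydGV4dA==']);
$db->prepare('INSERT INTO Subscriber_Login VALUES (?, ?, 0)')
   ->execute(['new@example.com', password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 12])]);

// Returns 'ok', 'reset_required' (legacy record) or 'bad_credentials'.
// Prepared statements keep $email out of the SQL string entirely.
function checkLogin(PDO $db, string $email, string $plain): string
{
    // Hash computed once so a lookup miss still costs a bcrypt verify,
    // keeping the response time similar for unknown and known e-mails.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => 12]);
    }

    $stmt = $db->prepare('SELECT SubsPassword, LegacyPassword FROM Subscriber_Login WHERE EmailId = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($plain, $dummyHash);
        return 'bad_credentials';
    }
    if ((int) $row['LegacyPassword'] === 1) {
        // The old mcrypt value cannot be checked on PHP 7.2; the account
        // must go through the reset flow (e.g. an e-mailed reset token).
        return 'reset_required';
    }
    if (!password_verify($plain, $row['SubsPassword'])) {
        return 'bad_credentials';
    }
    // Transparently upgrade the hash if the cost or algorithm has changed
    // since it was stored; the plaintext is available only at login time.
    if (password_needs_rehash($row['SubsPassword'], PASSWORD_BCRYPT, ['cost' => 12])) {
        resetPassword($db, $email, $plain);
    }
    return 'ok';
}

// The reset step: store a fresh bcrypt hash (password_hash() generates its
// own random salt) and clear the legacy flag so the record is treated as
// migrated from now on.
function resetPassword(PDO $db, string $email, string $newPlain): void
{
    $hash = password_hash($newPlain, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $db->prepare('UPDATE Subscriber_Login SET SubsPassword = ?, LegacyPassword = 0 WHERE EmailId = ?');
    $stmt->execute([$hash, $email]);
}

// Walk the legacy record through the migration, then check both accounts.
var_dump(checkLogin($db, 'old@example.com', 'whatever'));
resetPassword($db, 'old@example.com', 'new passphrase');
var_dump(checkLogin($db, 'old@example.com', 'new passphrase'));
var_dump(checkLogin($db, 'old@example.com', 'wrong'));
var_dump(checkLogin($db, 'new@example.com', 'correct horse'));
var_dump(checkLogin($db, 'nobody@example.com', 'anything'));
```

The flag column is what lets the old rows survive the cut-over without ever being decrypted: the application never needs the mcrypt routine again, and once every user has reset, the column (and the old ciphertext) can be dropped.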

1 Answer
    <?php

    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        require_once('ConnectUsers.php');

        $email    = $_POST['email'];
        $newPass  = $_POST['newPass'];
        $password = $_POST['password'];

        // Fetch the stored bcrypt hash for this account with a prepared
        // statement (values are bound, never interpolated into the SQL).
        $stmt = mysqli_prepare($conn, 'SELECT SubsPassword FROM Subscriber_Login WHERE EmailId = ?');
        mysqli_stmt_bind_param($stmt, 's', $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_bind_result($stmt, $storedHash);
        $found = mysqli_stmt_fetch($stmt);
        mysqli_stmt_close($stmt);

        // password_verify() must compare the submitted current password
        // against the hash already in the database; hashing $password again
        // here and verifying against that fresh hash would always succeed.
        if ($found && password_verify($password, $storedHash)) {
            // password_hash() generates its own random salt: the 'salt'
            // option is deprecated since PHP 7.0 and mcrypt_create_iv() is
            // gone in 7.2, so only the cost is passed.
            $encrypt_newpass = password_hash($newPass, PASSWORD_BCRYPT, ['cost' => 12]);

            $stmt = mysqli_prepare($conn, 'UPDATE Subscriber_Login SET SubsPassword = ? WHERE EmailId = ?');
            mysqli_stmt_bind_param($stmt, 'ss', $encrypt_newpass, $email);

            if (mysqli_stmt_execute($stmt)) {
                echo "Password Updated";
            } else {
                echo "Password can not be updated";
            }
            mysqli_stmt_close($stmt);
        } else {
            echo "your current password does not match";
        }

        mysqli_close($conn);
    }
    ?>

I just did this and it solved the issue. I used password_hash() as mentioned by other fellows. Thanks, now I am more secure because of you guys...

vips singh