0

I'm trying to implement that users can change password once they are logged into the dashboard of my system.

When I attempt to change password, nothing happens though there are no errors and I'm not sure what I'm doing wrong. I have implemented password hash to keep users password safe though I'm not sure that may be the issue.

Here is my change password code

<?php
include('../configfiles/config.php');
session_start();

if (isset($_POST['submit']))
{
  $logged_in_user = $_SESSION['loggedin'];

  $currentpassword = $_POST ['currentpassword'];
  $newpassword = $_POST ['newpassword'];
  $newhashpassword = password_hash($newpassword, PASSWORD_DEFAULT);

  if ($newpassword != $currentpassword)
  {
    $sql = ("SELECT * FROM users WHERE email = '$logged_in_user'");
    $db_check = $db->query($sql);

    if (password_verify($currentpassword, $db_check->fetch_assoc()['password']))
    {
      $fetch = $db->query("UPDATE users SET password = '$newhashpassword' WHERE email = '$logged_in_user'");
      $currentpassword = ''; 
      $newpassword = '';
      header('Location: ../dashboard.php');
    }
  }
}
?>
ADyson
  • 57,178
  • 14
  • 51
  • 63
shallew
  • 1
  • 1
  • have you attempted to debug it at all? Have you checked that the variable values in the code are what you expect? Have you worked out where the code starts to deviate from the process you expected (e.g. by doing some simple logging, or using a debugger)? Have you got error logging switched on in PHP? Have you got your database library (e.g. PDO maybe, or mysqli, it would be useful for us to know) set to throw exceptions when SQL errors occur? – ADyson May 18 '20 at 14:31
  • Remove the space between $_POST ['currentpassword'] so it's $_POST['currentpassword'] and the same for 'newpassword'. Still not working? Then put some echo "HERE"; exit(); code after your If statements to see how far its getting before failing. – fraggley May 18 '20 at 14:32
  • BTW you should really make your queries more robust by using prepared statements and parameterised queries. You'll be less vulnerable to both injection attacks and unexpected SQL syntax errors. – ADyson May 18 '20 at 14:33
  • 1
    @fraggley that's not actually an error. Demo: http://sandbox.onlinephpfunctions.com/code/c256495b8caa16ce3cb2a62f8bca13503aa9b53f – ADyson May 18 '20 at 14:34
  • Thanks for the replies. It seems that the errors come somewhere after if(password_verify) etc (found this by echoing after each statement as suggested) – shallew May 18 '20 at 14:36
  • Is password_verify returning true? It wasn't quite clear. If so then most likely cause is a database error, by the looks of it. Like I said, ensure you've got error logging switched on in PHP, and then ensure your database library is set to throw exceptions. See the following setup guides: https://stackify.com/php-error-logs-guide/ (php error logging/reporting) https://stackoverflow.com/a/14578644/5947043 (mysqli exception handling) https://www.php.net/manual/en/pdo.error-handling.php (PDO exception handling). If you aren't using mysqli or PDO you might need to locate different instructions. – ADyson May 18 '20 at 14:40
  • you are using `($newpassword != $currentpassword)` your current password is in hash, but your new password is in text format.. – mufazmi May 18 '20 at 14:50
  • 1
    @MUFAzmi no, those variables are both coming from values entered by the user. You can see that from only 2 lines above there! This particular statement is just checking that the user didn't try to change their password to the same one again. And anyway, OP has already confirmed that the code gets past this point successfully. Look more closely at the code before you comment :-) – ADyson May 18 '20 at 15:00
  • yeah so the password_verify isnt returning true thats the problem.. though i apolgise I'm not sure how to go around fixing that. any help? – shallew May 18 '20 at 15:09
  • Well it's hard to be sure what the cause might be, without any example data (both the entered password, and the user record to compare it to), or knowledge of how the existing password got there in the first place. Presumably, either a) the current password isn't what you think it is, or b) you mis-typed it, or c) the password in the db currently wasn't hashed correctly originally, or d) the SELECT query didn't return the expected result. – ADyson May 18 '20 at 15:28

0 Answers0