1

I'm stuck with resetting password in php. I'm using password_hash for register, password_verify for login, everything seemed to work until I had the idea to implement the reset password thing. My plan was to have of course 3 fields:oldPassword, newPassword,confirmNewPassword.

First I check if the oldPassword is in db, if yes than after checking if the 2 new passwords are correct to update in db the newPassword. The problem is that I can update in my db the new hashed password but when I login again it can't recognize the password and can't log in. And I really can't understand why.

Here's my code:

For register (maybe it's useless but anyway)

if ($_POST['actiune'] == 'register') {
    $firstname = $_POST['firstName'];
    $lastname = $_POST['lastName'];
    $email = $_POST['email'];
    $_SESSION['username'] = $email;
    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $age = $_POST['age'];
    $address = $_POST['address'];

    if(addUser($firstname, $lastname, $email, $hash, $age, $address)) {
        header("Location: index.php?page=profile");
    }
    else
        die("User didnt add in db.");
}

login:

if($_POST['actiune'] == 'login') {
    $email = $_POST['email'];
    $password = $_POST['password'];
    $pass = getPassword($email);

    $verify = password_verify($password, $pass);
    if ($verify) {
        $_SESSION['username'] = $email;
        header("Location: index.php?page=profile");
    } else {
        header("Location: index.php?page=login&msg=PleaseRegister");
        die();
    }
}

resetPassword:

if($_POST['actiune'] == 'resetPassword') {
    $oldPassword = $_POST['oldPassword'];
    $newPassword = $_POST['newPassword'];
    $confirmPassword = $_POST["confirmPassword"];

    $passwordDb = getPassword($_SESSION['username']);
    $verify = password_verify($oldPassword, $passwordDb);
    if($verify) {
        setPassword($newPassword, $_SESSION['username']);
        header("location: index.php?page=profile");
    }
}

function setPassword

function setPassword($password, $email) {
    include("connectionFile.php");

    $hash = password_hash($password, PASSWORD_BCRYPT); 
    try {
        $sql = $conn->prepare("update user set password = '$hash' where email='$email'");
        $sql->execute();
    } catch(Exception $e) {
        echo $e->getMessage();
        return false;
    }
    return true;
}

getPassword function used for login:

function getPassword($email) {
    include("connectionFile.php");

    $sql = $conn->prepare("select * from user where email='$email'");
    $sql->execute();
    $result = $sql;
    foreach($result as $row) {
        $pass= $row['password'];
    }
    return $pass;
}
Manoj Sharma
  • 1,467
  • 2
  • 13
  • 20
chi
  • 357
  • 3
  • 15
  • Don't understand what you're saying. I have fields for every password. And the verify operation between the old and new password is working. – chi Dec 30 '16 at 16:04
  • All I can see is you're using `setPassword($newPassword,` but then using `$password` in 2 instances of your `setPassword()` function. Make sure that there isn't any whitespace being introduced at the end of the new password neither and that all password-related columns are long enough to hold all hashes, being 60+. Other than that, I don't know why your reset/login is failing. Make sure also that the session array is still set and for the same user. This is probably failing silently since it's hashing something, but "what"? See what `var_dump()` reveals also. – Funk Forty Niner Dec 30 '16 at 16:14
  • You should also be using a prepared statement for everything. You're open to an SQL injection here. – Funk Forty Niner Dec 30 '16 at 16:16
  • Where I didn't use a prepared statement? Thanks for your answer, I will check this out – chi Dec 30 '16 at 16:21
  • No. Doing `prepare` doesn't constitute as a "prepared statement", it's valid with `execute()` but those could be narrowed down to simply `query()`. This is the manual for prepared statements in mysqli_ http://php.net/manual/en/mysqli.prepare.php – Funk Forty Niner Dec 30 '16 at 16:22
  • Firstly the problem was the argument for setPassword function. I replaced with $newPassword and it worked, I didn't think this could be the problem, because in other languages I can set the arg name whatever I want and then use another arg name and they replaced eachother you know. Secondly, I still don't get it your answer with prepared statement. I used PDO mostly not mysqli. But why am I open to SQL injection? – chi Dec 30 '16 at 16:29
  • *"Firstly the problem was the argument for setPassword function."* - as I suspected; wrong variable. (I should put in an answer for this to mark it as solved). As for why you're open to an SQL injection, see the following; it speaks for itself http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Funk Forty Niner Dec 30 '16 at 16:31

1 Answers1

0

As I wrote in comments:

setPassword($newPassword, $_SESSION['username']

You're using the wrong variable in:

function setPassword($password, $email)

...

password_hash($password,

The variable should have been $newPassword and not $password.

Your code failed on your silently since password_hash() did do its job, it just didn't hash the said/wanted variable.

This, and along with my other comments about your being open to an SQL injection.

Funk Forty Niner
  • 74,450
  • 15
  • 68
  • 141