
I created a forgot-password link and everything works (the password resets, the token is set back to "", and the password is properly hashed), but when I try to log in with my new password, my script login.inc.php does not recognize the new password. I also get no errors whatsoever. If anyone can teach me what I have done wrong, I would really appreciate it.

reset-password.php:

<?php
    session_start();
    include 'database/login-dbh.php';

    if (isset($_GET["email"]) && isset($_GET["token"])) {

        $email = $_GET['email'];
        $token = $_GET['token'];

        $sql = "SELECT id FROM user WHERE email='$email' AND token='$token'";
        $result = mysqli_query($conn, $sql);
        $num_rows = mysqli_num_rows($result);

        if ($num_rows > 0) {
            $str = "0123456789qwertyuiopasdfghjklzxcvbnm";
            $str = str_shuffle($str);
            $str = substr($str, 0, 35);

            $password = password_hash($str, PASSWORD_DEFAULT);

            $sql = "UPDATE user SET password='$password', token='' WHERE email='$email'";
            mysqli_query($conn, $sql);

            echo "Your new password is: $str";
        }     
    } else {
        header("Location: forgot-password.php?error=token+not+found");
        exit();
    }
?>

<!DOCTYPE html>
<html>
<head>
    <title>Yahbang</title>
    <link rel="stylesheet" type="text/css" href="stylesheet/forgotpassword-style.css">
</head>
<header>

</header>
<body>


</body>
</html>

login.inc.php:

<?php
session_start();
include '../database/login-dbh.php';

$email = $_POST['email'];
$pwd = $_POST['pwd'];


$sql = "SELECT * FROM user WHERE email= ? ";
$stmt = mysqli_prepare($conn, $sql);
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_assoc($result);

if(password_verify($pwd, $row['password'])) {
    $_SESSION['id'] = $row['id'];   
    $userID = $row['id'];

    header("Location: ../index.php?id=$userID");
    exit();
} else {
   header("Location: ../index.php?error=login");
   exit();
} 

?>
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – RiggsFolly Feb 18 '18 at 16:09
  • I didn't ask about security. If you can't answer, then don't. –  Feb 18 '18 at 17:15
  • @user9098801 he didn't answer - he provided a very helpful comment. – JimL Feb 18 '18 at 17:29
  • But this whole process is about security, that's why you make people log in. – RiggsFolly Feb 18 '18 at 17:35
  • It's just a thought, but did you check that your `password` column is large enough to hold the hash? How is your `password` column defined in your schema? – RiggsFolly Feb 18 '18 at 17:37
  • @user9098801 What is the output you get when you add `var_dump($str, $password)` to your reset-password.php file before you send the SQL query? And what is the output you get when you add `var_dump($pwd, $row['password']);` before your `password_verify()` check? Please edit your question to include the output you get from these `var_dump()` calls. – Progman Feb 18 '18 at 19:15

1 Answer

First of all, your reset-password.php file is insecure because you are subject to SQL injection. You should NEVER use a GET / POST variable directly in a SQL statement. Always protect the variable first (there are many posts on this).

This said, I'd need to see your password_verify() function. To debug, here are a few tricks I use:

  • Print your $_POST variables you're receiving: print_r($_POST);
  • Print your SQL statement
  • Print the result of your $row variable: print_r($row);

Somewhere in there, you're missing something, but with these simple tricks, you'll find it out.

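The two points raised above, the unparameterized queries in reset-password.php and the possibility that the `password` column is too short for the hash, can be checked together. The script below is an added example, not the asker's code or the answerer's: it rewrites the reset step with bound parameters and a CSPRNG-generated temporary password, and it reproduces the column-width failure mode offline, without a database, by truncating a fresh hash to a hypothetical column width and running `password_verify()` against it. It assumes `$conn` is the mysqli connection created by `login-dbh.php` and a `user` table with columns `id`, `email`, `token` and `password`, as in the question; the function names are mine.

```php
<?php
// Added example, not the code from the question or the answer.
// Assumes $conn is the mysqli connection from login-dbh.php and a `user`
// table with columns id, email, token, password (as in the question).
declare(strict_types=1);

// Temporary password from a CSPRNG. str_shuffle() in the question is not
// cryptographically secure (per the PHP manual) and can only ever produce a
// permutation of a fixed alphabet.
function generateTemporaryPassword(int $length = 20): string
{
    $alphabet = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Look up the account by email + token with bound parameters (no string
// interpolation into SQL, unlike the SELECT/UPDATE in the question), store a
// fresh hash, clear the token, and return the plaintext to show once.
// Returns null when nothing matched.
function resetPassword(mysqli $conn, string $email, string $token): ?string
{
    // The question's code sets token='' after use, so an empty token must
    // never be accepted: it would otherwise match an already-consumed reset.
    if ($token === '') {
        return null;
    }

    $stmt = $conn->prepare('SELECT id FROM user WHERE email = ? AND token = ?');
    $stmt->bind_param('ss', $email, $token);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return null; // unknown email or wrong token
    }

    $plain = generateTemporaryPassword();
    $hash  = password_hash($plain, PASSWORD_DEFAULT);
    $id    = (int) $row['id'];

    // Clear the token in the same statement so the link cannot be replayed.
    $stmt = $conn->prepare("UPDATE user SET password = ?, token = '' WHERE id = ?");
    $stmt->bind_param('si', $hash, $id);
    $stmt->execute();
    $stmt->close();

    return $plain;
}

// Offline reproduction of the column-width problem. PASSWORD_DEFAULT currently
// yields a 60-byte bcrypt string, and the PHP manual recommends a 255-wide
// column to leave room for future algorithms. With a shorter column and MySQL
// not in strict mode, the UPDATE silently truncates the hash and
// password_verify() can never succeed afterwards.
function verifyAgainstColumn(string $plain, string $hash, int $columnWidth): bool
{
    $stored = substr($hash, 0, $columnWidth); // what a short column would keep
    return password_verify($plain, $stored);
}

$plain = generateTemporaryPassword();
$hash  = password_hash($plain, PASSWORD_DEFAULT);
printf("hash length: %d bytes\n", strlen($hash));
printf("VARCHAR(255) column: %s\n", verifyAgainstColumn($plain, $hash, 255) ? 'verifies' : 'fails');
printf("VARCHAR(32) column:  %s\n", verifyAgainstColumn($plain, $hash, 32) ? 'verifies' : 'fails');
```

Run the file on its own with `php` to see the truncation effect; in the page itself the call would be `resetPassword($conn, (string) $_GET['email'], (string) $_GET['token'])` in place of the interpolated queries. Before changing any code, `SHOW COLUMNS FROM user LIKE 'password'` in MySQL tells you the actual column width, and comparing it with `strlen($password)` from the `var_dump()` suggested in the comments settles whether truncation is the cause.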