password checking problems

Smudly
Forum Commoner
Posts: 71
Joined: Wed Jun 09, 2010 10:09 pm

password checking problems

Post by Smudly »

I'm creating a profile page that allows users to change their first name, last name, email or password.

Everything is working fine, except the password part.

On one of the else statements, it says "Old passwords do not match".

That is the message I get when I try changing the password. It could be an MD5 error.

MySQL version: 5.0.19
I'm not getting any MySQL errors.

Here's the code:


<?php

session_start();
include('inc/connect.php');

$username = $_SESSION['username'];

if ($username)
{
	//if user is logged in

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."'");
$row = mysql_fetch_assoc($sql);

$fname = $row['fname'];
$lname = $row['lname'];
$email = $row['email'];
$edit = ($_POST['edit']);

// Edit variables
$fnamenew = ucfirst(strip_tags($_POST['fname']));
$lnamenew = ucfirst(strip_tags($_POST['lname']));
$emailnew = strip_tags($_POST['email']);
$password = strip_tags(md5($_POST['password']));
$passwordnew = strip_tags(md5($_POST['passwordnew']));
$passwordconf = strip_tags(md5($_POST['passwordconf']));


if($edit){

// check password against database

$oldpassworddb = $row['password'];

// check passwords
if($password==$oldpassworddb)
{
	//check two new passwords
	if($passwordnew==$passwordconf)
	{
		// success
		// change password in database
		$edit = "UPDATE users SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew', `password`='$passwordnew' WHERE username='$username'";
		mysql_query($edit);

		$fname = ucfirst(strip_tags($_POST['fname']));
		$lname = ucfirst(strip_tags($_POST['lname']));
		$email = strip_tags($_POST['email']);
		
		$submitted = "Changes Submitted";
		
	
	}
	else
		die("New Passwords Don't Match!");

}
else
	die("Old Password doesn't match!");

}
}
else
{
	header("Location: index.php");
	exit; // stop here so the profile form below is not sent to a logged-out visitor
}

?>

<html>
<head>
<title>Profile</title>
</head>
<body>

<form action="profile.php" method="POST">
	Username: <input type="text" value="<?php echo $username; ?>" readonly="readonly"><br />
	First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $fname; ?>"><br />
	Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $lname; ?>"><br />
	Email: <input type="text" maxlength="64" name="email" value="<?php echo $email; ?>"><br />
	Password: <input type="password" maxlength="32" name="password"><br />
	New Password: <input type="password" maxlength="32" name="passwordnew"><br />
	Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />
	
	<input type="submit" name="edit" value="Submit Changes">
	<?php echo $submitted; ?>
</form>
</body>
</html>

JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: password checking problems

Post by JakeJ »

Look at your existing password creation code. Did you use a salt along with MD5 to create it? If so, you're going to have to duplicate that function in order to change passwords.

If you still can't figure it out, post the code that is used to create the password when the user account is created. They have to have identical parameters.
Smudly
Forum Commoner
Posts: 71
Joined: Wed Jun 09, 2010 10:09 pm

Re: password checking problems

Post by Smudly »

Nope, I didn't use salt, just MD5.

I'm lost.

Here's the code for register.php
Thanks again.


<?php

echo "<h1>Register</h1>";

$submit = $_POST['submit'];

$username = strtolower(strip_tags($_POST['username']));
$password = strip_tags($_POST['password']);
$confpassword = strip_tags($_POST['confpassword']);
$email = strip_tags($_POST['email']);
$fname = strtolower(strip_tags($_POST['fname']));
//$ref = strip_tags($_POST['ref']);
$joindate = date("Y-m-d");
//I should only give the 50 credits once the user has surfed OR activated email?
$credits = 50.000;
$ip = $_SERVER['REMOTE_ADDR'];
$level = 1;



if ($submit)
{
  include('inc/connect.php');

  $namecheck = mysql_query("SELECT username FROM users WHERE username='$username'");
  $usernamecount = mysql_num_rows($namecheck);
  $emailcheck = mysql_query("SELECT email FROM users WHERE email='$email'");
  $emailcount = mysql_num_rows($emailcheck);

  if ($usernamecount!=0)
  {
   die("Username already taken!");
  }
  if ($emailcount!=0)
  {
   die("E-mail already being used");
   }
  
function validEmail($email)
{
   $isValid = true;
   $atIndex = strrpos($email, "@");
   if (is_bool($atIndex) && !$atIndex)
   {
      $isValid = false;
   }
   else
   {
      $domain = substr($email, $atIndex+1);
      $local = substr($email, 0, $atIndex);
      $localLen = strlen($local);
      $domainLen = strlen($domain);
      if ($localLen < 1 || $localLen > 64)
      {
         // local part length exceeded
         $isValid = false;
      }
      else if ($domainLen < 1 || $domainLen > 255)
      {
         // domain part length exceeded
         $isValid = false;
      }
      else if ($local[0] == '.' || $local[$localLen-1] == '.')
      {
         // local part starts or ends with '.'
         $isValid = false;
      }
      else if (preg_match('/\\.\\./', $local))
      {
         // local part has two consecutive dots
         $isValid = false;
      }
      else if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain))
      {
         // character not valid in domain part
         $isValid = false;
      }
      else if (preg_match('/\\.\\./', $domain))
      {
         // domain part has two consecutive dots
         $isValid = false;
      }
      else if
(!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
                 str_replace("\\\\","",$local)))
      {
         // character not valid in local part unless 
         // local part is quoted
         if (!preg_match('/^"(\\\\"|[^"])+"$/',
             str_replace("\\\\","",$local)))
         {
            $isValid = false;
         }
      }
      if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A")))
      {
         // domain not found in DNS
         $isValid = false;
      }
   }
   return $isValid;
}

 // Check for filled out form
 if ($username&&$password&&$confpassword&&$email&&$fname)
 {
  
  //Encrypt password

  if ($password==$confpassword)
  {
    if (strlen($username)>25)
    {
     echo "Max limit for Username is 25 characters";
    }         
    if (strlen($password)>32||strlen($password)<6)
    {
     echo "Password must be between 6 and 32 characters";
    }
    else
    {
      //Register the user
      $password = md5($password);
      $confpassword = md5($confpassword);
      echo "Success!";
      

	$usersquery = "INSERT INTO users VALUES ('','$username','$email','$fname','','','','$joindate','$password','$ip')";
	$userstatsquery = "INSERT INTO userstats VALUES ('','$username','$level','','$credits','','','','')";

	mysql_query($usersquery);
	mysql_query($userstatsquery);
	

	//header("Location: index.php");
      die("You have been registered! Return to <a href='index.php'>Login</a> page.");

    }
    if (strlen($email)>64)
    {
     echo "Max limit for E-mail is 64 characters";
    }
  
    if (strlen($fname)>25)
    {
     echo "Max limit for First Name is 25 characters";
    }
    /*if (strlen($lname)>25)
    {
     echo "Max limit for Last Name is 25 characters";
    }*/
  }
  else
  echo "Your passwords do not match!";
  }
else
    echo "Please fill in <strong>all</strong> fields!";




}



?>

<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css" />
<script type="text/javascript" language="javascript">
function inputLimiter(e,allow) {
var AllowableCharacters = '';

if (allow == 'FirstNameChar'){AllowableCharacters='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';}
if (allow == 'UsernameChar'){AllowableCharacters='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890';}

var k;

k=document.all?parseInt(e.keyCode): parseInt(e.which);

if (k!=13 && k!=8 && k!=0){

if ((e.ctrlKey==false) && (e.altKey==false)) {

return (AllowableCharacters.indexOf(String.fromCharCode(k))!=-1);

} else {

return true;

}

} else {

return true;

}

}

</script>
</head>
<body>

<form action="register.php" method="POST">
      <div id="register">
           Username: <input type="text" id="UsernameChar" onkeypress="return inputLimiter(event,'UsernameChar')" name="username" maxlength="25" value="<?php echo $username ?>"><br />
           Password: <input type="password" maxlength="32" name="password" ><br />
           Confirm Password: <input type="password" maxlength="32" name="confpassword"><br />
           First Name: <input type="text" id="FirstNameChar" onkeypress="return inputLimiter(event,'FirstNameChar')" name="fname" maxlength="25" value="<?php echo $fname ?>"><br />
		   E-mail: <input type="text" name="email" maxlength="64" value="<?php echo $email ?>"><br />
		   
           <input type="submit" name="submit" value="Register">
      </div>
</form>

</body>
</html>
Phoenixheart
Forum Contributor
Posts: 123
Joined: Tue Nov 16, 2004 7:46 am
Contact:

Re: password checking problems

Post by Phoenixheart »

Try var_dump() $oldpassworddb and $row['password'] and see.
Btw, you don't need to strip_tags() an MD5 string.
flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Re: password checking problems

Post by flying_circus »

In your register code, you strip tags and then MD5. In your change profile code, you MD5 then strip tags. Why?

Print out the value of $oldpassworddb and $password to make sure they are populated.
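
The ordering difference flying_circus points out, as an added example that is not code from the thread: register.php stores md5(strip_tags($pw)) while profile.php compares strip_tags(md5($pw)), and the two agree only when the password contains no tag-like text. The sample passwords are constructed, the function names are hypothetical, and the second half shows the same check done with PHP's password_hash() and password_verify() on the unmodified input.

```php
<?php
// Added example; sample passwords are constructed for illustration.

// What register.php stores: tags are stripped first, then the result is hashed.
function register_hash(string $pw): string {
    return md5(strip_tags($pw));
}

// What profile.php compares: hashed first; strip_tags() on a hex digest changes nothing.
function profile_hash(string $pw): string {
    return strip_tags(md5($pw));
}

// True when both code paths produce the same digest for this password.
function paths_agree(string $pw): bool {
    return hash_equals(register_hash($pw), profile_hash($pw));
}

// Corrected form: hash the raw password with a salted, slow algorithm and
// never pass it through strip_tags() before hashing or verifying.
function make_hash(string $pw): string {
    return password_hash($pw, PASSWORD_DEFAULT);
}

function check_password(string $pw, string $storedHash): bool {
    return password_verify($pw, $storedHash);
}

foreach (['hunter42', 'p<b>ss</b>word'] as $pw) {
    printf("%-16s md5 paths agree: %s\n", $pw, paths_agree($pw) ? 'yes' : 'no');
}

$stored = make_hash('p<b>ss</b>word');
var_dump(check_password('p<b>ss</b>word', $stored)); // the raw input verifies
var_dump(check_password('pssword', $stored));        // the tag-stripped variant does not
```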
Smudly
Forum Commoner
Posts: 71
Joined: Wed Jun 09, 2010 10:09 pm

Re: password checking problems

Post by Smudly »

Alright, when I try echoing $oldpassworddb, it returns blank.
Echoing out $password shows the MD5 of the password.
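
A blank $oldpassworddb means $row['password'] was never populated, either because the query matched no row or because the result has no column with that name; the thread does not say which. The following added example (not code from the thread) makes both cases fail loudly and uses a prepared statement instead of string concatenation. The in-memory SQLite table, its `passhash` column name, the sample user and the helper names are constructed for the demonstration, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example; the table layout below is constructed, not the poster's schema.

// Fetch one column for a user, distinguishing "no such row" from
// "row exists but the column name is wrong" instead of returning blank.
function fetch_user_field(PDO $db, string $username, string $column): string {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // bound parameter, no concatenation
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        throw new RuntimeException("no row for username '$username'");
    }
    if (!array_key_exists($column, $row)) {
        throw new RuntimeException(
            "column '$column' not in result; available: " . implode(', ', array_keys($row))
        );
    }
    return (string) $row[$column];
}

// Run the lookup and report the outcome as a string.
function diagnose(PDO $db, string $username, string $column): string {
    try {
        return 'ok: ' . strlen(fetch_user_field($db, $username, $column)) . ' chars';
    } catch (RuntimeException $e) {
        return 'error: ' . $e->getMessage();
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, passhash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('constructed-pw', PASSWORD_DEFAULT)]);

echo diagnose($db, 'alice', 'passhash'), "\n";   // column present
echo diagnose($db, 'alice', 'password'), "\n";   // wrong column name
echo diagnose($db, 'nobody', 'passhash'), "\n";  // no matching row
```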