password checking problems

Posted: Thu Jun 17, 2010 5:26 pm
by Smudly
I'm creating a profile page that allows users to change their first name, last name, email or password.

Everything is working fine, except the password part.

On one of the else statements, it says "Old passwords do not match".

That is the message I get when I try changing the password. It could be an MD5 error.

MySQL version: 5.0.19
I'm not getting any MySQL errors.

Here's the code:

<?php

session_start();
include('inc/connect.php');

$username = $_SESSION['username'];

if ($username)
{
	//if user is logged in

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."'");
$row = mysql_fetch_assoc($sql);

$fname = $row['fname'];
$lname = $row['lname'];
$email = $row['email'];
$edit = ($_POST['edit']);

// Edit variables
$fnamenew = ucfirst(strip_tags($_POST['fname']));
$lnamenew = ucfirst(strip_tags($_POST['lname']));
$emailnew = strip_tags($_POST['email']);
$password = strip_tags(md5($_POST['password']));
$passwordnew = strip_tags(md5($_POST['passwordnew']));
$passwordconf = strip_tags(md5($_POST['passwordconf']));


if($edit){

// check password against database

$oldpassworddb = $row['password'];

// check passwords
if($password==$oldpassworddb)
{
	//check two new passwords
	if($passwordnew==$passwordconf)
	{
		// success
		// change password in database
		$edit = "UPDATE users SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew', `password`='$passwordnew' WHERE username='$username'";
		mysql_query($edit);

		$fname = ucfirst(strip_tags($_POST['fname']));
		$lname = ucfirst(strip_tags($_POST['lname']));
		$email = strip_tags($_POST['email']);
		
		$submitted = "Changes Submitted";
		
	
	}
	else
		die("New Passwords Don't Match!");

}
else
	die("Old Password doesn't match!");

}
}
else
	header("Location: index.php");

?>

<html>
<head>
<title>Profile</title>
</head>
<body>

<form action="profile.php" method="POST">
	Username: <input type="text" value="<?php echo $username; ?>" readonly="readonly"><br />
	First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $fname; ?>"><br />
	Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $lname; ?>"><br />
	Email: <input type="text" maxlength="64" name="email" value="<?php echo $email; ?>"><br />
	Password: <input type="password" maxlength="32" name="password"><br />
	New Password: <input type="password" maxlength="32" name="passwordnew"><br />
	Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />
	
	<input type="submit" name="edit" value="Submit Changes">
	<?php echo $submitted; ?>
</form>
</body>
</html>

Re: password checking problems

Posted: Thu Jun 17, 2010 8:42 pm
by JakeJ
Look at your existing password creation code. Did you use a salt along with MD5 to create it? If so, you're going to have to duplicate that function in order to change passwords.

If you still can't figure it out, post the code that is used to create the password when the user account is created. They have to have identical parameters.

Re: password checking problems

Posted: Thu Jun 17, 2010 8:48 pm
by Smudly
Nope, I didn't use salt, just MD5.

I'm lost.

Here's the code for register.php
Thanks again.

<?php

echo "<h1>Register</h1>";

$submit = $_POST['submit'];

$username = strtolower(strip_tags($_POST['username']));
$password = strip_tags($_POST['password']);
$confpassword = strip_tags($_POST['confpassword']);
$email = strip_tags($_POST['email']);
$fname = strtolower(strip_tags($_POST['fname']));
//$ref = strip_tags($_POST['ref']);
$joindate = date("Y-m-d");
//I should only give the 50 credits once the user has surfed OR activated email?
$credits = 50.000;
$ip = $_SERVER['REMOTE_ADDR'];
$level = 1;



if ($submit)
{
  include('inc/connect.php');

  $namecheck = mysql_query("SELECT username FROM users WHERE username='$username'");
  $usernamecount = mysql_num_rows($namecheck);
  $emailcheck = mysql_query("SELECT email FROM users WHERE email='$email'");
  $emailcount = mysql_num_rows($emailcheck);

  if ($usernamecount!=0)
  {
   die("Username already taken!");
  }
  if ($emailcount!=0)
  {
   die("E-mail already being used");
   }
  
function validEmail($email)
{
   $isValid = true;
   $atIndex = strrpos($email, "@");
   if (is_bool($atIndex) && !$atIndex)
   {
      $isValid = false;
   }
   else
   {
      $domain = substr($email, $atIndex+1);
      $local = substr($email, 0, $atIndex);
      $localLen = strlen($local);
      $domainLen = strlen($domain);
      if ($localLen < 1 || $localLen > 64)
      {
         // local part length exceeded
         $isValid = false;
      }
      else if ($domainLen < 1 || $domainLen > 255)
      {
         // domain part length exceeded
         $isValid = false;
      }
      else if ($local[0] == '.' || $local[$localLen-1] == '.')
      {
         // local part starts or ends with '.'
         $isValid = false;
      }
      else if (preg_match('/\\.\\./', $local))
      {
         // local part has two consecutive dots
         $isValid = false;
      }
      else if (!preg_match('/^[A-Za-z0-9\\-\\.]+$/', $domain))
      {
         // character not valid in domain part
         $isValid = false;
      }
      else if (preg_match('/\\.\\./', $domain))
      {
         // domain part has two consecutive dots
         $isValid = false;
      }
      else if
(!preg_match('/^(\\\\.|[A-Za-z0-9!#%&`_=\\/$\'*+?^{}|~.-])+$/',
                 str_replace("\\\\","",$local)))
      {
         // character not valid in local part unless 
         // local part is quoted
         if (!preg_match('/^"(\\\\"|[^"])+"$/',
             str_replace("\\\\","",$local)))
         {
            $isValid = false;
         }
      }
      if ($isValid && !(checkdnsrr($domain,"MX") || checkdnsrr($domain,"A")))
      {
         // domain not found in DNS
         $isValid = false;
      }
   }
   return $isValid;
}

 // Check for filled out form
 if ($username&&$password&&$confpassword&&$email&&$fname)
 {
  
  //Encrypt password

  if ($password==$confpassword)
  {
    if (strlen($username)>25)
    {
     echo "Max limit for Username is 25 characters";
    }         
    if (strlen($password)>32||strlen($password)<6)
    {
     echo "Password must be between 6 and 32 characters";
    }
    else
    {
      //Register the user
      $password = md5($password);
      $confpassword = md5($confpassword);
      echo "Success!";
      

	$usersquery = "INSERT INTO users VALUES ('','$username','$email','$fname','','','','$joindate','$password','$ip')";
	$userstatsquery = "INSERT INTO userstats VALUES ('','$username','$level','','$credits','','','','')";

	mysql_query($usersquery);
	mysql_query($userstatsquery);
	

	//header("Location: index.php");
      die("You have been registered! Return to <a href='index.php'>Login</a> page.");

    }
    if (strlen($email)>64)
    {
     echo "Max limit for E-mail is 64 characters";
    }
  
    if (strlen($fname)>25)
    {
     echo "Max limit for First Name is 25 characters";
    }
    /*if (strlen($lname)>25)
    {
     echo "Max limit for Last Name is 25 characters";
    }*/
  }
  else
  echo "Your passwords do not match!";
  }
else
    echo "Please fill in <strong>all</strong> fields!";




}



?>

<html>
<head>
<link rel="stylesheet" type="text/css" href="style.css" />
<script type="text/javascript" language="javascript">
function inputLimiter(e,allow) {
var AllowableCharacters = '';

if (allow == 'FirstNameChar'){AllowableCharacters='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';}
if (allow == 'UsernameChar'){AllowableCharacters='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890';}

var k;

k=document.all?parseInt(e.keyCode): parseInt(e.which);

if (k!=13 && k!=8 && k!=0){

if ((e.ctrlKey==false) && (e.altKey==false)) {

return (AllowableCharacters.indexOf(String.fromCharCode(k))!=-1);

} else {

return true;

}

} else {

return true;

}

}

</script>
</head>
<body>

<form action="register.php" method="POST">
      <div id="register">
           Username: <input type="text" id="UsernameChar" onkeypress="return inputLimiter(event,'UsernameChar')" name="username" maxlength="25" value="<?php echo $username ?>"><br />
           Password: <input type="password" maxlength="32" name="password" ><br />
           Confirm Password: <input type="password" maxlength="32" name="confpassword"><br />
           First Name: <input type="text" id="FirstNameChar" onkeypress="return inputLimiter(event,'FirstNameChar')" name="fname" maxlength="25" value="<?php echo $fname ?>"><br />
		   E-mail: <input type="text" name="email" maxlength="64" value="<?php echo $email ?>"><br />
		   
           <input type="submit" name="submit" value="Register">
      </div>
</form>

</body>
</html>

Re: password checking problems

Posted: Thu Jun 17, 2010 10:50 pm
by Phoenixheart
Try var_dump() $oldpassworddb and $row['password'] and see.
Btw, you don't need to strip_tags() an MD5 string.

Re: password checking problems

Posted: Fri Jun 18, 2010 11:57 am
by flying_circus
In your register code, you strip tags and then MD5. In your change profile code, you MD5 then strip tags. Why?

Print out the value of $oldpassworddb and $password, to make sure they are populated.
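
The ordering difference pointed out above, as an added example that is not part of the original thread: it compares the two hashing orders on constructed sample passwords, then shows one shared pair of helpers built on PHP's password_hash() and password_verify() so registration and password change cannot drift apart. The function names are hypothetical and the code assumes PHP 7 or later.

```php
<?php
// Added illustration; the function names below are hypothetical and do not
// come from the thread's profile.php or register.php.

// Order used in register.php: strip_tags() first, then md5().
function hash_like_register(string $input): string
{
    return md5(strip_tags($input));
}

// Order used in profile.php: md5() first, then strip_tags().
// strip_tags() has nothing to remove from a hex digest.
function hash_like_profile(string $input): string
{
    return strip_tags(md5($input));
}

// One shared pair of helpers for every code path that touches passwords.
// password_hash() generates a per-password salt and embeds it in its output,
// so no separate salt column or hand-rolled salting function is needed.
function make_password_hash(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

function check_password(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

// Constructed sample passwords: one plain, one containing tag-like text.
$samples = ['correct horse', 'p<b>ss</b>word'];

foreach ($samples as $pw) {
    $same = hash_like_register($pw) === hash_like_profile($pw);
    printf("%-16s register vs profile: %s\n", $pw, $same ? 'match' : 'DIFFER');
}

// The raw password is hashed untouched on both sides; no strip_tags() at all.
$stored = make_password_hash('p<b>ss</b>word');
var_dump(check_password('p<b>ss</b>word', $stored)); // same input as stored
var_dump(check_password('password', $stored));       // tag-stripped variant

// The stored string is longer than a 32-character MD5 hex digest, so the
// password column must be wide enough to hold it without truncation.
var_dump(strlen($stored) > 32);
```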

Re: password checking problems

Posted: Fri Jun 18, 2010 5:43 pm
by Smudly
Alright, when I try echoing $oldpassworddb, it returns blank.
Echoing out $password shows the md5 of the password.