I am trying to hash the password from the password reset scripts but it does not hash, so if you can tell me where I am supposed to put it on the script. Thank you very much.
PHP
<?php
session_start();

$servername = "localhost";
$username = "root";
$password = "";
$dbname = "vuyanii";

$conn = null;
try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    // set the PDO error mode to exception
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    echo $e->getMessage();
}

if (isset($_POST['submit'])) {
    $username  = strip_tags($_POST['username']);
    $npassword = ($_POST['password']);
    $cpassword = ($_POST['cpassword']);
    //echo $username;exit();
    $message = "";

    try {
        $query = "SELECT * FROM users WHERE username= '".$username."'";
        $stmt = $conn->prepare($query);
        $stmt->execute();
        if ($stmt->rowCount() < 1) {
            $message = '<p style="color:red;">Incorrect username entered</p>';
        } else if ($npassword != $cpassword) {
            $message = '<p style="color:red;">New password does not match confirm password</p>';
        } else {
            $password = password_hash($npassword, PASSWORD_DEFAULT);
            $query = "UPDATE users SET
                password        =  '$npassword'
                WHERE username  =  '$username'";
            $stmt2 = $conn->prepare($query);

            if ($stmt2->execute()) {
                $message = '<p style="color:red;">Password Changed Successfully</p>';
                header('location:index.php');
            } else {
                $message = '<p style="color:red;">Password Not Changed</p>';
            }
        }
    } catch (PDOException $e) {
        echo $e->getMessage();
    }
}

?>


What I have tried:

tutorials and edited my script a couple of times
Updated 4-Feb-20 21:26pm
Comments
Richard Deeming 4-Feb-20 8:05am    
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.

PHP: SQL Injection - Manual
gavin_daCEO 4-Feb-20 8:31am    
I will check it, thank you very much.
phil.o 4-Feb-20 14:33pm    
As a side note, telling the world whether this is the account name or the password which is incorrect is a security flaw, imho. You should issue a generic 'Invalid credentials' message for both cases.
gavin_daCEO 5-Feb-20 6:38am    
Thank you. I will do that.

1 solution

Quote:
PHP
$password = password_hash($npassword, PASSWORD_DEFAULT);
$query = "UPDATE users SET
password = '$npassword'
WHERE username = '$username'";
$stmt2 = $conn->prepare($query);
You store the hashed password in $password (the hashed password), but you set the password in the database to $npassword (the plain-text password).

But you really need to sort out the SQL Injection vulnerabilities in your code. Until you do, you might as well not have any authentication on your site.
 
Comments
gavin_daCEO 4-Feb-20 8:16am    
I did try it but it does not hash the password.
Richard Deeming 4-Feb-20 8:20am    
Because you're inserting the plain-text password ($npassword), not the hashed password ($password).

Your code hashes the password, and then throws away the hashed password and uses the plain-text password instead.
gavin_daCEO 4-Feb-20 8:42am    
Thank you for showing me my mistake.
jimmson 4-Feb-20 8:46am    
5!
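
Added example (not part of the original answer or the asker's script): the fix described in the solution, storing the hash instead of the plain-text password, combined with the parameterized query recommended in the comments. Table and column names follow the question; the `resetPassword` function, the in-memory SQLite database and the sample rows are assumptions constructed so the block runs on its own.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original script): hashes the new password
// and stores the HASH through a parameterized UPDATE.
function resetPassword(PDO $conn, string $username, string $npassword, string $cpassword): bool
{
    if ($npassword === '' || $npassword !== $cpassword) {
        return false;
    }

    $hash = password_hash($npassword, PASSWORD_DEFAULT);

    // Placeholders keep user input out of the SQL text; bind $hash, not $npassword.
    $stmt = $conn->prepare('UPDATE users SET password = :hash WHERE username = :username');
    $stmt->execute([':hash' => $hash, ':username' => $username]);

    // No row updated means the username does not exist.
    return $stmt->rowCount() === 1;
}

// Constructed demo data; assumes the pdo_sqlite extension so the example runs offline.
$conn = new PDO('sqlite::memory:');
$conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$conn->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$insert = $conn->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
$insert->execute([':u' => "o'neil", ':p' => password_hash('old-secret', PASSWORD_DEFAULT)]);

// A username containing a quote is handled as plain data by the bound parameter.
$changed = resetPassword($conn, "o'neil", 'N3w-passphrase', 'N3w-passphrase');

$select = $conn->prepare('SELECT password FROM users WHERE username = :u');
$select->execute([':u' => "o'neil"]);
$stored = (string) $select->fetchColumn();

var_dump($changed);                                   // was a row updated?
var_dump($stored === 'N3w-passphrase');               // is plain text stored?
var_dump(password_verify('N3w-passphrase', $stored)); // does the stored hash verify?
var_dump(resetPassword($conn, 'nobody', 'a', 'a'));   // unknown username
var_dump(resetPassword($conn, "o'neil", 'a', 'b'));   // mismatched confirmation
```

The `password` column must be wide enough for the full hash: the PHP manual recommends 255 characters so that a future `PASSWORD_DEFAULT` algorithm still fits. A truncated hash will never pass `password_verify()`.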

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


