Click here to Skip to main content
14,029,167 members
Rate this:
Please Sign up or sign in to vote.
See more:
I am creating PHP stmt hash password updating script this script not updating password. every time display Your old password is incorrect message I want check fetch old password from database and new password should be updated I have lot of tried to do that's but not working

What I have tried:

Here is my code

$old_password = $_POST['old_password'];
$new_password = $_POST['new_password'];
$con_password = $_POST['con_password'];
$stmt = $con->prepare('SELECT * FROM users WHERE user_id= ?');
$stmt->bind_param('s', $_POST['user_id']);
if ($stmt->num_rows >0){
$hash = password_hash($_POST['old_password'], PASSWORD_DEFAULT);
 if(password_verify($_POST['old_password'],  $hash)){
 if ($new_password == $con_password) {
        $stmt = $con->prepare("UPDATE users SET password = ? WHERE user_id = ?");

         echo "Updated Sucessfully";
    } else {
        echo "Your new Password is not match ";
  }else {
    echo "Your old password is incorrect";

This is my HTML form

<form name="form1" method="post" action="">
<input name="old_password" type="password" id="old_password" value="" placeholder="Current Password" required>
<input name="new_password" type="password" id="new_password" value="" placeholder="New Password" required>
<input name="con_password" type="password" id="con_password" value="" placeholder="confirm new password" required>
 <input type="submit" name="changePass" value="change password" class="submit2" />
Updated 12-Feb-19 11:28am
Richard MacCutchan 12-Feb-19 15:16pm
I do not think that $con->prepare updates the database; it requires an execute command. You are also missing the values required for the update to actually do anything. And, like so many other people, you post a "success" message, without checking that your update actually succeeded.
Richard Deeming 14-Feb-19 10:55am
$hash = password_hash($_POST['old_password'], PASSWORD_DEFAULT);
if(password_verify($_POST['old_password'],  $hash)){

password_verify[^] takes the entered password and the stored hash of the current password.

You are passing in the entered password and the calculated hash of the entered password.

You are asking whether the "old password" which the user entered matches itself. You are NOT checking whether it matches the user's current password.

1 solution

Rate this: bad
Please Sign up or sign in to vote.

Solution 1

I am creating PHP stmt hash password updating script this script not updating password.

When are you executing this SQL command ?
$stmt = $con->prepare("UPDATE users SET password = ? WHERE user_id = ?");

When are you setting the parameters ?

Example from your code
// prepare SQL command
$stmt = $con->prepare('SELECT * FROM users WHERE user_id= ?');
// set parameters
$stmt->bind_param('s', $_POST['user_id']);
// execute command
Member 14148208 13-Feb-19 12:28pm
I have tried to do but same results display any one can edit this code.please
Member 14148208 14-Feb-19 14:28pm
I changed it but not working old password incorrect message display anyone can help me I have very tried to do can you edit this code please
Patrice T 14-Feb-19 16:58pm
Update the question with your new code.
Use Improve question to update your question.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month

Advertise | Privacy | Cookies | Terms of Service
Web05 | 2.8.190419.4 | Last Updated 12 Feb 2019
Copyright © CodeProject, 1999-2019
All Rights Reserved.
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100