TechQA.

Reset password don't work when login php

1k views Asked by At

I'm stuck with resetting password in php. I'm using password_hash for register, password_verify for login, everything seemed to work until I had the idea to implement the reset password thing. My plan was to have of course 3 fields:oldPassword, newPassword,confirmNewPassword.

First I check if the oldPassword is in db, if yes than after checking if the 2 new passwords are correct to update in db the newPassword. The problem is that I can update in my db the new hashed password but when I login again it can't recognize the password and can't log in. And I really can't understand why.

Here's my code:

For register (maybe it's useless but anyway)

if ($_POST['actiune'] == 'register') {
    $firstname = $_POST['firstName'];
    $lastname = $_POST['lastName'];
    $email = $_POST['email'];
    $_SESSION['username'] = $email;
    $password = $_POST['password'];
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $age = $_POST['age'];
    $address = $_POST['address'];

    if(addUser($firstname, $lastname, $email, $hash, $age, $address)) {
        header("Location: index.php?page=profile");
    }
    else
        die("User didnt add in db.");
}

login:

if($_POST['actiune'] == 'login') {
    $email = $_POST['email'];
    $password = $_POST['password'];
    $pass = getPassword($email);

    $verify = password_verify($password, $pass);
    if ($verify) {
        $_SESSION['username'] = $email;
        header("Location: index.php?page=profile");
    } else {
        header("Location: index.php?page=login&msg=PleaseRegister");
        die();
    }
}

resetPassword:

if($_POST['actiune'] == 'resetPassword') {
    $oldPassword = $_POST['oldPassword'];
    $newPassword = $_POST['newPassword'];
    $confirmPassword = $_POST["confirmPassword"];

    $passwordDb = getPassword($_SESSION['username']);
    $verify = password_verify($oldPassword, $passwordDb);
    if($verify) {
        setPassword($newPassword, $_SESSION['username']);
        header("location: index.php?page=profile");
    }
}

function setPassword

function setPassword($password, $email) {
    include("connectionFile.php");

    $hash = password_hash($password, PASSWORD_BCRYPT); 
    try {
        $sql = $conn->prepare("update user set password = '$hash' where email='$email'");
        $sql->execute();
    } catch(Exception $e) {
        echo $e->getMessage();
        return false;
    }
    return true;
}

getPassword function used for login:

function getPassword($email) {
    include("connectionFile.php");

    $sql = $conn->prepare("select * from user where email='$email'");
    $sql->execute();
    $result = $sql;
    foreach($result as $row) {
        $pass= $row['password'];
    }
    return $pass;
}
php mysql authentication password-hash
Original Q&A
1

There are 1 answers

0
Funk Forty Niner On BEST ANSWER

As I wrote in comments:

setPassword($newPassword, $_SESSION['username']

You're using the wrong variable in:

function setPassword($password, $email)

...

password_hash($password,

The variable should have been $newPassword and not $password.

Your code failed on your silently since password_hash() did do its job, it just didn't hash the said/wanted variable.

This, and along with my other comments about your being open to an SQL injection.

Related Questions in PHP

Related Questions in MYSQL

Related Questions in AUTHENTICATION

Related Questions in PASSWORD-HASH

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions