
I want to change the password by first verifying/validating it against the old password. I don't know how to validate the old password because I'm not good at PHP. Please help me, thank you in advance! Below is the code.

HTML:

<form name="frm" class="post-form-wrapper" action="app/new-pass.php" method="POST">

    <div class="row gap-20">
        <?php include 'constants/check_reply.php'; ?>
        <?php
        require '../constants/db_config.php';
        try {
            $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
            $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

            $stmt = $conn->prepare("SELECT login FROM tbl_users WHERE member_no='$myid'");
            $stmt->execute();
            $result = $stmt->fetchAll();

            foreach ($result as $row) {
                $oldpass = $row['login'];
            }
        } catch (PDOException $e) {

        }
        ?>
        <div class="col-sm-6 col-md-4">

            <!-- <div class="form-group">
                    <label>Old Password <?php echo "$oldpass"; ?> </label>
                    <input type="password" class="form-control" name="oldpassword" required placeholder="Enter your old password">
                </div> -->

            <div class="form-group">
                <label>New Password</label>
                <input type="password" class="form-control" name="password" required
                       placeholder="Enter your new password">
            </div>

        </div>

        <div class="clear"></div>

        <div class="col-sm-6 col-md-4">

            <div class="form-group">
                <label>Confirm Password</label>
                <input type="password" class="form-control" name="confirmpassword" required
                       placeholder="Confirm your new password">
            </div>

        </div>

        <div class="col-sm-12 mt-10">
            <button type="submit" onclick="return check_passwords();" class="btn btn-primary">Update</button>
            <button type="reset" class="btn btn-primary btn-inverse">Cancel</button>
        </div>

    </div>

</form>

I think it would be validated using JavaScript, but I'm not really sure. JavaScript:

function check_passwords() {
    // if (md5(frm.oldpassword.value) != $oldpass) {
    //     alert("Invalid Old Password");
    //     frm.oldpassword.focus();
    //     return false;
    // }

    if (frm.password.value == "") {
        alert("Enter the Password.");
        frm.password.focus();
        return false;
    }

    if (frm.password.value.length < 8) {
        alert("Password should be minimum 8 characters.");
        frm.password.focus();
        return false;
    }

    if (frm.confirmpassword.value == "") {
        alert("Enter the Confirmation Password.");
        return false;
    }
    if (frm.confirmpassword.value != frm.password.value) {
        alert("Password confirmation does not match.");
        return false;
    }

    return true;
}

This is the PHP code for changing the password. PHP:

$new_password = md5($_POST['password']);

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    $stmt = $conn->prepare("UPDATE tbl_users SET login = :newpassword WHERE member_no='$myid'");
    $stmt->bindParam(':newpassword', $new_password);
    $stmt->execute();
    header("location:../change-password.php?r=9564");
} catch (PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
}

  • You should take a couple of steps back and learn a lot of basic things. Such as "You should never trust any JS validation as they can be spoofed". Or "Passwords must be always hashed using a dedicated function". And "How to select user info from database", because validating the old password is essentially selecting it from database and comparing it with the password entered – Your Common Sense May 17 '22 at 12:45
  • `I think it would be validated using JavaScript`...no, definitely not, because the user could easily interfere with that process if they knew what they were doing. You cannot trust anything which happens on the client-side. – ADyson May 17 '22 at 12:45
  • Anyway basically you must use password_verify() to check a previously hashed password - that's assuming it was hashed using password_hash() of course. However you seem to be using the outdated, insecure `md5` algorithm. It has been proven to be easily crackable in recent years. Switch to using a modern algorithm via password_hash() – ADyson May 17 '22 at 12:47
  • Also, your SQL query is potentially vulnerable because you have not fully parameterised it. You should use parameters for _all_ inputs into it. I cannot understand why you managed to parameterise `:newpassword` but didn't bother to do it for `$myid`. Be consistent, and make sure your queries are fully protected - in this scenario, doing half a job is as bad as not doing it at all! – ADyson May 17 '22 at 12:48
  • @ADyson could you help me with the right code to solve this? please. – Gary Holland May 17 '22 at 12:50
  • The duplicate in the blue box above already gives some code samples and explanations. There's also https://stackoverflow.com/questions/26536293/php-password-hash-password-verify, and [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) and the relevant section of the PHP manual: [password hashing](https://www.php.net/manual/en/faq.passwords.php). Have a read, and try and apply your new knowledge, and then ask if you're still stuck on something specific after that. – ADyson May 17 '22 at 12:53
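Pulling the comments' advice together, here is an added example of what the `app/new-pass.php` handler could look like; it is not the asker's or the commenters' code. It verifies the old password with `password_verify()`, stores the new one with `password_hash()`, and binds every query input including `member_no`; it assumes the connection variables come from `db_config.php` as on the page and that `$myid` is read from `$_SESSION['member_no']` (an assumption, never from the form).

```php
<?php
// Added example (not from the question): change-password handler with old-password check.
// Assumes $servername, $dbname, $username, $password are defined in db_config.php (as on
// the page) and that the logged-in user's member_no was stored in the session at login.
session_start();
require '../constants/db_config.php';
$myid = $_SESSION['member_no'] ?? null;            // assumption: set by the login code

$old     = $_POST['oldpassword']     ?? '';
$new     = $_POST['password']        ?? '';
$confirm = $_POST['confirmpassword'] ?? '';

// Server-side checks: the JavaScript checks are convenience only and can be bypassed.
if ($myid === null || $old === '' || strlen($new) < 8 || $new !== $confirm) {
    header('Location: ../change-password.php?r=error');
    exit;
}

try {
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);

    // Fetch the stored hash; member_no is bound, not interpolated into the SQL.
    $stmt = $conn->prepare('SELECT login FROM tbl_users WHERE member_no = :id');
    $stmt->execute([':id' => $myid]);
    $storedHash = $stmt->fetchColumn();

    // password_verify() reads the salt/cost from the hash and compares in constant time.
    if ($storedHash === false || !password_verify($old, $storedHash)) {
        header('Location: ../change-password.php?r=badold');
        exit;
    }

    // Store a salted bcrypt hash of the new password instead of md5().
    $newHash = password_hash($new, PASSWORD_DEFAULT);
    $upd = $conn->prepare('UPDATE tbl_users SET login = :newpassword WHERE member_no = :id');
    $upd->execute([':newpassword' => $newHash, ':id' => $myid]);

    header('Location: ../change-password.php?r=9564');
    exit;
} catch (PDOException $e) {
    // Log the driver message server-side rather than echoing it to the browser.
    error_log($e->getMessage());
    header('Location: ../change-password.php?r=error');
    exit;
}
```

Rows still holding an `md5()` value will not pass `password_verify()`, so existing users need a reset or a rehash on their next successful login. Also drop the `<?php echo "$oldpass"; ?>` from the commented-out label in the form: PHP still runs inside an HTML comment, so the stored hash ends up in the page source.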
