etsted Posted May 15, 2014 Share Posted May 15, 2014 (edited) why does this cript keep logging me out when i change my password? $errorPass = $successPass = $oldPass = $newPass = $repeatNewPass=""; // this is used to change someones password if(isset($_POST['changePass'])){ // check to make sure they have written in their old password if(empty($_POST['oldPass'])){ $errorPass .= "Fill out Old password field<br>"; } else { $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']); } // check to make sure they have written in their new password if(empty($_POST['newPass'])){ $errorPass .= "Fill out New password field<br>"; } else { $newPass = mysqli_real_escape_string($con, $_POST['newPass']); } // check to make sure they have reapeated their new password if(empty($_POST['repeatNewPass'])){ $errorPass .= "Fill out Repeat new password field<br>"; } else { $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']); // check to make sure that $newPass and $repeatNewPass matches if($newPass != $repeatNewPass){ $errorPass .= "Your new passwords does not match<br>"; } } // hash the password, before testing it against the DB function protect_pass($val) { return md5($val); } if(empty($errorPass)){ $pass_hash = protect_pass($oldPass); // check to make sure their old password is correct $sql = "SELECT password FROM register WHERE password='$pass_hash'"; $query = mysqli_query($con, $sql); $numrows = mysqli_num_rows($query); if($numrows < 1){ $errorPass .= "Your old password is not correct<br>"; } else { $pass_hash = protect_pass($newPass); $sql = "UPDATE register SET password='$pass_hash' WHERE u_name='$log_username'"; $query = mysqli_query($con, $sql); if($query == true){ $successPass = "Your password has been changed<br>"; } else { $errorPass .= "Some unexpected error occured while trying to change your password<br>"; } } } Edited May 15, 2014 by etsted Link to comment Share on other sites More sharing options...
birbal Posted May 15, 2014 Share Posted May 15, 2014 Is it the all code? I cant see anything in this code which can do like it. Link to comment Share on other sites More sharing options...
etsted Posted May 15, 2014 Author Share Posted May 15, 2014 this is the form you have to fill out <form action="" method="post" name="changePass" id="changePass"> Old password: <input type="password" name="oldPass" style="margin-left: 50px;"> <br> New password: <input type="password" name="newPass" style="margin-left: 43px;"> <br> Repeat new password: <input type="password" name="repeatNewPass" style="margin-left: 1px;"> <br><br> <input type="submit" name="changePass" value="Change password"> </form> Link to comment Share on other sites More sharing options...
Ingolme Posted May 15, 2014 Share Posted May 15, 2014 Where's the code that's making sure you're logged in? Something with session_start() in it. Link to comment Share on other sites More sharing options...
etsted Posted May 15, 2014 Author Share Posted May 15, 2014 I think i fixed it Link to comment Share on other sites More sharing options...
etsted Posted May 17, 2014 Author Share Posted May 17, 2014 (edited) actually i dint fix it here is the updated code: $errorPass = $successPass = $oldPass = $newPass = $repeatNewPass=""; // this is used to change someones password if(isset($_POST['changePass'])){ // check to make sure they have written in their old password if(empty($_POST['oldPass'])){ $errorPass .= "Fill out Old password field<br>"; } else { $oldPass = mysqli_real_escape_string($con, $_POST['oldPass']); } // check to make sure they have written in their new password if(empty($_POST['newPass'])){ $errorPass .= "Fill out New password field<br>"; } else { $newPass = mysqli_real_escape_string($con, $_POST['newPass']); } // check to make sure they have reapeated their new password if(empty($_POST['repeatNewPass'])){ $errorPass .= "Fill out Repeat new password field<br>"; } else { $repeatNewPass = mysqli_real_escape_string($con, $_POST['repeatNewPass']); // check to make sure that $newPass and $repeatNewPass matches if($newPass != $repeatNewPass){ $errorPass .= "Your new passwords does not match<br>"; } } // hash the password, before testing it against the DB function protect_pass($val) { return md5($val); } if(empty($errorPass)){ $password = protect_pass($oldPass); // check to make sure their old password is correct $sql = "SELECT password FROM register WHERE password='$password'"; $query = mysqli_query($con, $sql); $numrows = mysqli_num_rows($query); if($numrows < 1){ $errorPass .= "Your old password is not correct<br>"; } else { $password = protect_pass($newPass); $sql = "UPDATE register SET password='$password' WHERE u_name='$log_username'"; $query = mysqli_query($con, $sql); if($query == true){ $successPass = "Your password has been changed<br>"; // make a new cookie with their password, else they will be logged out $expire=time()+60*60*24*30; setcookie("password", $password, $expire); } else { $errorPass .= "Some unexpected error occured while trying to change your password<br>"; } } } Here is the script that checks to see if the user is logged in <?php session_start(); // include DB connection include_once "connect.php"; // This script checks to see if a user is logged in $user_status = false; $log_username = ""; $log_password = ""; function eval_user($con, $user, $pass) { $sql = "SELECT u_name, password FROM register WHERE u_name='$user' AND password='$pass' AND activated='1' "; $query = mysql_query($sql); $numrows = mysql_num_rows($query); if($numrows > 0){ return true; } } if(isset($_SESSION['username']) && isset($_SESSION['password'])) { $log_username = preg_replace('#[^a-z0-9]#i', '', $_SESSION['username']); $log_password = preg_replace('#[^a-z0-9.!#%&]#i', '', $_SESSION['password']); // verify the user $user_status = eval_user($con, $log_username, $log_password); } else if(isset($_COOKIE['username']) && isset($_COOKIE['password'])) { $_SESSION['username'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['username']); $_SESSION['password'] = preg_replace('#[^a-z0-9.!#%&]#i', '', $_COOKIE['password']); $log_username = $_SESSION['username']; $log_password = $_SESSION['password']; // verify the user $user_status = eval_user($con, $log_username, $log_password); }?> Edited May 17, 2014 by etsted Link to comment Share on other sites More sharing options...
davej Posted May 17, 2014 Share Posted May 17, 2014 It isn't clear to me that you know what a session variable is or what it is for. Why is the password assigned to a session variable? Why is the password assigned to a cookie? Link to comment Share on other sites More sharing options...
justsomeguy Posted May 19, 2014 Share Posted May 19, 2014 Never put a password in a cookie. A cookie with a username/password pair is exactly the same as someone having the password. If that cookie gets stolen then the attacker has access. If you're going to use cookies like that then you need to store a unique token that ties the cookie to that computer so that it can't be stolen and used elsewhere.I also don't see a reason to store the password in the session either. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now