jwalkerman jwalkerman - 1 month ago 6
PHP Question

can't update my password to db

after fetching the password from db to check the password if is matches, but still i can't update my db with the new password.

I will appreciate if someone could help me with this issue. Thanks.

here the html code:

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Settings</title>
<link rel="stylesheet" type="text/css" href="../css/loginstyle.css" />
<link href="https://fonts.googleapis.com/css?family=Comfortaa" rel="stylesheet">
</head>
<body>

<?php if(!empty($message)): ?>
<p><?=$message ?></p>
<?php endif; ?>

<h2 class="page-header">Settings</h2>
<p>Please edit the information</p>

<form action="settings.php" method="post">

<input type="text" placeholder="Enter your email" name="email">
<input type="password" placeholder="Enter your current password" name="old_password">
<input type="password" placeholder="Enter your new password" name="new_password">
<input type="password" placeholder="Confirm password" name="confirm_password">

<input type="submit" name="submit" value="reset">
</form>

</body>
</html>


here the php code:

<?php

//start the session
session_start();

require 'database.php';

//$message='';

if (isset($_POST['submit'])){

//check field
$oldpassword = $_POST['old_password'];
$newpassword = $_POST['new_password'];
$confirmpassword = $_POST['confirm_password'];

$message = '';

//query to get password
$query = $conn->prepare('SELECT password FROM users WHERE email = :email') or die("Query did'nt work");
$query->bindParam(':email', $_POST['email']);
$query->execute();
$results = $query->fetch(PDO::FETCH_ASSOC);

$oldpassworddb = $results['password'];

//Check password
if(count($results) > 0 && password_verify($oldpassword, $results['password']))
{

//check two new password
if($newpassword==$confirmpassword)
{
//change password in database
//echo "Success";

//enter new user and database
$sql = ('UPDATE users SET password="$newpassword" WHERE email = :email');
$query = $conn->prepare($sql);

$query->bindParam(':email', $_POST['email']);
$query->bindParam(':password',$newpassword);
$newpassword = password_hash($newpassword, PASSWORD_BCRYPT);

//$querychange->execute();

session_destroy();
die("Your password has been changed. <a href='index.php'>Return</a>to the main page.");


}
else{
die("New password don't match");
}
}
else
{
die("old password doesn't match");
}
}
else
{

}

?>

Answer

You never executed your prepared statement so the query would have never been run. You also didn't setup the :password parameter in your statement.

        // Setup :password as a parameter, don't place variable in your statements
        $sql = ('UPDATE users SET password=:password WHERE email = :email');
        $query = $conn->prepare($sql);

        $query->bindParam(':email', $_POST['email']);
        $query->bindParam(':password',$newpassword);
        $newpassword = password_hash($newpassword, PASSWORD_BCRYPT);

        // Execute statement
        $query->execute();

Another thing that jumped out at me though is the order of your password hashing. Even though you bind $newpassword as a reference, it isn't very readable to have the hashing occur after the parameter binding. Keep readability in mind.

Comments