Enrico Enrico - 1 year ago 81
PHP Question

PHP update password form not working

I'm trying to make a form for users to change their password.

<div class="panel panel-primary">
  <div class="panel-heading">
    <h3 class="panel-title"><?php echo $errormessage; ?></h3>
  </div>
  <div class="panel-body">
    <form method="post" name="passwordchange" id="passwordchange">
      <div class="row">
        <div class="col-md-6">
          <div class="row">
            <div class="col-md-3"><label for="pass1">Password</label></div>
            <div class="col-md-5"><input class="form-control" name="pass1" id="pass1" type="password" required value=""></div>
          </div>
        </div>
        <div class="col-md-6">
          <div class="row">
            <div class="col-md-3"><label for="pass2">Confirm Password</label></div>
            <div class="col-md-5"><input class="form-control" name="pass2" id="pass2" type="password" required value=""></div>
          </div>
        </div>
      </div>
      <input type="submit" class="btn btn-primary pull-right" name="submit" value="submit">
    </form>
  </div>
</div>

if (isset($_POST['submit'])) {
    $new_password  = $_POST['pass1'];
    $new_password2 = $_POST['pass2'];

    if ($new_password !== $new_password2) {
        $errormessage = "Passwords do not match.";
    } else {
        // Salted SHA-256, stretched 65536 times
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $new_password . $salt);
        for ($round = 0; $round < 65536; $round++) {
            $password = hash('sha256', $password . $salt);
        }

        // Note: $userid is interpolated into the SQL string rather than bound as a parameter
        $query = "
            UPDATE users
            SET password = :password,
                hash = :hash
            WHERE id = '$userid'";

        // The parameter values
        $query_params = array(
            ':password' => $password,
            ':salt' => $salt
        );

        try {
            // Execute the query against the database
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        } catch (PDOException $ex) {
            //die("Failed to run query: " . $ex->getMessage());
            die("update error");
        }

        header("Location: account.php?success");
        exit;
    }
}




When I submit the form the page reloads and nothing happens. When I enter two different passwords I get the error message 'Passwords do not match.'

I also get a weird behavior when the form reloads: the navigation on my site stops working after the form reload.

I tried playing with the input type name, the form name, and using isset($_REQUEST) instead of isset($_POST), but nothing seems to help.

What did I do wrong?

edit: I mixed up SALT and HASH. Whoops..

Answer Source

In the query you have hash and password; in the prepare, SALT and password. There is no salt in your query.
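The same handler with the placeholder names in the SQL and in the execute() array kept in sync, as an added example rather than the asker's code. It assumes $db is a PDO connection, the logged-in user's id is in $_SESSION['userid'], and the users table has password and salt columns.

```php
<?php
// Added example (not the asker's code). Assumed: $db is a PDO connection,
// $_SESSION['userid'] holds the logged-in user's id, and the users table has
// the columns password and salt.
//
// With the default silent error mode, a placeholder/parameter mismatch makes
// execute() return false (SQLSTATE HY093) without ever reaching the catch
// block, which is why "nothing happens". Turn on exceptions so it is visible.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function change_password(PDO $db, int $userid, string $pass1, string $pass2): ?string
{
    if ($pass1 === '' || $pass1 !== $pass2) {
        return 'Passwords do not match.';
    }

    // Same salted, stretched SHA-256 scheme as the question, with a CSPRNG salt.
    // The standard-library alternative is password_hash()/password_verify(),
    // which stores the salt inside the hash and needs no separate salt column.
    $salt = bin2hex(random_bytes(16));
    $hash = hash('sha256', $pass1 . $salt);
    for ($round = 0; $round < 65536; $round++) {
        $hash = hash('sha256', $hash . $salt);
    }

    // Every :name in the SQL must appear once in the execute() array with the
    // same name, and nothing is interpolated into the string: the id is bound too.
    $query  = 'UPDATE users SET password = :password, salt = :salt WHERE id = :id';
    $params = [
        ':password' => $hash,
        ':salt'     => $salt,
        ':id'       => $userid,
    ];

    try {
        $stmt = $db->prepare($query);
        $stmt->execute($params);
    } catch (PDOException $ex) {
        error_log('password update failed: ' . $ex->getMessage()); // log, do not echo to the user
        return 'Update error.';
    }
    return null; // success
}

if (isset($_POST['submit'])) {
    $errormessage = change_password($db, (int) $_SESSION['userid'],
                                    $_POST['pass1'] ?? '', $_POST['pass2'] ?? '');
    if ($errormessage === null) {
        header('Location: account.php?success');
        exit; // stop rendering the rest of the page after the redirect
    }
}
```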
