PHP update password form not working

I'm trying to make a form for users to change their password.

<div class="panel panel-primary">
    <div class="panel-heading">
        <h3 class="panel-title"><?php echo $errormessage;?></h3>
    </div>
    <div class="panel-body">
        <form method="post" name="passwordchange" id="passwordchange">
            <div class="row">
                <div class="col-md-6">
                    <div class="row">
                        <div class="col-md-3"><label>Password</label></div>
                        <div class="col-md-5"><input class="form-control" name="pass1" id="pass1" type="text" required value=""></div>
                    </div>
                </div>
                <div class="col-md-6">
                    <div class="row">
                        <div class="col-md-3"><label>Confirm Password</label></div>
                        <div class="col-md-5"><input class="form-control" name="pass2" id="pass2" type="text" required value=""></div>
                    </div>
                </div>
            </div>
            <input type="submit" class="btn btn-primary pull-right" name="submit" value="submit">
        </form>
    </div>
</div>

if (isset($_POST['submit'])) {
    $new_password = $_POST['pass1'];
    $new_password2 = $_POST['pass2'];

    if ($new_password != $new_password2) {
        $errormessage = "Passwords do not match.";
    } else {
        // Generate a salt, then hash the password with it for 65536 rounds
        $salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));
        $password = hash('sha256', $new_password . $salt);
        for ($round = 0; $round < 65536; $round++) {
            $password = hash('sha256', $password . $salt);
        }

        $query = "
            update users
            SET
                password = :password,
                hash = :hash
            WHERE id = '$userid'";

        // The parameter values
        $query_params = array(
            ':password' => $password,
            ':salt' => $salt
        );

        try {
            // Execute the query against the database
            $stmt = $db->prepare($query);
            $result = $stmt->execute($query_params);
        } catch (PDOException $ex) {
            //die("Failed to run query: " . $ex->getMessage());
            die("update error");
        }

        header("Location: account.php?success");
    }
}




When I submit the form the page reloads and nothing happens. When I enter two different passwords I get the error message 'Passwords do not match.'

I also get weird behavior when the form reloads: the navigation on my site stops working after the form reload.

I tried playing with the input type name, form name, using isset _request instead of isset _POST. But nothing seems to help.

What did I do wrong?

Edit: I mixed up SALT and HASH. Whoops.


In the query you have hash and password, in the prepare SALT and password. There is no salt in your query.
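
A hardened version of the update the question attempts, as an added example that is not the asker's or the answerer's code: it swaps the hand-rolled SHA-256 loop for PHP's built-in password_hash(), binds every value including the id, and keeps each placeholder name identical to its array key. The change_password() helper, the in-memory SQLite database and the single `password` column are assumptions made for the example.

```php
<?php
// Added example. Assumes a `users` table with `id` and `password` columns;
// an in-memory SQLite database stands in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, password) VALUES (1, 'constructed-old-value')");

// Hypothetical helper: returns an error message, or null on success.
function change_password(PDO $db, int $userId, string $pass1, string $pass2): ?string
{
    if ($pass1 === '') {
        return 'Password must not be empty.';
    }
    if ($pass1 !== $pass2) {
        return 'Passwords do not match.';
    }

    // password_hash() generates its own random salt and stores it, together
    // with the algorithm and cost, inside the returned string.
    $hash = password_hash($pass1, PASSWORD_DEFAULT);

    // Every value is a placeholder, including the id, and every placeholder
    // in the SQL has a key of the same name in the array passed to execute().
    $stmt = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
    $stmt->execute([':password' => $hash, ':id' => $userId]);

    // Report an update that matched no row instead of redirecting as if it worked.
    return $stmt->rowCount() === 1 ? null : 'No such user.';
}

// Constructed sample input in place of $_POST['pass1'] and $_POST['pass2'].
var_dump(change_password($db, 1, 'correct horse', 'correct hors'));  // two different values
var_dump(change_password($db, 1, 'correct horse', 'correct horse')); // matching values

// At login, password_verify() reads the salt and cost back out of the stored string.
$stored = $db->query('SELECT password FROM users WHERE id = 1')->fetchColumn();
var_dump(password_verify('correct horse', $stored));
```

Because the salt travels inside the stored string, the separate salt column and its placeholder are no longer needed, which removes the mismatch the answer points out.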