输入哈希以重置密码，而不是实际用户密码

Question

I have an update password page that won't let me enter the actual current password for the current password field. Instead, it wants the hashed password. Once changed however, the new one is then hashed, which is a good thing. I just need to be able to enter the actual password and not hashed.

Yes I know, no md5; this is more for testing is all.

changepassword.js

<script>
function validatePassword() {
var currentPassword,newPassword,confirmPassword,output = true;

currentPassword = document.frmChange.currentPassword;
newPassword = document.frmChange.newPassword;
confirmPassword = document.frmChange.confirmPassword;

if(!currentPassword.value) {
currentPassword.focus();
document.getElementById("currentPassword").innerHTML = "required";
output = false;
}
else if(!newPassword.value) {
newPassword.focus();
document.getElementById("newPassword").innerHTML = "required";
output = false;
}
else if(!confirmPassword.value) {
confirmPassword.focus();
document.getElementById("confirmPassword").innerHTML = "required";
output = false;
}
if(newPassword.value != confirmPassword.value) {
newPassword.value="";
confirmPassword.value="";
newPassword.focus();
document.getElementById("confirmPassword").innerHTML = "not same";
output = false;
}   
return output;
}
</script>   

updatepassword.php

<?php
    include 'core/login.php';    === this contains the connection, it's obviously good ===
    include 'includes/head.php';  === changepassword.js is linked in the head ===   
    if(count($_POST)>0) {
    $result = mysqli_query($link, "SELECT *from users WHERE id='" . $_SESSION["id"] . "'");
    $row = mysqli_fetch_array($result);
    if($_POST["currentPassword"] == $row["password"]) {
    mysqli_query($link, "UPDATE users set `password`='" .md5(md5($_POST['newPassword'])) . "' WHERE id='" . $_SESSION["id"] . "'");
    $message = "Password Changed";
    } else $errormessage = "Current Password is not correct";
    }
print_r($_SESSION);
?>

form on same page:

<div class="container">
            <div class="text-center">
                <h4>Change password below</h4>
            </div><br />

            <div class="message"><?php if(isset($message)) { echo $message; } ?></div>
            <div class="message"><?php if(isset($errormessage)) { echo $errormessage; } ?></div>

            <div class="col-md-4 col-md-offset-4">                                                      
                <form name="frmChange" method="post" action="" onSubmit="return validatePassword()">

                    <div class="form-group">
                        <label>Current Password*</label>  
                        <input type="text" name="currentPassword" class="form-control input-md" />
                    </div>
                    <div class="form-group">
                        <label>New Password*</label>  
                        <input type="text" name="newPassword" class="form-control input-md" />
                    </div>  
                    <div class="form-group">
                        <label>Confirm Password*</label>  
                        <input type="text" name="confirmPassword" class="form-control input-md" />
                    </div>                          
                    <br />                  
                    <div class="text-center"> 
                        <input type="submit" name="submit" class="btn btn-success" value="Submit" />        


                    </div>                                      
                </form>                 
            </div>
        </div>

Answer 1

Your problem is here:

if($_POST["currentPassword"] == $row["password"]) {

You are comparing the actual text version of the hash (say "password") to the hashed version of that password (say "213y789hwuhui1dh"). This evaluates out to:

if("password" == "213y789hwuhui1dh") {

Which obviously is never accurate. All you have to do to solve the problem is hash the password in the same way you did when you created it. If I understand your code properly, that should be:

if(md5(md5($_POST["currentPassword"]))==$row["password"]) {

SIDE NOTE ON SQL INJECTION

Please note that this code would be super easy to inject into. All a user would have to do is end the "currentPassword" POST value with '; SHOW DATABASE; '; SHOW DATABASE; and they would have unlimited access to your server's MySQL database. Consider learning to use MySQLi Prepared Statements. They are easy to understand, and easy to implement.

Answer 2

I went overboard. Your other question was closed. Juuuuust gonna leave this here... I'm using PHP version PHP 5.2.0.

• http://php.net/manual/en/faq.passwords.php
• http://php.net/manual/en/function.password-hash.php
• http://php.net/manual/en/function.password-verify.php

<?php

// so I don't actually have to test form submission, too... 
$_POST['current_password'] = 'Tacotaco'; 
$_POST['new_password']     = 'NINrocksOMG';
$_POST['confirmPassword']  = 'NINrocksOMG'; 
$_SESSION['id'] = 1;

// this is Tacotaco encrypted... update your db to test
// update users set password = '$2y$10$fc48JbA0dQ5dBB8MmXjVqumph1bRB/4zBzKIFOVic9/tqoN7Ui59e' where id=1


// the following is sooooo ugly... don't leave it this way 

if (!isset($_SESSION['id'])            or empty($_SESSION['id']) or
    !isset($_POST['current_password']) or empty($_POST['current_password']) or 
    !isset($_POST['new_password'])     or empty($_POST['new_password']) or 
    !isset($_POST['confirmPassword'])  or empty($_POST['confirmPassword']) ) {
   $message = 'Please enter your password';
}
else {
   $sid = $_SESSION['id'];

   $currpass = $_POST['current_password'];
   $newpass  = $_POST['new_password'];
   $conpass  = $_POST['confirmPassword'];

   $message  = validate_password($sid, $currpass, $newpass, $conpass);
}

print "<br/>$message<br/>";

function validate_password($sid, $currpass, $newpass, $conpass) {
   $mysqli = mysqli_connect('localhost','root','','test')
               or die('Error ' . mysqli_error($link));

   $stmt = $mysqli->prepare('select id, password from users where id = ?');
   $stmt->bind_param("s", $sid);
   $stmt->execute();
   $stmt->bind_result($userid, $userpass);

   $message = '';

   if ($stmt->fetch()) { 
      $stmt->close(); 

      if (strlen($newpass) < 8) {
         $message = 'Please enter a password with at least 8 characters';
      }
      elseif (!preg_match('`[A-Z]`', $newpass)) {
         $message = 'Please enter at least 1 capital letter';
      }
      elseif ($newpass !== $conpass) { 
         $message = 'Your passwords do not match.';
      }
      else {  
         if (password_verify($currpass, $userpass)) {  
            $hashed_new = password_hash($newpass, PASSWORD_BCRYPT);  
            $query = 'update users set password = ? where id = ?'; 
            $stmt_new = $mysqli->prepare($query); 

            $stmt_new->bind_param('ss', $hashed_new, $sid);
            if ($stmt_new->execute()) {
               $message = 'Password Changed';
            }
            else {
               $message = $mysqli->error;
            }
         }
         else $message = 'Current Password is not correct';
      }
   }
   else {
      $message = 'user not found for id $sid';
   }

   $mysqli->close(); 
   return $message;
}
?>