1

I am pretty new to PHP, so debugging isn't really something I am familiar with when it comes to PHP.

I am using PHP/JavaScript (AJAX) to change a user's password for my website. So basically, when I log in and try to change my password, the code breaks at the first echo. So the password that I am entering into the form does not match the password in the database. But I am using the same hash method and everything. If anyone has any ideas, let me know. Thanks!

if(isset($_POST["u"])) {
    $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);
    $oldpasshash = md5($_POST["cp"]);
    $newpasshash = md5($_POST["cnp"]);
    $sql = "SELECT id, username, password FROM users WHERE username='$u' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $row = mysqli_fetch_row($query);
    $db_id = $row["id"];
    $db_username = $row["username"];
    $db_password = $row["password"];
    if($db_password != $oldpasshash){
        echo "no_exist";
        exit();
    } else {
        $sql = "UPDATE users SET password='$newpasshash', WHERE username='$db_username' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
    }
    $sql = "SELECT id, username, password FROM users WHERE username='$db_username' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    $row = mysqli_fetch_row($query);
    $db_newpass = $row[3];
    if($db_newpass == $newpasshash) {
    echo "success";
    exit();
    } else {
        echo "pass_failed";
        exit();
    }
}
5
  • 1
    Make sure error logging is on, and go find your PHP error log file. Use var_dump() and print_r() to inspect variables at various places. Finally, you have potentially opened yourself up to SQL injection vulnerabilities. Use prepared queries to avoid this problem entirely. Commented Jun 26, 2014 at 18:19
  • 2
    You may get hounded for using md5() to encode passwords. If able to, look into hashing your password. Commented Jun 26, 2014 at 18:20
  • 1
    Basic debugging always involves making a hypothesis about what value a certain variable should have at a certain point, then testing that hypothesis. The most basic way is by doing var_dump($var); on that variable at that point (just write it in your source code and run it again). That way you slowly pinpoint the spot where your actual code diverges from your expectations and where you need to fix something. Commented Jun 26, 2014 at 18:21
  • Quick question on the SQL injection. If the variables are coming through AJAX script before they get to the PHP, will it still cause vulnerability to SQL injection? Commented Jun 26, 2014 at 18:42
  • I am having trouble displaying the variables at certain points in the script. Is there a specific way to do this? I am basically echoing them somewhere on the page. So I assign the variable $dump to the var_dump($username);. It just isn't showing up on the site. Commented Jun 26, 2014 at 21:31

2 Answers

1

Look at your first two lines of code:

if(isset($_POST["u"])) {
    $u = preg_replace('#[^a-z0-9]#i', '', $_GET['u']);

You check if $_POST['u'] is set, then you use $_GET['u'].

FYI, you are injecting $u directly into the MySQL statement, don't do this.


5 Comments

What would be the proper way to insert a variable into the MySQL statement?
Could you give me an example of what I might do with my code? I'm not quite sure I understand the principle.
Look at the examples on the PHP doc page I linked to. Using bound parameters prevents SQL injection. You can look at the answer on this also: stackoverflow.com/questions/60174/…
Ok, that makes some sense. Could I not just use the real_escape function on the newpass variable?
Could you? Yes. Should you? No.
1

You are using mysqli_fetch_row and accessing the table fields via field name. That is wrong.

mysqli_fetch_row fetches one row of data from the result set and returns it as an enumerated array, where each column is stored in an array offset starting from 0 (zero).

So you have to use

$db_id = $row[0];
$db_username = $row[1];
$db_password = $row[2];

1 Comment

I wish I could check mark both yours and @Pitchinnate's answers. Both helped extremely!
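
The points raised in both answers and in the comments (bound parameters, fetching by column name, not using md5()), put together as an added example that is not code from the question or from either answerer. It assumes PDO with an in-memory SQLite database in place of the question's mysqli connection so that it runs stand-alone; the function name `change_password`, the sample user and the passwords are constructed, and `password_hash()`/`password_verify()` are swapped in for md5().

```php
<?php
// Added example, not the poster's code. The users table follows the question;
// the sample user and passwords are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('old-secret', PASSWORD_DEFAULT)]);

function change_password(PDO $db, string $user, string $current, string $new): string
{
    // Placeholders keep user input out of the SQL text entirely.
    $sel = $db->prepare('SELECT id, password FROM users WHERE username = ? LIMIT 1');
    $sel->execute([$user]);
    // Associative fetch, so columns can be read by name.
    $row = $sel->fetch(PDO::FETCH_ASSOC);

    // Same reply for an unknown user and for a wrong current password.
    if ($row === false || !password_verify($current, $row['password'])) {
        return 'no_exist';
    }

    // Salted hash from password_hash() replaces md5().
    $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $row['id']]);
    return $upd->rowCount() === 1 ? 'success' : 'pass_failed';
}

// In the AJAX handler, read every field from the same superglobal:
// echo change_password($db, $_POST['u'], $_POST['cp'], $_POST['cnp']);

echo change_password($db, 'alice', 'wrong-guess', 'new-secret'), "\n";
// A quote in the input is only data to a bound parameter.
echo change_password($db, "alice'", 'old-secret', 'new-secret'), "\n";
echo change_password($db, 'alice', 'old-secret', 'new-secret'), "\n";
echo change_password($db, 'alice', 'new-secret', 'newer-secret'), "\n";
```

With mysqli the same shape is `prepare()`, `bind_param()`, `execute()` and then `get_result()->fetch_assoc()`.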
