I'm doing this as a proof of concept to test my ability, I am aware that MD5 is not secure to use for passwords.
I have a login page which works fine by creating an MD5 hash of the entered password and checking the hash against the value stored in the database.
I have created a page where the user can change their username (email address). In order for this to happen, firstly:
- The ID for that user is placed in the $_SESSION['id'] variable. This is sent with the UPDATE SQL command to ensure the correct user's email address is changed.
- The password has to be re-entered for extra authentication. This isn't a problem; however, the value is in plain text and not MD5, so the UPDATE SQL command fails and 0 rows are updated. I have used md5($_POST['password']) (see line 17 of the code).
<?php
require_once __DIR__ . '/../config/init.php';   // assumed to start the session and define $db and INCLUDES

if ($_SESSION['login'] != 1) {
    header('Location: /login/');
    exit(); // without this the rest of the page still runs for an unauthenticated visitor
}

if ($_POST) {
    $mysqli = new mysqli($db['hostname'], $db['username'], $db['password'], $db['database']);
    /* check connection */
    if ($mysqli->connect_errno) {
        printf("Connect failed: %s\n", $mysqli->connect_error);
        exit();
    }

    // The re-entered password is hashed with md5() here, the same way as on the login page,
    // and compared against the stored hash in the WHERE clause.
    $result = $mysqli->query("UPDATE users SET email = '" . mysqli_real_escape_string($mysqli, $_POST['email'])
        . "' WHERE password = '" . mysqli_real_escape_string($mysqli, md5($_POST['password']))
        . "' AND id = '" . (int) $_SESSION['id'] . "'");

    // query() returns true for any UPDATE that executes without error, even when no row
    // matched the WHERE clause; $mysqli->affected_rows holds the number of rows changed.
    if ($result == 1) {
        echo "Email successfully updated. Please attempt to log in with your existing password";
        // Debugging output only (see below); never print passwords or session data in production.
        print_r($_POST);
        print_r($_SESSION);
        echo md5($_POST['password']);
    } else {
        echo "epic fail";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<?php
include INCLUDES . 'head_tags.php';
?>
</head>
<body>
<div class='container'>
<?php
include INCLUDES . 'header.php';
include INCLUDES . 'nav.php';
?>
<div class='two-thirds column'>
<h2>User control panel</h2>
<p>Welcome to the secure page <?php echo htmlspecialchars($_SESSION['forename'] . " " . $_SESSION['surname'], ENT_QUOTES, 'UTF-8'); ?></p>
<p>You are currently registered with email address <?php echo htmlspecialchars($_SESSION['email'], ENT_QUOTES, 'UTF-8'); ?></p>
<h2>Change user details</h2>
<p>If you would like to change your email address, please complete the form below.</p>
<form action='#' method='post'>
<div>
<label for="email">E-mail address:</label>
<input type="email" id="email" name="email" placeholder="Email address" autocomplete="on" required>
<label for="password">Password:</label>
<input type="password" id="password" name="password" placeholder="Existing Password" autocomplete="on" required>
</div>
<input type='submit' value='submit'>
</form>
</div>
</div>
<?php
include INCLUDES . 'footer.php';
?>
These lines would not normally be in the code, but I have been trying to debug:
print_r($_POST);
print_r($_SESSION);
echo md5($_POST['password']);
In print_r($_POST) the password is in plain text in the array, and echoing md5($_POST['password']) returns the password as an MD5 hash. It is an exact match to what is in the database.
Any help will be great :).
$_POST variable does not encode as MD5 hash when updating database
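The check the poster's code is missing is the row count: mysqli::query() returns true for any UPDATE that runs without a SQL error, so `if($result == 1)` prints "successfully updated" even when the WHERE clause matched nothing. The following is an added example, not the poster's code, that reproduces the question's "UPDATE ... WHERE password = md5(...) AND id = ..." pattern with a prepared statement and an explicit row-count check, and then shows the hardened pattern a practitioner would use instead: fetch the stored hash by id, compare it in PHP with a constant-time comparison, and only then update by id. It assumes PDO with the SQLite driver is available so it runs offline against an in-memory database; the table, user row and passwords are constructed sample data. MD5 is kept only to match the question; the same structure applies with password_hash() and password_verify().

```php
<?php
// Added example (not the original poster's code). Assumes PDO + pdo_sqlite are installed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one user stored the way the question's schema implies,
// i.e. an unsalted MD5 of the password in the `password` column.
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, password TEXT NOT NULL)');
$pdo->prepare('INSERT INTO users (id, email, password) VALUES (?, ?, ?)')
    ->execute([7, 'old@example.com', md5('correct horse')]);

/**
 * The pattern from the question: UPDATE ... WHERE password = md5(...) AND id = ?,
 * but with bound parameters and with the number of changed rows returned.
 * execute() succeeds whether or not a row matched; rowCount() is what decides success.
 */
function changeEmailLikeTheQuestion(PDO $pdo, int $id, string $newEmail, string $password): int
{
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE password = ? AND id = ?');
    $stmt->execute([$newEmail, md5($password), $id]);
    return $stmt->rowCount();
}

/**
 * Hardened variant: look up the stored hash by id, verify the re-entered password
 * in PHP with hash_equals() (constant-time), and only then UPDATE by id alone.
 * With password_hash() in the column this becomes password_verify($password, $stored).
 */
function changeEmailVerifiedFirst(PDO $pdo, int $id, string $newEmail, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !hash_equals((string) $stored, md5($password))) {
        return false; // unknown id or wrong password: nothing is written
    }
    $stmt = $pdo->prepare('UPDATE users SET email = ? WHERE id = ?');
    $stmt->execute([$newEmail, $id]);
    return $stmt->rowCount() === 1;
}

// Wrong password: the statement executes without error but changes no row.
var_dump(changeEmailLikeTheQuestion($pdo, 7, 'new@example.com', 'wrong'));
// Right password: exactly one row changes.
var_dump(changeEmailLikeTheQuestion($pdo, 7, 'new@example.com', 'correct horse'));
// Hardened path, right password, new address.
var_dump(changeEmailVerifiedFirst($pdo, 7, 'newer@example.com', 'correct horse'));
var_dump($pdo->query('SELECT email FROM users WHERE id = 7')->fetchColumn());
```

With mysqli the equivalent of rowCount() is `$mysqli->affected_rows` after the query. One MySQL-specific caveat: affected_rows counts rows whose values actually changed, so submitting the email address that is already stored reports 0 even though the password matched, unless the connection was opened with the MYSQLI_CLIENT_FOUND_ROWS flag; the verify-then-update pattern above avoids that ambiguity because the password check no longer depends on the UPDATE's row count.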