Password changer.

Teach

Hello.

I hope you can help me please.
We are currently using this login.php, which works to protect a staff area by using an include on each php we want to protect:

include_once('/home/foo/htdocs/staff/protect.php');

There is also present a logout.php which obviously logs the user out, the included protect.php to ensure users are logged in to view a page, as well as the following login.php. Our users and passwords are not stored in a database, they are stored in a flatfile (as we cannot use SQL yet...):

<?php
session_start();

function output_error($text='')
{
    include_once('/home/foo/htdocs/header.php'); 
      echo "<p>Errors:</p>\n<ul>\n" . $text . "\n</ul>\n";
    include_once('/home/foo/htdocs/footer.php');
    exit();
}

if (!isset($_SESSION['correctcode'])) {
    output_error('<li>enable cookies.</li>');
}

$correctcode = $_SESSION['correctcode'];
$securitycode = $_POST['securitycode'];
if ($securitycode != $correctcode) {
    output_error('<li>human validation check failed.</li>');
}

$user_data = file("/home/foo/hidden/users.txt");
foreach($user_data as $val)
{
  list($user, $pwd) = explode(",", trim($val));
  $users[$user] = $pwd;
}

$username = $_POST['username'];
$password = md5($_POST['password']);

if (array_key_exists($username, $users))
{
    if ($password == $users[$username])
    {
      $_SESSION['logged'] = true;
      $_SESSION['username'] = $username;
      $_SESSION['password'] = $password;
      $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
      setcookie('logindate', date('d/m/Y'));
      setcookie('logintime', date('H:i:s'));
      header ("Location: [url]http://www.domain.com/staff/home.php[/url]");
      exit();
    }
    else
    {
      output_error('<li>password has been entered incorrectly.</li>');
    }
}
else
{
    output_error('<li>username has not been recognised.</li>');
}
?>

Basically, what we want to accomplish is a 'pass.php' which will do the following:

a) Confirm that the old password is correct before proceeding.
b) Confirm a new and confirmed password field match before continuing.
c) Make an MD5 hash of the password and update our users.txt.

The syntax of our users.txt is:

name,md5hashpass

Obviously to achieve this... I realise I would need to use a standard form which would post to a pass.php, but can you advise what field names we'd need?

So far, for the actual pass.php I have the following, can you suggest improvements to actually get it to achieve the above list?

Any help is MUCH appreciated, thank you!

pass.php:

<?php
 include_once('/home/foo/htdocs/staff/protect.php');

function output_error($text='')
{
    include_once('/home/foo/htdocs/header.php'); 
      echo "<ul>\n" . $text . "\n</ul>\n";
    include_once('/home/foo/htdocs/footer.php');
    exit();
}

if( md5($oldpass) == $nowpass )
{
  if( $newpass == $newpass2 )
  {
    $file = file( "/path/to/users.txt" );

// Scan the file for the right line, and replace it, at the same time, build the new file to be written

while( list($key,$val) = each($file) )
{
  if( ereg( $user, $val) )
  $val = $newpass;

  $newfile .= "$key,$val\n";
}

// Now we have a variable $newfile, which contains the contents of the new file to be written

// Write the file
$fp = fopen( "/path/to/users.txt", "w" );
fwrite( $fp, $newfile, strlen($newfile) );
fclose($fp);
  }
  else
  {
     output_error('<li>the new and confirmed passwords did not match.</li>');
  }
}
else
{
  output_error('<ul>the password you entered is not your current password.</li>');
}
 ?>

Teach

Any ideas, please? 🙂

Installer

Try this for a start (untested):

session_start();

if (!$_SESSION['logged']) {
    exit('Not logged in.');
} elseif (!isset($_POST['submit'])) {
    if (isset($_GET['err'])) {
        switch ($_GET['err']) {
            case 'wrong':
                echo 'Wrong old password.<br />';
                break;
            case 'mismatched':
                echo 'New password not confirmed.<br />';
                break;
            case 'invalid':
                echo 'Invalid password.<br />';
                break;
            default:
                echo 'You did something wrong.<br />';
        }
        echo 'Try again.<br />';
    }
    echo '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">
          Old Password: <input type="text" name="old_pw" /><br />
          New Password: <input type="text" name="new_pw" /><br />
          Reenter New Password: <input type="text" name="confirmed_new_pw" /><br />
          <input type="submit" name="submit" value="submit" />
          </form>';
} else {
    if (md5($_POST['old_pw']) != $_SESSION['password']) {
        header('Location: ' . $_SERVER['PHP_SELF'] . '?err=wrong');
        exit;
    } elseif ($_POST['new_pw'] != $_POST['confirmed_new_pw']) {
        header('Location: ' . $_SERVER['PHP_SELF'] . '?err=mismatched');
        exit;
    } elseif (!pw_validate($_POST['new_pw'])) {
        header('Location: ' . $_SERVER['PHP_SELF'] . '?err=invalid');
        exit;
    } else {
        $pw_lines = file('users.txt');
        foreach ($pw_lines as $key => $line) {
            list($user) = explode(',', $line);
            if ($user == $_SESSION['username']) { 
                $new_pw_line = $_SESSION['username'] . ',' . md5($_POST['new_pw'] . "\n"); 
                array_splice($pw_arr, $key, 1, $new_pw_line); 
                break; 
            } 
        }
        $fp = fopen('users.txt', 'w');
        foreach ($pw_lines as $line) {
            fwrite($fp, $line);
        }
        fclose($fp);
    }
}

function pw_validate($str)
{
    if (strlen($str) < 7) {  // Substitute your validation code
        return false;
    } else {
        return true;
    }
}

Edit: Several mistakes corrected. Others may remain.

SumitGupta

Hi,

I think you have return the good script for the purpose.

The logic is quite good in the script. About the field name in the HTML form you need to give the same name as your variable in php like newpass , newpass2

Your script will work The way you have give it...

It first check the user is login or not YOu did t
Than check the old password in File (not sure where you did that) Alterabtively check for the session variable For password.

Than replace the old password with new..

so where is the confusion ???😕

Teach

Thank you. 🙂
Okay, thank you for your comments.

How could we also echo the message regarding the password being successfully changed?

Installer

Just insert an "echo" line after the "fclose()" line:

...
        } 
        fclose($fp);
        echo 'Success.'; 
    }
...

madwormer2

When working with a protecting include, its usually best to use require() rather than include_once(), because if the file goes missing, or get an access error or something, everyone will be able to access your protected paged

Just a tip.

Teach

Thank you. I have taken all those comments on board, and actioned those - thanks!

Lastly, for the actual form itself to submit to pass.php, what would my input names have to be for the old password, new password and confirmed password?

on the <input name=".." I mean...
Thanks!

Installer

If you're using the script I posted, you don't need to post anything to it. It's all self-contained. Just link to it however you want, e.g.:

echo '<a href="pass.php">Click here</a> to change your password.';

You will need to have the session elements set, however ('username', 'password', 'logged'), and maybe add a little error-checking here and there.

I hope I don't sound pedantic, but I wrote the script hoping it would be something you could learn from, use, and adapt, without just slapping it into your site. (And I try to learn at least a lilttle something from every piece of code I write--usually it's more than a little. That's half of why I'm here.) 🙂