Update password script.

Teach

Hello.

To introduce our problem, we are using a flatfile database in a non requestable directory through the web on our web server which contains our usernames and passwords (in md5 hash).

The syntax of this 'users.txt' is:

username,md5password

We have made a script that will do the following:
- Check that the current password matches the one in the userx.txt.
- Checks that the new password and confirmed passwords from the password changing form match.
- If so, then it will update users.txt with the new password in md5 with immediate effect.

The problems we're having is that no errors are occuring, but it simply is showing the 'Sorry, the password you entered is not your current password.' even though it is.
Also, we wanted to add a new message to say 'Password successfully changed.' if the whole process is working okay.

I hope this makes sense...

The actual HTML form looks like:

        <form action="/account/pass.php" method="post">
          <table class="forms" cellpadding="5" cellspacing="0" border="1">
            <tr>
              <th><label>Current password:</label></th>
              <td><input type="password" name="nowpass" maxlength="100" /></td>
            </tr>

        <tr>
          <th><label>New password:</label></th>
          <td><input type="password" name="newpass" maxlength="100" /></td>
        </tr>

        <tr>
          <th><label>Confirm password:</label></th>
          <td><input type="password" name="newpass2" maxlength="100" /></td>
        </tr>

        <tr>
          <th><label>Human Verification:</label></th>
          <td><img src="/img/image.php" alt="Security Code" />
           <strong>Code to the left:</strong> <input type="text" name="securitycode" id="securitycode" size="10" maxlength="6" /></td>
        </tr>

        <tr>
          <th><label>Change password:</label></th>
          <td colspan="2"><input type="submit" name="submit" value="Update password" /> <input type="reset" value="Reset" /></td>
        </tr>
      </table>
    </form>

and pass.php:

<?php
session_start();

function output_error($text='')
{
    include_once('/home/us/account/header.php'); 
      echo "<p>Please correct the following:</p>\n<ul>\n" . $text . "\n</ul>\n";
    include_once('/home/us/account/footer.php');
    exit();
}

if (!isset($_SESSION['correctcode'])) {
    output_error('<li>Please enable cookies.</li>');
}

$correctcode = $_SESSION['correctcode'];
$securitycode = $_POST['securitycode'];
if ($securitycode != $correctcode) {
    output_error('<li>The human validation check failed, please try again.</li>');
}

if( md5($oldpass) == $nowpass )
{
  if( $newpass == $newpass2 )
  {
    $file = file( "/home/us/hidden/users.txt" );

// Scan the file for the right line, and replace it, at the same time, build the new file to be written

while( list($key,$val) = each($file) )
{
  if( ereg( $user, $val) )
  $val = $newpass;

  $newfile .= "$key,$val\n";
}

// Now we have a variable $newfile, which contains the contents of the new file to be written

// Write the file
$fp = fopen( "/home/us/hidden/users.txt", "w" );
fwrite( $fp, $newfile, strlen($newfile) );
fclose($fp);
  }
  else
  {
     output_error('<li>Sorry, the new and confirmed passwords did not match.</li>');
  }
}
else
{
  output_error('<li>Sorry, the password you entered is not your current password.</li>');
}
 ?>

Any help greatly appreciated.
Thanks.

halojoy

if( $newpass == $newpass2 ) 
  { 
    $file = file( "/home/us/hidden/users.txt" ); 

// Scan the file for the right line, and replace it, at the same time, build the new file to be written 

while( list($key,$val) = each($file) ) 
{ 
  if( ereg( $user, $val) ) 
  $val = $newpass; 

  $newfile .= "$key,$val\n"; 
} 

// Now we have a variable $newfile, which contains the contents of the new file to be written 

// Write the file 
$fp = fopen( "/home/us/hidden/users.txt", "w" ); 
fwrite( $fp, $newfile, strlen($newfile) ); 
fclose($fp); 
  } 
  else 
  { 
     output_error('<li>Sorry, the new and confirmed passwords did not match.</li>'); 
  } 
}

This is the part you should look at.
If is not executed, but ALWAYS else

I use flat file login systems myself
no need to use external DB
php has enough capacity to store data in itself

my 'www' DEMO below, uses one flat file with format:

encryted-username|encryted-password
encrypted-username2|encrypted-password2
encrypted-username3|encrypted-password3

Teach

Hi halojoy.
Thanks for your reply, much appreciated. 🙂

I'm a bit confused, can you explain what you meant a bit clearer for me to understand?

I need to get that script working to check the old pass matches the current md5 in users.txt, match the new and confirmed password and then if all matches, update users.txt with the new md5 password and then echo out a message saying 'Password successfully changed.'

Sorry to be a pain. 🙂

halojoy

As you say always is displayed "Sorry, .."
This line is never TRUE
if( $newpass == $newpass2 )

$newpass is never == $newpass2
What you should do is to check out, if those 2 variables get their correct values:
$newpass, $newpass2

now maybe you understand

I prefer to help you solve your problem.
Instead of I solve YOUR problem.

there is a distinction.
isnt it?
🙂
When prople can gain knowledge, to solve their problems,
they are better off.
than if having to depend on, somebody else always should solve their problems.

Maybe I have my own problems to solve, too.

Drakla

Originally posted by halojoy
Maybe I have my own problems to solve, too.

Admitting you have a problem is halfway to being cured. Good for you.

halojoy

Originally posted by Drakla
Admitting you have a problem is halfway to being cured. Good for you.

Could you help us solve this
newpass == newpass2 problem, Drakula?
I see you have many postings ( 750 ) and should be very experienced.

I guess you wales people also have a big problems
with this ....
😃

halojoy - swedish newcomer and upcomer at phpbuilder.com
has not learned to stay put in his place, yet

leatherback

Hi Teach,

When people login, is there a problem then too?
What I mean is: Are you sure the variables are passed to the script properly. In 'newer' versions of PhP the security settings have changed a bit, forcing you to mention that you want to extract variables from extwernal sources.

SO if you post a form, typically, you would need to do this:

$newpass = $_POST['newpass'];

for each variable you have in the form.

If you pass variables throug the link, you would do the same, but with $_GET
.
[edit]

If taht is not the problem, place an echo after each 'if' statement for debuggin, preferably including the variables used in the if statement, to see what is being compared, and what the output is.

halojoy

Originally posted by leatherback
you would need to do this:
$newpass = $_POST['newpass'];

This is what I have pointed at.
Since my very first line in my very first Reply in this Topic:
if ( $newpass == $newpass2 )

thanks for helping me get my message through, leatherback
:bemused:

Weedpacket

md5($oldpass) == $nowpass

Sorry; is the user supposed to remember the MD5 of their password? And what is $oldpass, anyway? I wonder what would happen if you entered d41d8cd98f00b204e9800998ecf8427e in the "nowpass" field?

Teach

Hiya.

They're meant to just remember their plain old pass...is that wrong what I did then?🙂 Sorry...quite new to this.

I also tried adding in the $_POST stuff but this also didn't solve anything...

Thanks.

halojoy

To say it does not work ..
is not enough according to Forum Rules and Guidelines.

Run your current version of script with maximal error_reporting - both php / mysql
Tell us your results:
a) What did page put out? - See HTML Source in browser
b) What errors did PHP report, at what line numbers?
c) What errors did MySQL report?
Repost Current PHP Code you did run
I guess your script is somewhat changed ... by our advices

I wait here, for your results 🆒

Regards
halojoy - sitting in sweden in his room by his pc
waiting for Teach

Teach

Hi halojoy.

As you're aware by the above posts, it does not use any SQL - it's flatfile.
The code has not changed at all, so it's the same as above, and still the same error as described above.

Weedpacket

Originally posted by Teach
Hiya.

They're meant to just remember their plain old pass...is that wrong what I did then?🙂 Sorry...quite new to this.

It's just that you're comparing the text that the user entered ($nowpass) with the MD5 hash of $oldpass. That's only going to work if $nowpass - the text they entered - is an MD5 hash.

And you still haven't answered: what is $oldpass?

halojoy

Originally posted by Teach
Hi halojoy.
As you're aware by the above posts, it does not use any SQL - it's flatfile.
The code has not changed at all, so it's the same as above,
and still the same error as described above.

1. Flat Text File - Better to use in 19 cases of 20
--- Less problems, Faster, Easier. Good choice, Teach! halojoy is with you!

If code is not changed, no wonder you get the same error.
🙂

You might listen to us,
and make some changes.........
See you again tomorrow, Teach.

Teach

Hi again.
Sorry about that.

Okay, the only instance of 'oldpass' is on this line in the pass.php:

if( md5($oldpass) == $nowpass )

Is this what is causing problems?
On the acutal HTML form submitting to pass.php, it's nowpass in the field name...

What would I rewrite that to to check that $nowpass is the same (plain text) as in the users.txt even though the passwords into the user flat file are md5?
I only want the user to have to enter their password in plain text...

Also, for the new message of 'Password successfully changed.' would that go here like this, the full paste is above...

    fwrite( $fp, $newfile, strlen($newfile) );
    fclose($fp);
    output_error('<li>Password successfully changed.</li>');
  }

Thanks in advance.
Sorry about all the confusion.

Teach

Still no luck on this unfortunately, I've tried playing around with it, any ideas form my previous post ?

thanks.

konsu

Hello, the code that you posted initially uses these variables:

$oldpass
$nowpass
$newpass
$newpass2

the code does not initialise them. please make sure they are initialised before they are used. i would also turn on all error reporting to see cases where an uninitialised variable is used.

Teach

Hiya.
Thanks for the reply.

The HTML which submits to 'pass.php' contains :

nowpass for the old password.
newpass for the new password.
newpass2 for the confirmed new password.

I have added:

 $nowpass = $_POST['nowpass'];
 $newpass = $_POST['newpass'];
 $newpass2 = $_POST['newpass2'];

above:

if( md5($oldpass) == $nowpass )
{
  if( $newpass == $newpass2 )
  {

(the rest of the code is on one of my first posts to this thread).

What I need to get rid of is $oldpass as it's doing nothing, but the nowpass needs to be checked against the flatfile users.txt that the password matches - but the user will submit in plain text and the flatfile is in md5...

Also was the code on the previous page for the successful change message okay?

Thanks for your continued support.

konsu

would you post the complete page? $oldpass still remains uninitialised. i guess that you need to read it from the file.

Teach

Absolutely; thanks!

Here it is.

The HTML submitting to pass.php:

        <form action="/account/pass.php" method="post">
          <table class="forms" cellpadding="5" cellspacing="0" border="1">
            <tr>
              <th><label>Current password:</label></th>
              <td><input type="password" name="nowpass" maxlength="100" /></td>
            </tr>

        <tr>
          <th><label>New password:</label></th>
          <td><input type="password" name="newpass" maxlength="100" /></td>
        </tr>

        <tr>
          <th><label>Confirm password:</label></th>
          <td><input type="password" name="newpass2" maxlength="100" /></td>
        </tr>

        <tr>
          <th><label>Human Verification:</label></th>
          <td><img src="/img/image.php" alt="Security Code" />
           <strong>Code to the left:</strong> <input type="text" name="securitycode" id="securitycode" size="10" maxlength="6" /></td>
        </tr>

        <tr>
          <th><label>Change password:</label></th>
          <td colspan="2"><input type="submit" name="submit" value="Update password" /> <input type="reset" value="Reset" /></td>
        </tr>
      </table>
    </form>

pass.php:

<?php
session_start();

function output_error($text='')
{
    include_once('/home/us/account/protect.php');
    include_once('/home/us/account/header.php'); 
      echo "<p>Please correct the following:</p>\n<ul>\n" . $text . "\n</ul>\n";
    include_once('/home/us/footer.php');
    exit();
}

if (!isset($_SESSION['correctcode'])) {
    output_error('<li>Please enable cookies.</li>');
}

$correctcode = $_SESSION['correctcode'];
$securitycode = $_POST['securitycode'];
if ($securitycode != $correctcode) {
    output_error('<li>The human validation check failed, please try again.</li>');
}

 $nowpass = $_POST['nowpass'];
 $newpass = $_POST['newpass'];
 $newpass2 = $_POST['newpass2'];

if( md5($oldpass) == $nowpass )
{
  if( $newpass == $newpass2 )
  {
    $file = file( "/home/us/hidden/users.txt" );

// Scan the file for the right line, and replace it, at the same time, build the new file to be written

while( list($key,$val) = each($file) )
{
  if( ereg( $user, $val) )
  $val = $newpass;

  $newfile .= "$key,$val\n";
}

// Now we have a variable $newfile, which contains the contents of the new file to be written

// Write the file
$fp = fopen( "/home/us/hidden/users.txt", "w" );
fwrite( $fp, $newfile, strlen($newfile) );
fclose($fp); 
output_error('<li>Password successfully changed.</li>'); 
  }
  else
  {
     output_error('<li>Sorry, the new and confirmed passwords did not match.</li>');
  }
}
else
{
  output_error('<li>Sorry, the password you entered is not your current password.</li>');
}
 ?>

I'm guessing oldpass needs to go?