-8
```php
<?php
    if(isset($_POST['re_password']))

    if (isset($_GET["token"]) && isset($_GET["email"])) {
        $connection = new mysqli("localhost", "id4767104_root1", "Deepak@1", 
    "id4767104_phpusernameconfirmation");

        $email = $connection->real_escape_string($_GET["email"]);
        $token = $connection->real_escape_string($_GET["token"]);

        $data = $connection->query("SELECT id FROM users WHERE email='$email' 
    AND token='$token'");

        if ($data->num_rows > 0) {
        $old_pass=$_POST['cpass'];
        $new_pass=$_POST['newpass'];
        echo "$old_pass";
        $re_pass=$_POST['newpass1'];
        $chg_pwd=mysqli_query("select id, password from users where 
    email='$email'");
        $chg_pwd1=mysqli_fetch_array($chg_pwd);
        echo "$chg_pwd1";
        $data_pwd=$chg_pwd1['password'];

    if($data_pwd==$old_pass){

    if($new_pass==$re_pass){
            $hashedPassword = password_hash($new_pass, PASSWORD_BCRYPT);
            $update_pwd=mysql_query("UPDATE users SET password='$new_pass', 
    token = '' WHERE email='$email'");
            echo "<script>alert('Update Sucessfully'); 
    window.location='index.php'</script>";
        }

    else{
            echo "<script>alert('Your new and Retype Password is not match'); 
    window.location='index.php'</script>";
        }
        }

    else
        {
        echo "<script>alert('Your old password is wrong'); 
    window.location='register.php'</script>";
        }


            } else {
            echo "Please check your link!";
        }
    } else {
        header("Location: login.php");
        exit();
    }
?>
```
B. Desai
Dee Boxer
  • is $data_pwd a hashed password? – Ende Apr 04 '18 at 06:23
  • Your script is at risk of [SQL Injection Attack](https://stackoverflow.com/q/60174/5914775). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](https://stackoverflow.com/q/5741187/5914775). Use [prepared parameterized statements](https://php.net/manual/en/mysqli.quickstart.prepared-statements.php) instead. – Tom Udding Apr 04 '18 at 06:27
  • yes $data_pwd is a hashed password – Dee Boxer Apr 04 '18 at 06:42
  • Then you need to use [password_verify](https://php.net/manual/en/function.password-verify.php) to let it compare with your new password – Ende Apr 04 '18 at 06:45
  • Hi J.Ende, as I am a beginner could you elaborate plz, as I am stuck with this code for a couple of days, thx! – Dee Boxer Apr 04 '18 at 06:46
  • Maybe you should read more yourself about [password_verify](https://php.net/manual/en/function.password-verify.php) and [hashing passwords](https://php.net/manual/en/function.password-hash.php). I hope you will understand better what your mistake is, otherwise look at B. Desai's comment – Ende Apr 04 '18 at 06:58
  • plz modify the code and post it, glad if you can :-) – Dee Boxer Apr 04 '18 at 07:03
  • The code has been posted as a large body of a question in this recent deleted candidate: https://stackoverflow.com/q/49645524/367456 – hakre Apr 04 '18 at 08:01
  • hakre what do you mean ? – Dee Boxer Apr 04 '18 at 08:04
  • @DeeBoxer: What do you mean? – hakre Apr 04 '18 at 08:07
  • hakre plz modify the code and post it, glad if you can :-) – Dee Boxer Apr 04 '18 at 08:18

1 Answer

3

As you are storing the password using `password_hash`, you need to compare the password with `password_verify`. Change your condition `if($data_pwd==$old_pass){` as below:

```php
if(password_verify($old_pass,$data_pwd)){
```
B. Desai
  • As I am a beginner could you elaborate plz! – Dee Boxer Apr 04 '18 at 06:30
  • As I already mentioned, whenever you store a password using the `password_hash` method, it will be stored as a **hash**; it will not be stored as normal text. So you need to use `password_verify` when you have to compare passwords. You can get information from http://php.net/manual/en/function.password-verify.php and http://php.net/manual/en/function.password-hash.php – B. Desai Apr 04 '18 at 06:35
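
The advice in this thread combined into one handler, as an added example that is not part of the original question or answer: prepared statements instead of interpolated SQL, `password_verify` for the old password, and the `password_hash` output (not the plaintext) written back. It assumes PDO with an in-memory SQLite database in place of the page's MySQL server so it runs offline; `change_password()`, its status strings and the sample row are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: returns a status string instead of echoing <script> alerts.
function change_password(PDO $db, string $email, string $token,
                         string $old, string $new, string $retype): string
{
    // A used token is reset to '' below, so an empty token must never match a row.
    if ($token === '') {
        return 'bad-link';
    }
    // Placeholders keep email and token out of the SQL text entirely.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = ? AND token = ?');
    $stmt->execute([$email, $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'bad-link';
    }
    // The stored value is a password_hash() string, so == against the plaintext
    // never matches; password_verify() re-hashes $old with the stored salt and cost.
    if (!password_verify($old, $row['password'])) {
        return 'wrong-old-password';
    }
    if ($new !== $retype) {
        return 'retype-mismatch';
    }
    // Store the hash, never $new itself, and clear the one-time token.
    $upd = $db->prepare("UPDATE users SET password = ?, token = '' WHERE id = ?");
    $upd->execute([password_hash($new, PASSWORD_BCRYPT), $row['id']]);
    return 'updated';
}

// Constructed sample data (assumption: same users columns as the question's queries).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, token TEXT, password TEXT)');
$ins = $db->prepare('INSERT INTO users (email, token, password) VALUES (?, ?, ?)');
$ins->execute(['user@example.com', 'tok123', password_hash('old-secret', PASSWORD_BCRYPT)]);

$tries = [
    ["x' OR '1'='1", 'tok123', 'old-secret', 'n3w', 'n3w'],   // quote characters are bound as data
    ['user@example.com', 'tok123', 'wrong', 'n3w', 'n3w'],    // old password does not verify
    ['user@example.com', 'tok123', 'old-secret', 'n3w', 'n3W'], // retype differs
    ['user@example.com', 'tok123', 'old-secret', 'n3w', 'n3w'], // valid change
    ['user@example.com', '', 'n3w', 'again', 'again'],        // cleared token is rejected
];
foreach ($tries as $t) {
    echo change_password($db, ...$t), PHP_EOL;
}
```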