I'm writing a PHP file to allow the user to change their password, but I'm having a strange problem. I require the old password to confirm the account and the new password. Given that the credentials are correct, this page always returns me that the user's password is incorrect and therefore returns the echo in line 12 "Old password wrong". If I launch a "select * from utente" in the pgAdmin query tool to see the password, I don't see any changes in the box of password. Then if I go back to the form to change the password and if I enter in the old password box the new password that I would have liked to change before, but that seemed not to have been accepted because the old one was not recognized before, the procedure is successful. I swear I can't understand why. I thought it was a bug in md5, but it doesn't go with sha1 either. I am aware that both are unsafe, but now I have to use one of them. How can I solve it? Thanks in advance
<?php
$dbconn = pg_connect("host=localhost port=5432 dbname=progetto user=postgres password=password")
or die('Could not connect:' . pg_last_error());
if(!(isset($_POST['changeButton']))){
header("Location: utente.php");
}else{
$email = $_COOKIE["cookieEmail"];
$oldPassword = sha1($_POST['oldpassword']);
$q1="select * from utente where email = $1 and password = $2";
$result=pg_query_params($dbconn,$q1,array($email, $oldPassword));
if($line=pg_fetch_array($result ,null ,PGSQL_ASSOC)){
echo "<h1>Old password wrong</h1>
<a href=formCambiaPassword.php>Click here</a>";
}else{
$newPassword = sha1($_POST['newpassword']);
$q2 = "update utente set password=$1 where email=$2";
$result=pg_query_params($dbconn, $q2, array($newPassword, $email));
if($result==true){
$q3="select * from utente where email = $1 and password = $2";
$result=pg_query_params($dbconn,$q3,array($email, $newPassword));
if($line=pg_fetch_array($result ,null ,PGSQL_ASSOC)){
echo "<h1>Error</h1>
<a href=formCambiaPassword.php>Click here</a>";
}else{
header("Location: utente.php");
}
}else{
echo "<h1>Error 2</h1>
<a href=formCambiaPassword.php>Click here</a>";
}
}
}
?>
Your if statement is looking for true when it should be checking for false.
if(!pg_fetch_array($result ,null ,PGSQL_ASSOC)){
Your code should be as follows:
<?php
$dbconn = pg_connect("host=localhost port=5432 dbname=progetto user=postgres password=password")
or die('Could not connect:' . pg_last_error());
if(!(isset($_POST['changeButton']))){
header("Location: utente.php");
}else{
$email = $_COOKIE["cookieEmail"];
$oldPassword = sha1($_POST['oldpassword']);
$q1="select * from utente where email = $1 and password = $2";
$result=pg_query_params($dbconn,$q1,array($email, $oldPassword));
if(!pg_fetch_array($result ,null ,PGSQL_ASSOC)){
echo "<h1>Old password wrong</h1>
<a href=formCambiaPassword.php>Click here</a>";
}else{
$newPassword = sha1($_POST['newpassword']);
$q2 = "update utente set password=$1 where email=$2";
$result=pg_query_params($dbconn, $q2, array($newPassword, $email));
if($result==true){
$q3="select * from utente where email = $1 and password = $2";
$result=pg_query_params($dbconn,$q3,array($email, $newPassword));
if($line=pg_fetch_array($result ,null ,PGSQL_ASSOC)){
echo "<h1>Error</h1>
<a href=formCambiaPassword.php>Click here</a>";
}else{
header("Location: utente.php");
}
}else{
echo "<h1>Error 2</h1>
<a href=formCambiaPassword.php>Click here</a>";
}
}
}
?>