
I'm currently a 3rd-year web-dev student, and for a school project we have to build a website with a change-password function using PDO and hashes. However, I have run into a problem I cannot solve on my own, and I also haven't found any similar questions on either Google or Stack Overflow.

We have to store 2 passwords in the database: the old password (which is the password the user last used) and their current password (which will be used to log in).

All of the passwords are stored with a standard PHP hash (the password_hash() method).

When changing the user's password, I have to get the current password (the one used to log in) from the database and move it to the oldpassword (the last used password) column, while putting the new hashed password into the database.

The problem is: I can't seem to use a hashed password in a PDO query. I do need to point out that I have never worked with PDO before, but after googling a bit I don't think I have an error in my query, but rather in the data being passed to that query.

This is where I get all the current data from the database:

/*prepare and execute a query*/
$sqlStatement = $this->db->prepare("SELECT username, password, oldpassword FROM users WHERE username = :username");
$sqlStatement->bindParam(":username", $username, PDO::PARAM_STR);
$sqlStatement->execute();

/*Fetch the query results*/
$values = $sqlStatement->fetch(PDO::FETCH_ASSOC);

And this is where I try to store the data in the database using a PDO SQL query:

/*Create variables to use in queries*/
$queryPassword = password_hash($password, PASSWORD_DEFAULT);

/*Update the passwords*/
$sqlStatement2 = $this->db->prepare("UPDATE password, oldPassword VALUES (:password, :oldpassword)");
$sqlStatement2->bindParam(":password", $queryPassword, PDO::PARAM_STR);
$sqlStatement2->bindParam(":oldpassword", $values["password"] , PDO::PARAM_STR);
$sqlStatement2->execute();

$password and $username are variables passed from a form to the function that changes the user's password:

public function updateUserPasswords($username, $password){

What I find odd is: if I do a var_dump on $values["password"] I get the following data:
string(60) "$2y$10$BBCpJxgPa8K.iw9ZporxzuW2Lt478RPUV/JFvKRHKzJhIwGhd1tpa"

Where my query error gives me the following data:
$2y$10$

It's as if only the hash is being sent to the query.

==EDIT==

The SQL error being sent to the browser is:

Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'VALUES ('$2y$10$AC.aMG/gNV9zwGB/v/g7keW9jsZ80kuejrSh693DPuhOYChFxA6wu', '$2y$10$' at line 1' in /srv/jip/www/www.jip.nl/classes/user.class.php:92 Stack trace: #0 /srv/jip/www/www.jip.nl/classes/user.class.php(92): PDOStatement->execute() #1 /srv/jip/www/www.jip.nl/pages/first_login.php(26): User->updateUserPasswords('username', 'password') #2 {main} thrown in /srv/jip/www/www.jip.nl/classes/user.class.php on line 92
Comments:

  • You are updating all the passwords in your table. Commented Oct 15, 2015 at 10:51
  • What is your max length on your password field in the database? I'm guessing it's 7. Commented Oct 15, 2015 at 10:51
  • @noobie-php Why would you use MySQL hashing functions? PHP has much more secure hashing functions available than MySQL does (for instance password_hash() uses bcrypt with multiple rounds). Commented Oct 15, 2015 at 10:52
  • User inputs password in form > form is sent > PHP hashes input from form > PHP stores hash in database. Everything's fine here. Commented Oct 15, 2015 at 10:56
  • What is that "query error" you are talking about? Commented Oct 15, 2015 at 10:58

2 Answers


Don't retrieve the data using the hashed password, because password_hash() generates a new hash with a different salt whenever it's used.

Retrieve the record using just the username, then use password_verify() to validate the password.

EDIT

Your update query references columns, but no table, and without a WHERE clause:

$sqlStatement2 = $this->db->prepare("UPDATE users SET password=:password, oldPassword=:oldpassword WHERE username = :username");
$sqlStatement2->bindParam(":password", $queryPassword, PDO::PARAM_STR);
$sqlStatement2->bindParam(":oldpassword", $values["password"] , PDO::PARAM_STR);
$sqlStatement2->bindParam(":username", $username, PDO::PARAM_STR);
$sqlStatement2->execute();

binding with the appropriate values
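The complete change-password flow the answer describes, as an added example that is not the asker's or the answerer's code: look the user up by username only, re-check the current password with password_verify(), hash the new one, and move the old hash into oldpassword with a single UPDATE ... SET ... WHERE. It assumes a users table with columns username, password and oldpassword (the hash columns at least 60 characters wide, since a bcrypt hash is 60 characters) and a PDO handle in $this->db that throws exceptions, as the stack trace in the question shows it does. The '$2y$10$' seen in the 1064 message is only MySQL cutting the "near" snippet at 80 characters, not a truncated value.

```php
<?php
// Added example (hypothetical class, not the project's own code).
// Assumed schema: users(username, password, oldpassword), hash columns VARCHAR(255).
class User
{
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db; // assumed: PDO::ATTR_ERRMODE set to ERRMODE_EXCEPTION
    }

    public function updateUserPasswords($username, $currentPassword, $newPassword)
    {
        // Look up by username only. A stored hash can never be used as a lookup
        // key: password_hash() salts every call, so the same password hashes differently.
        $select = $this->db->prepare(
            "SELECT password, oldpassword FROM users WHERE username = :username"
        );
        $select->bindValue(":username", $username, PDO::PARAM_STR);
        $select->execute();
        $row = $select->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return false; // unknown user
        }

        // Re-verify the current password against the stored hash before changing it.
        if (!password_verify($currentPassword, $row["password"])) {
            return false;
        }

        // Only the hash of the new password is stored, never the plaintext.
        $newHash = password_hash($newPassword, PASSWORD_DEFAULT);

        // UPDATE needs a table, SET and a WHERE clause; without WHERE every row changes.
        // The current hash is copied into oldpassword in the same statement.
        $update = $this->db->prepare(
            "UPDATE users SET password = :password, oldpassword = :oldpassword "
            . "WHERE username = :username"
        );
        $update->bindValue(":password", $newHash, PDO::PARAM_STR);
        $update->bindValue(":oldpassword", $row["password"], PDO::PARAM_STR);
        $update->bindValue(":username", $username, PDO::PARAM_STR);
        $update->execute();

        return $update->rowCount() === 1; // exactly one user row touched
    }
}
```

bindValue() is used instead of bindParam() because the values are fixed at bind time and bindParam() binds by reference.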


3 Comments

All right, thanks for your quick response, I'll give it a try and check back when I have done so.
Well explained and quite logical
The where clause is indeed missing; I haven't added it yet because the table only has a single result for testing at the moment. As for the table, it's included in the $this->db

Turned out my query was indeed incorrect; it's been a while since I last made an update query and I put it in the same format as an insert query.

Mark Baker's solution also fixed the problem with retrieving the old password from the database. Retrieving the information using just the username has worked.
