php - change password bug

Security and PHP
#1

Hey guys,

I create this code to change the user password.

But the “CurrentPassword” is not working with the NEw Password & Re-New Password.

So, if you put the New password & Re-Newpassword the code change the password and dont need the “Current Password”.

Can someone tell me where i’m wrong?.. I’m confused…

[php] $currentPassword = preg_replace(’/\s+/’, ‘’, $_POST[‘currentPassword’]);
$newPassword = preg_replace(’/\s+/’, ‘’, $_POST[‘newPassword’]);
$ConfirmPassword = preg_replace(’/\s+/’, ‘’, $_POST[‘ConfirmPassword’]);
$oldpass = IrBuscarPassword($_SESSION[‘user’][‘username’]);
$saltcode = IrBuscarSalt($_SESSION[‘user’][‘username’]);
$change = False;

    if(!empty($_POST)) 
	{ 
		$formEncriptedPass = hash('sha256', $currentPassword . $saltcode); 
			for($round = 0; $round < 65536; $round++) 
			{ 
				$formEncriptedPass = hash('sha256', $formEncriptedPass . $saltcode); 
			} 
		
		//Check if the password is on DB
		if($oldpass != $formEncriptedPass)
		{	
		
		//Check if is 6 caracters				
			if(strlen($_POST['currentPassword']) < 6)
			{
				echo "<div class='warning'><span class='icon-warning'></span><span class='mls'> Your password should contain at least 6 characters.</span></div>";
			} else {
		
		//Check if the password is correct
			echo "<div class='warning'><span class='icon-warning'></span><span class='mls'> Your Current Password is incorrect.</span></div>";
			}

		}
		
		//Check if the password is 6 caracters
		if(strlen($_POST['newPassword']) < 6)
			{
				echo "<div class='warning'><span class='icon-warning'></span><span class='mls'> Your New-Password should contain at least 6 characters.</span></div>";
			} else 
		{ 
			
			//Verify & Confirm 			
			if(hash('sha256',$_POST['newPassword'])) 
			{
					if($newPassword == '' || !isset($newPassword))
				{
					$change = False;
				
				} 
				else
				{
					if($ConfirmPassword == $newPassword) 
					{
						//changing for the new password
						$change = True;
						changePass($newPassword, $_SESSION['user']['username']);
						echo "<div class='success'><span class='icon-success'></span> Your password has been successfully changed.<span class='mls'> </span></div>";
					} else {
						//Error do not match
						$change = False;
						echo "<div class='warning'><span class='icon-warning'></span> The New-Password do not match.<span class='mls'> </span></div>";
					}
				}	
			}
		}	
	}[/php]
#2

Your whole code is junk and insecure. You need to trash it and start from scratch with current coding standards.

#3

humm how can i do it?

#4

Look into password_hash and password_verify, it’s very simple so your code will be much much shorter.

#5

To save you a little time, here is a short tutorial on how to handle those functions: ( Might Help! )

http://www.sitepoint.com/hashing-passwords-php-5-5-password-hashing-api/

Sponsor our Newsletter | Privacy Policy | Terms of Service