Validating Password

Hi All, I am trying to modify my code to validate password criteria. I have the part checking the security code working fine, but I seem to be looping with the password validating. No matter what I type as password I get the error message. Can someone see what I am doing wrong here and suggest a fix? It's probably something simple but being new to this I can't see it.

<?php
require('edb.php');
$id = $_REQUEST['id'];
$SecurityCode = $_REQUEST['SecurityCode'];

$result = mysqli_query($conn, "SELECT * FROM `eusers` WHERE id = '".$_SESSION['uid']."'");
$test = mysqli_fetch_array($result);
if (!$result) {
    die("Error: Data not found..");
}
$FirstName    = $test['FirstName'];
$LastName     = $test['LastName'];
$State        = $test['State'];
$Username     = $test['Username'];
$Password     = $test['Password'];
$Email        = $test['Email'];
$Active       = $test['Active'];
$SecurityCode = $test['SecurityCode'];   // overwrites the $SecurityCode read from $_REQUEST above
$AdviserCode  = $test['AdviserCode'];
$UserType     = $test['UserType'];

if (isset($_POST['Submit'])) {
    $Password_save     = sha1($_POST['Password']);
    $Email_save        = $_POST['Email'];
    $Active_save       = $_POST['Active'];
    $SecurityCode_save = $_POST['SecurityCode'];

    // check if the submitted security code matches the one on file
    if ($SecurityCode != $SecurityCode_save) {
        // if not, display error message
        echo "<center>The <b>Security Code</b> you supplied did not match the file! Your password has not been updated.</center>";
    } else {
        // Validate password strength
        $password     = $Password_save;
        $uppercase    = preg_match('@[A-Z]@', $password);
        $lowercase    = preg_match('@[a-z]@', $password);
        $number       = preg_match('@[0-9]@', $password);
        $specialChars = preg_match('@[^\w]@', $password);

        if (!$uppercase || !$lowercase || !$number || !$specialChars || strlen($password) < 8) {
            echo 'Password should be at least 8 characters in length and should include at least one upper case letter, one number, and one special character.';
        } else {
            // END PASSWORD CHECK
            mysqli_query($conn, "UPDATE `eusers` SET Password ='$Password_save' WHERE id ='".$_SESSION['uid']."' && SecurityCode ='$SecurityCode_save'")
                or die(mysqli_error("Password change was not saved. You entered an incorrect Security Code"));
            echo "Saved! Your password has been updated.";
        }
    }
}
?>

Sorry to inform you but pretty much all that code needs to go.

You need to use Prepared Statements and learn about password_hash and password_verify.

Do not create variables for nothing. You are also overwriting variables. You need to check the REQUEST METHOD, not hope the name of a button is submitted in order for the code to work.

It also looks like you are trying to do everything at once: validation, verification and saving all at the same time. That right there is a recipe for disaster.

The password validation logic you use in the password reset code should be identical to what you used in the ‘registration’ code.

If you echo $password; as a debugging tool, you will see why it doesn’t pass the validation.

You also apparently don’t understand the return value from the two queries, i.e. the $result variable and the or die(…) statement. If those queries fail due to an sql error, they will return a false value. If the select query executes, but doesn’t match a row, that isn’t an sql error. Likewise, if the update query executes, but doesn’t match a row, that isn’t an sql error. To detect if a select query didn’t match a row, you would test the result of the fetch statement. If the update query didn’t either match a row or the updated new value is the same as the old value, the number of affected rows will be zero (see the mysqli->affected_rows property or mysqli_affected_rows() function.)

I reviewed your most recent threads. While one was a couple of years ago (converting to PDO), the other was from earlier this year (a badly converted mysqli attempt.) It doesn’t appear like you saw and used any of the information in replies in those threads.
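A reworked change-password handler along the lines the two replies above describe, added here as an example and not code from the original poster or from either reply. It assumes the `eusers` table and `Password` column from the posted code, that `edb.php` provides a mysqli connection in `$conn` (with mysqlnd, so `get_result()` is available), and that the session has already been started; the form field names are assumptions, and the posted code's security-code comparison is replaced by verifying the user's current password. The strength rules are applied to the plaintext before hashing (the posted code checked the sha1 hex digest, which never contains an upper case letter or a special character), the queries are prepared statements with `password_hash()`/`password_verify()`, and the UPDATE is judged by `affected_rows` rather than by `or die()`.

```php
<?php
// Added example (not the original poster's code). Assumes edb.php provides a
// mysqli connection in $conn and that session_start() has already been called.
declare(strict_types=1);
require 'edb.php';

// Throw on SQL errors instead of quietly returning false from mysqli_query().
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Strength rules applied to the PLAINTEXT password, never to its hash.
 * Returns a list of human-readable problems; an empty array means acceptable.
 */
function passwordProblems(string $plain): array
{
    $problems = [];
    if (strlen($plain) < 8) {
        $problems[] = 'at least 8 characters';
    }
    if (!preg_match('/[A-Z]/', $plain)) {
        $problems[] = 'one upper case letter';
    }
    if (!preg_match('/[a-z]/', $plain)) {
        $problems[] = 'one lower case letter';
    }
    if (!preg_match('/[0-9]/', $plain)) {
        $problems[] = 'one digit';
    }
    if (!preg_match('/[^\w]/', $plain)) {
        $problems[] = 'one special character';
    }
    return $problems;
}

/**
 * Change the password of user $uid. Verifies the current password against the
 * stored password_hash() value, then stores a fresh hash with a prepared UPDATE.
 * Returns true only if a row was actually updated.
 */
function changePassword(mysqli $conn, int $uid, string $current, string $new): bool
{
    $stmt = $conn->prepare('SELECT Password FROM eusers WHERE id = ?');
    $stmt->bind_param('i', $uid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // No matching row is not an SQL error: fetch_assoc() simply returns no row.
    if (!$row || !password_verify($current, $row['Password'])) {
        return false;
    }

    $hash = password_hash($new, PASSWORD_DEFAULT);
    $stmt = $conn->prepare('UPDATE eusers SET Password = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $uid);
    $stmt->execute();
    $updated = $stmt->affected_rows;   // 0 means no row matched (or nothing changed)
    $stmt->close();
    return $updated === 1;
}

// Act only on an actual POST, not on the presence of a button name in the request.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Use the form to change your password.');
}
if (empty($_SESSION['uid'])) {
    http_response_code(403);
    exit('Not logged in.');
}

// Field names below are assumptions, not the original form's names.
$current = $_POST['current_password'] ?? '';
$new     = $_POST['new_password'] ?? '';
$confirm = $_POST['confirm_password'] ?? '';

if ($new !== $confirm) {
    exit('The new password and its confirmation do not match.');
}
$problems = passwordProblems($new);
if ($problems !== []) {
    exit('Password needs: ' . implode(', ', $problems) . '.');
}
if (changePassword($conn, (int) $_SESSION['uid'], $current, $new)) {
    echo 'Saved! Your password has been updated.';
} else {
    echo 'Password change was not saved: current password incorrect.';
}
```

The same `passwordProblems()` function should be called from the registration code as well, so the rules stay identical in both places.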

I’m no expert, but I have a simple, working PDO login. Students use an email and a password.

First, register. If the student number is not in my database, they don’t get in. Then write the email and password to the database.

else {
    // hash the password with password_hash()
    $password = password_hash($password, PASSWORD_DEFAULT);

    // write the new user's email and password hash to our database
    $stmt = $pdo->prepare('UPDATE allstudents20BE1 SET email = :email, password = :password WHERE studentnr = :studentnr');

    try {
        $stmt->execute(['email' => $email, 'password' => $password, 'studentnr' => $studentnr]);

        $_SESSION['register_success'] = 'Registration succeeded! User verified. You can <a href="index.php">login</a> now';
    }

Then, at login, the first thing that gets checked is the email; if that doesn't check out, they get bounced back. If the email is good, check the password.

try {
    // check the password now
    if ($stmt->rowCount() > 0) {
        // get the row
        $user = $stmt->fetch();
        $studentnr = $user['studentnr'];
        $weeknr = 'Week19';
        //echo 'student number is ' . $studentnr;
        //exit();
        // first check the password. If incorrect, bail out
        // validate the password against the stored hash
        if (!password_verify($password, $user['password'])) {
            $_SESSION['loginerror'] = 'Incorrect password!!';
            //include 'index.php';
            header('location: index.php');
            exit();
        }
        // validate the password against the stored hash
        if (password_verify($password, $user['password'])) {
            // action after a successful login
            // for now just message a successful login
            $_SESSION['success'] = 'User verification successful';
            $_SESSION['isloggedin'] = 'True';

I write other stuff to the database after this, because I have to keep track of the time of login (attendance). Then further down is:

header('location: 20BE1sW16.html.php');
exit();

Like I said, may not be perfect, but it works for me!

You can find a lot of information on the net about making a PDO login system. But doing it the first time can be confusing!
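A complete login handler in the PDO style of the post above, added here as an example and not the poster's own code. It assumes the table `allstudents20BE1` with columns `studentnr`, `email` and `password` named in the post, a PDO connection in `$pdo` configured with `PDO::ERRMODE_EXCEPTION`, that `session_start()` has been called, and the redirect targets from the post. It differs from the fragment above in three practical points: a matching row is detected by the value `fetch()` returns rather than by `rowCount()`, since `rowCount()` is not guaranteed to report the size of a SELECT result on every driver; a pre-registered student whose `password` column is still NULL is handled before `password_verify()` is called; and the session id is regenerated after a successful login.

```php
<?php
// Added example (not the poster's code). Assumes $pdo is a PDO connection with
// PDO::ERRMODE_EXCEPTION set and that session_start() has already been called.
declare(strict_types=1);

/**
 * Look up the student by email and verify the password.
 * Returns the user row (without the hash) on success, or null on any failure.
 * The reason for failure is deliberately not distinguished, so the response
 * cannot be used to enumerate which emails are registered.
 */
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT studentnr, email, password FROM allstudents20BE1 WHERE email = :email'
    );
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    if ($user === false || $user['password'] === null) {
        // Unknown email or student not yet registered: spend roughly the same
        // time as a real verification so timing does not reveal which it was.
        password_verify($password, password_hash('not-a-real-password', PASSWORD_DEFAULT));
        return null;
    }

    if (!password_verify($password, $user['password'])) {
        return null;
    }

    // Upgrade the stored hash if the default algorithm or cost has changed
    // since it was created; the plaintext is only available at login time.
    if (password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare(
            'UPDATE allstudents20BE1 SET password = :password WHERE studentnr = :studentnr'
        );
        $upd->execute([
            'password'  => password_hash($password, PASSWORD_DEFAULT),
            'studentnr' => $user['studentnr'],
        ]);
    }

    unset($user['password']);
    return $user;
}

// The login form must be POSTed; anything else goes back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit();
}

$email    = trim($_POST['email'] ?? '');
$password = $_POST['password'] ?? '';

$user = authenticate($pdo, $email, $password);
if ($user === null) {
    $_SESSION['loginerror'] = 'Incorrect email or password.';
    header('Location: index.php');
    exit();
}

// A fresh session id on login prevents session fixation.
session_regenerate_id(true);
$_SESSION['isloggedin'] = true;
$_SESSION['studentnr']  = $user['studentnr'];
$_SESSION['success']    = 'User verification successful';
header('Location: 20BE1sW16.html.php');
exit();
```

Attendance bookkeeping (the login time the post mentions) belongs after `authenticate()` returns a row and before the redirect, keyed on `$user['studentnr']`.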
