View original (French)

Password hashing in a database

llaumegui -  
 llaumegui -

Hello,

I am taking over a project from someone on which I need to make some modifications and corrections, particularly regarding security. One of the tasks is to strengthen the password hashing, so I chose the password_hash() function instead of sha1(). I succeeded in hashing the password in the database for user creation, and it works for the login part as well.

However, when we want to reset a password, the app sends an email to the user with the new password, and thus, the password in the user table receives an UPDATE and modifies the hashed password. The problem is that the new password is hashed in sha1 while I am using the password_hash() hashing function.

Here are the pieces of code concerned:

Here I retrieve the new password which is in a table while the email is sent to the user; the record is deleted a little later to avoid keeping the password in plain text in the database.

$req = "SELECT id, id_user, new_password FROM reinit_passwd WHERE key_gen = '$key'"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();

So the new password is in the reinit_passwd table (not hashed in the table) as seen previously, I retrieve it, hash it (as you can see I also tried sha256 which doesn't work either, sha1() is the function used by default).

if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_password']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp);

And it's at this point that I modify the password in the user table:

$req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor();

Even though I use the password_hash() function, the variable $motdepassehash inserts the password in sha1 in the user table.

If you have any ideas why this isn't working, I'd appreciate it.

Please be understanding; it's not always easy to take over someone else's code. Thank you in advance.

For your information, I am working on my localhost WAMP server which is connected to a remote server with the MySQL RDBMS.

Best regards

7 answers

Answer 1 / 7
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

Hello,

Given the snippets of code you’re showing us, there’s no reason for it to be in sha1.

We can deduce that you are not modifying in the right place (or that you have forgotten some).

Instead of just including a few snippets of code, please paste the complete content of your file (don't forget to indicate its name in case there are multiple files).

.
Best regards,
Jordane
0
Answer 2 / 7
llaumegui
 

For your information, my error message appears when I try to log in with the account I reset because the UPDATE inserted the password in sha1 while I use password_verify() for login, which seems logical.

Here are my two functions that handle password reset:

- First, I fetch the ID and email that the user enters to request the reset of their password. Then, if it exists, I create a new password that I store in plain text in a table (reinit_passwd) so that I can retrieve it later (this record is later deleted), and then I send an email with a link that redirects back to the application with a message "your password has been reset" (if it worked), and subsequently, I receive another email with the new password.

public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = '$login' AND mail = '$mail'"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat == false) { Toolbox::ajouterMessageAlerte("Invalid Login / Email combination", Toolbox::COULEUR_ROUGE); header('Location: ' . URL . "users/motdepasse"); } else { $char = '1234567890abcdefghijklmnopqrstuvwxyz0123456789'; $key = str_shuffle($char); $longueur = '8'; $possible = '123456789abcdfghjkmnpqrtvwxyzABCDFGHJKLMNPQRTVWXYZ'; $mdp = ''; // this value will be used later $longueurMax = strlen($possible); if ($longueur > $longueurMax) { $longueur = $longueurMax; } $i = 0; while ($i < $longueur) { // take a random character $caractere = substr($possible, mt_rand(0, $longueurMax - 1), 1); $mdp .= $caractere; $i++; } $req = "INSERT INTO reinit_passwd(id_user, key_gen, new_passwd) VALUES(:id_user, :key_gen, :new_password)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $resultat['id'], PDO::PARAM_STR); $stmt->bindValue(":key_gen", $key, PDO::PARAM_STR); $stmt->bindValue(":new_password", $mdp, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); //=====Declaration of messages in text and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have requested a new password for the Bl Portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have requested a new password for <b>the Bl Portal</b>.<br /><br />To confirm the password reset, please click on the link below: <br /><br /><a href=\"http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "\">http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "<a/></body></html>"; //========== //=====Creating the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "Portal - Forgotten password". chr(233); //========= //=====Creating the email header. $header = "From: \"Portal Bl\"***@***>" . $passage_ligne; $header .= "Reply-to: \"Portal Bl \" ***@***>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the plain text message. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the HTML message. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====Closing the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== if (mail($mail, $sujet, $message, $header)) { Toolbox::ajouterMessageAlerte("An email for password reset has been sent to you", Toolbox::COULEUR_VERTE); header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to send the email. Please try again. If the problem persists, contact the IT department", Toolbox::COULEUR_ROUGE); } }

Here we begin by retrieving the new plaintext password, if it exists, and we retrieve the user's email. I then modify the user's password with an UPDATE that should normally store a hashed password using the password_hash() function and not hashed in sha1. We then delete the plaintext password in the reinit_passwd table and send the email with the new password.

//Function to validate the password reset public function motDePasseReinitValidation($key) { $req = "SELECT id, id_user, new_passwd FROM reinit_passwd WHERE key_gen = '$key'"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_passwd']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); $req = "SELECT mail FROM user WHERE id = $idtempo"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); $mailtest = $resultatmail['mail']; $req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); $req = " DELETE FROM reinit_passwd WHERE id_user = $idtempo "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $idtempo, PDO::PARAM_INT); $resultatdelete = $stmt->execute(); $stmt->closeCursor(); //=====Declaration of messages in text and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have reset your password for the Portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have reset your password.<br /><br /> New password: " . $motdepassetemp . "<a/></body></html>"; //========== //=====Creating the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "Portal - New password"; //========= //=====Creating the email header. $header = "From: \"Portal\"<***@***>" . $passage_ligne; $header .= "Reply-to: \"Portal\"<***@***>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the plain text message. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the HTML message. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====Closing the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== //=====Sending the email. if (mail($mailtest, $sujet, $message, $header) && ($resultatdelete != false) && ($resultat != false) && ($resultatmail != false)) { Toolbox::ajouterMessageAlerte("Your password has been successfully reset", Toolbox::COULEUR_VERTE); header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Password reset failed - Error code: #UM01", Toolbox::COULEUR_ROUGE); header('Location: ' . URL . "users/motdepasse"); } } else { Toolbox::ajouterMessageAlerte("The link was not approved by our site. Please try again. Error code: #UM02", Toolbox::COULEUR_ROUGE); header('Location: ' . URL . "users/motdepasse"); } }

I want to say that these two functions are on the same page and are actually next to each other.

Well, that's quite a bit of reading for the brave ones, thank you in advance!
0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

I don't see anything unusual.

We'll have to see how you're doing the authentication now....

Are you using password_verify?

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

The problem is that I see him changing the password in the table and I can see that it is stored in sha1

But yes, I am indeed going through the password_verify() function:

// Function that compares the password in the database and the one entered by the user public function isCombinaisonValide($login, $password) { //$password = hash('sha256',$password); //$password = sha1($password); $passwordBD = $this->getPasswordUser($login); // Error code: #UM04 if (password_verify($password, $passwordBD)) { return true; } else { // to uncomment when moving to prod and comment the line below Toolbox::ajouterMessageAlerte("Failed to connect", Toolbox::COULEUR_ROUGE); Toolbox::ajouterMessageAlerte("Comparison failed - Error code: #UM04", Toolbox::COULEUR_ROUGE); return false; } }

Here as a parameter of the function I retrieve the user input.

Moreover, it works when I connect because as long as I do not reset my password, everything works fine.

The real problem (I think) is why when resetting the password it inserts it as sha1 into my table??

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

The verification code also seems good to me.

Are you sure it's updating the password in your table correctly?

A simple test...

You delete the existing password in the database.

You run your code to change it...

You check your database to see if there is a new value recorded.

Don't hesitate to also add some echo / var_dump of your variables in your code to see where your code is executing and if it's going through the functions you showed us.

This will also allow you to see the hashed password... if it matches what you expect.

By the way, while I'm thinking about it, also check the size of the field that is supposed to hold the hashed password in your database. Is it large enough?

By the way... You are obviously using PDO.

It would be good to enable PDO error handling in your database connection AND FOR EVERY QUERY.

https://forums.commentcamarche.net/forum/affich-37584941-php-pdo-gerer-les-erreurs

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

I just tried once more and yes, I am sure that my password is being updated in my table; it changes the hashed password with password_hash() to the new hashed password sent by email hashed in sha1 (I use a site afterwards to encrypt in sha1 and verify that the hashing of the new password is indeed sha1)

As for the PDO errors, my connection to the database: 

private static function setBdd(){ // PROD DB self::$pdo = new PDO("mysql:host=xxx;dbname=xxxx;charset=utf8","xxxx","password"); self::$pdo->setAttribute(PDO::ATTR_ERRMODE,PDO::ERRMODE_WARNING); }

I tried to put var_dump() but I think I'm putting them in the wrong places because I haven't seen anything.

I also added this at the top of my page but no change: 

error_reporting(E_ALL); ini_set('display_errors', TRUE); ini_set('display_startup_errors', TRUE);

To give you an idea of the error:

and the code that handles this behind: 

// Function that compares the password in the DB and the one entered by the user public function isCombinaisonValide($login, $password) { //$password = hash('sha256',$password); //$password = sha1($password); $passwordBD = $this->getPasswordUser($login); if (password_verify($password, $passwordBD)) { var_dump($passwordBD); //the var_dump here did not show anything at login return true; } else { // to uncomment when going to prod and comment the line below Toolbox::ajouterMessageAlerte("Login failed", Toolbox::COULEUR_ROUGE); Toolbox::ajouterMessageAlerte("Comparison failed - Error code: #UM04", Toolbox::COULEUR_ROUGE); var_dump($passwordBD); //the var_dump here did not show anything at the login attempt return false; }

I really don't understand where the sha1 is coming from...

0
Answer 3 / 7
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

How do you call your functions?

Isn't it ajax?

Once again .. if you only provide us with snippets of code and not the complete files ... we cannot know the flow of the code ...

.
Best regards,
Jordane
0
llaumegui
 

No, it's not AJAX; it's pure PHP.

In my project, I call functions from Controllers:

<?php require_once "models/UserManager.class.php"; class UserController { public $userManager; public function __construct() { $this->userManager = new UserManager; $this->userManager->chargementUsers(); } public function afficherUsers() { $users = $this->userManager->getUser(); require "views/user/users.view.php"; } public function modificationUser($id) { $user = $this->userManager->getUserById($id); require "views/user/updateUser.view.php"; } public function ajoutUser() { require "views/user/createUser.view.php"; } public function motDePasseOublie() { require "views/motDePasseOublie.view.php"; } public function ajoutuserValidation() { if ($_POST['bl'] != 'on') { $_POST['bl'] = 0; } else { $_POST['bl'] = 1; } if ($_POST['dist'] != 'on') { $_POST['dist'] = 0; } else { $_POST['dist'] = 1; } if ($_POST['admin'] != 'on') { $_POST['admin'] = 0; } else { $_POST['admin'] = 1; } if ($_POST['demandevalidation'] != 'on') { $_POST['demandevalidation'] = 0; } else { $_POST['demandevalidation'] = 1; } if ($_POST['pilote'] != 'on') { $_POST['pilote'] = 0; } else { $_POST['pilote'] = 1; } if ($_POST['rs'] != 'on') { $_POST['rs'] = 0; } else { $_POST['rs'] = 1; } if ($_POST['password'] === $_POST['passwordverif']) { $this->userManager->ajoutUserBd( $_POST['login'], $_POST['password'], $_POST['mail'], $_POST['admin'], $_POST['bl'], $_POST['dist'], $_POST['NomPrenom'], $_POST['demandevalidation'], $_POST['pilote'], $_POST['rs'] ); header('Location: ' . URL . "users"); } else { Toolbox::ajouterMessageAlerte("The passwords do not match", Toolbox::COULEUR_ROUGE); } } public function modificationUserValidation() { if ($_POST['bl'] != 'on') { $_POST['bl'] = 0; } else { $_POST['bl'] = 1; } if ($_POST['dist'] != 'on') { $_POST['dist'] = 0; } else { $_POST['dist'] = 1; } if ($_POST['admin'] != 'on') { $_POST['admin'] = 0; } else { $_POST['admin'] = 1; } if ($_POST['demandevalidation'] != 'on') { $_POST['demandevalidation'] = 0; } else { $_POST['demandevalidation'] = 1; } if ($_POST['pilote'] != 'on') { $_POST['pilote'] = 0; } else { $_POST['pilote'] = 1; } if ($_POST['rs'] != 'on') { $_POST['rs'] = 0; } else { $_POST['rs'] = 1; } $this->userManager->modificationUserBd( $_POST['id'], $_POST['login'], $_POST['mail'], $_POST['admin'], $_POST['bl'], $_POST['dist'], $_POST['NomPrenom'], $_POST['demandevalidation'], $_POST['pilote'], $_POST['rs'] ); Toolbox::ajouterMessageAlerte("The modification was successfully completed", Toolbox::COULEUR_VERTE); header('Location: ' . URL . "users"); } public function motDePasseReinit() { if ((!empty($_POST['login'])) && (!empty($_POST['mail']))) { $this->userManager->motDePasseReinitValid( $_POST['login'], $_POST['mail'] ); } else { Toolbox::ajouterMessageAlerte("Invalid Login / Mail combination", Toolbox::COULEUR_ROUGE); header('Location: ' . URL . "users/motdepasse"); } } public function motDePasseReinitValid($key) { $this->userManager->motDePasseReinitValidation($key); } public function login() { require "views/login.view.php"; } public function validation_login($login, $password) { if ($this->userManager->isCombinaisonValide($login, $password)) { Toolbox::ajouterMessageAlerte("Welcome back to the portal " . $login . "! ADDING FILTER SYSTEM FOR INCIDENTS" , Toolbox::COULEUR_VERTE); $_SESSION['profil'] = [ "login" => $login, ]; $datas = $this->userManager->getUserInformation($_SESSION['profil']['login']); $_SESSION['profil']["bl"] = $datas['bl']; $_SESSION['profil']["dist"] = $datas['dist']; $_SESSION['profil']["admin"] = $datas['admin']; $_SESSION['profil']["demandevalidation"] = $datas['demandevalidation']; $_SESSION['profil']["pilote"] = $datas['pilote']; $_SESSION['profil']["rs"] = $datas['rs']; if (Securite::estConnecte() && Securite::estBl()) { header("Location: " . URL . "tngs"); } else { header("Location: " . URL . "accueil"); } } else { Toolbox::ajouterMessageAlerte("Invalid Login / Password combination", Toolbox::COULEUR_ROUGE); header("location: " . URL); } } public function profil() { $datas = $this->userManager->getUserInformation($_SESSION['profil']['login']); $_SESSION['profil']["bl"] = $datas['bl']; $_SESSION['profil']["dist"] = $datas['dist']; $_SESSION['profil']["admin"] = $datas['admin']; $_SESSION['profil']["demandevalidation"] = $datas['demandevalidation']; $_SESSION['profil']["pilote"] = $datas['pilote']; $_SESSION['profil']["rs"] = $datas['rs']; } public function deconnexion() { $domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false; Toolbox::ajouterMessageAlerte("Logout is complete", Toolbox::COULEUR_VERTE); unset($_SESSION['profil']); setcookie(Securite::COOKIE_NAME,"",time() - 3600, '/', $domain, false, true); header("Location: " . URL); } public function deleteUser($id) { $this->userManager->deleteUserBd($id); header('Location: ' . URL . "users"); } }

In this Controller, I call the password reset functions.

By the way, I don't really know what these lines do? (I remind you that I'm taking over a project from someone with no documentation):

public function motDePasseReinitValid($key) { $this->userManager->motDePasseReinitValidation($key); }

PS: the app is still quite substantial, so throwing all the code wouldn't be very useful; plus, it's a business project, so I have to be careful about what I send.

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

ok.

However, you can't see your echoes and var_dumps because you need to disable all redirects.

 header('Location: ...
0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

Hi, I did another test (spoiler: same problem, it's giving me the password in sha1)

I added var_dump() and removed the header(), the 2 functions motDePasseReinitValid() and motDePasseReinitValidation() like this:

public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = '$login' AND mail = '$mail'"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat == false) { Toolbox::ajouterMessageAlerte("Invalid Login / Mail combination", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); var_dump($resultat); } else { $char = '1234567890abcdefghijklmnopqrstuvwxyz0123456789'; $key = str_shuffle($char); $longueur = '8'; $possible = '123456789abcdfghjkmnpqrtvwxyzABCDFGHJKLMNPQRTVWXYZ'; $mdp = ''; // this value will be used later $longueurMax = strlen($possible); if ($longueur > $longueurMax) { $longueur = $longueurMax; } $i = 0; while ($i < $longueur) { // takes a random character $caractere = substr($possible, mt_rand(0, $longueurMax - 1), 1); $mdp .= $caractere; $i++; } $req = "INSERT INTO reinit_passwd(id_user, key_gen, new_passwd) VALUES(:id_user, :key_gen, :new_passwd)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $resultat['id'], PDO::PARAM_STR); $stmt->bindValue(":key_gen", $key, PDO::PARAM_STR); $stmt->bindValue(":new_passwd", $mdp, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); var_dump($resultat); //=====Declaration of messages in text format and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have requested a new password for the portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have requested a new password for <b>the portal</b>.<br /><br />To confirm the password reset, please click on the link below: <br /><br /><a href=\"http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "\">http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "<a/></body></html>"; //========== //=====Creating the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "portal - Forgotten password". chr(233); //========= //=====Creating the email header. $header = "From: \"portal\"<***@***>" . $passage_ligne; $header .= "Reply-to: \"portal \" <***@***>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in text format. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in HTML format. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====Closing the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== if (mail($mail, $sujet, $message, $header)) { Toolbox::ajouterMessageAlerte("An email for password reset has just been sent to you", Toolbox::COULEUR_VERTE); //header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to send the email. Please try again. If the problem persists, contact the IT department", Toolbox::COULEUR_ROUGE); } } } //Function to validate the password reset public function motDePasseReinitValidation($key) { $req = "SELECT id, id_user, new_passwd FROM reinit_passwd WHERE key_gen = '$key'"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_passwd']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); $req = "SELECT mail FROM user WHERE id = $idtempo"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); $mailtest = $resultatmail['mail']; $req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); var_dump($motdepassehash); $req = " DELETE FROM reinit_passwd WHERE id_user = $idtempo "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $idtempo, PDO::PARAM_INT); $resultatdelete = $stmt->execute(); $stmt->closeCursor(); //=====Declaration of messages in text format and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have reset your password for the portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have reset your password.<br /><br /> New password: " . $motdepassetemp . "<a/></body></html>"; //========== //=====Creating the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "portal - New password"; //========= //=====Creating the email header. $header = "From: \"portal\"<***@***>" . $passage_ligne; $header .= "Reply-to: \"portal\"<***@***>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in text format. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in HTML format. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====Closing the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== //=====Sending the email. if (mail($mailtest, $sujet, $message, $header) && ($resultatdelete != false) && ($resultat != false) && ($resultatmail != false)) { Toolbox::ajouterMessageAlerte("Your password has been successfully reset", Toolbox::COULEUR_VERTE); //header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to reset the password - Error code: #UM01", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); } } else { Toolbox::ajouterMessageAlerte("The link was not approved by our site. Please try again. Error code: #UM02", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); } }

And I therefore reset the password and still got an error when I submitted the password reset form (the form: id and mail of the user):

line 309 in the function motDePasseReinitValid($login, $mail): 

 $resultat = $stmt->fetch(PDO::FETCH_ASSOC);

an error on the variable that I dumped

But despite this error, I do receive the reset email, I click on the reset link that opens two pages:

The first:

A password reset page (the one where I enter my id and email to request the password reset) with this error:

The second:

it redirects me back to the login page with the message confirming the reset. Which is true because I receive the second email with the new password.

So to finish, I try to log in with the new password but it doesn't work because I'm using password_verify() (to test if the password matches what the user enters) while it is hashed in sha1 at the update of the user table...

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

You have an error here:

$req = "SELECT id, mail, password FROM user WHERE login = '$login' AND mail = '$mail'"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();

To be corrected to

$req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail ", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();
0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

I modified it as you told me, what you said makes sense to me too, I hadn't paid attention but I have an error.

I have properly modified what you told me:

 $req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail ", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();

When the form is submitted, I get this error displayed:

line 274 (in the function motDePasseReinitValid($login, $mail)):

 $stmt->execute();

And so afterwards, I do not have an email for the reset and therefore no UPDATE either in my table.

0
Answer 4 / 7
llaumegui
 

Yeah sorry, it definitely seems obvious with the code in front of you^^

 public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail , PDO::PARAM_STR); $stmt->execute(); //line 274 $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();
0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

There are extra spaces in the email bind

0
Answer 5 / 7
llaumegui
 

Well spotted regarding the spaces, I modified it like this: 

$req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor();

Then when sending the password reset form, I get this error:

line 310: 

 $req = "INSERT INTO reinit_passwd(id_user, key_gen, new_passwd) VALUES(:id_user, :key_gen, :new_password)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $resultat['id'], PDO::PARAM_STR); $stmt->bindValue(":key_gen", $key, PDO::PARAM_STR); $stmt->bindValue(":new_password", $mdp, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); //line 310 $stmt->closeCursor(); var_dump($resultat);

And there I do receive the email for resetting the password, without errors

Then the second email with the new password and so the same problem is that it is updated in sha1 in my user table.
0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

You cannot perform a fetch on anything other than a SELECT query.

However... you put it on an insert...

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

So if I understand correctly, this line:

$resultat = $stmt->fetch(PDO::FETCH_ASSOC); //line 310

is incorrect, and it is also useless, so I can delete it?

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

Yes

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

Okay, I retook a test by removing this line, I have no more errors!

We can finally see my var_dump():

So following the submission of the password reset form, it displays my variable $resultat that I dump here:

/Function to reset the password public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat == false) { Toolbox::ajouterMessageAlerte("Invalid Login / Mail combination", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); var_dump($resultat); //the dump from the screen above

As we can see, it is indeed the hashed password with password_hash() that I retrieve

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

So it's good...

0
Answer 6 / 7
llaumegui
 

In my first message:

I have always said that the problem is the UPDATE of the user table with the new password. Additionally, in every message, I stress that the problem is that it inserts it in sha1 at the update (you can verify).

So the problem is why it is inserting it in sha1 at the update of my user table?
0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

Dump the variable $motdepasshash before the update

and also do a dump of $resultat after the update

 $motdepassetemp = $resultat['new_passwd']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); echo "<br> Password coming from the database: " . $motdepassetemp; echo "<br> Hashed password: " . $motdepassehash; // password hashed correctly? /* apparently.. this code is useless here.. might as well move it to where it serves! $req = "SELECT mail FROM user WHERE id = $idtempo"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); $mailtest = $resultatmail['mail']; */ try{ $req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); var_dump($resultat); // should display true or false .. true if updated! }catch(Exception $e){ echo "Error: " . $e->getMessage(); exit; }
0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

I copied your code like this:

//Function to validate password reset public function motDePasseReinitValidation($key) { $req = "SELECT id, id_user, new_password FROM reinit_passwd WHERE key_gen = '$key'"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_password']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); echo "<br> Password from the database: " . $motdepassetemp; echo "<br> Hashed password: " . $motdepassehash; // Is the password hashed correctly? /* apparently.. this code is useless here.. might as well move it to where it is useful! $req = "SELECT mail FROM user WHERE id = $idtempo"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); $mailtest = $resultatmail['mail']; */ try{ $req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); var_dump($resultat); // should display true or false .. true if updated! }catch(Exception $e){ echo "Error: " . $e->getMessage(); exit; } // $req = "SELECT mail FROM tng_user WHERE id = $idtempo"; // $stmt = $this->getBdd()->prepare($req); // $stmt->execute(); // $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); // $stmt->closeCursor(); // $mailtest = $resultatmail['mail']; // $req = "UPDATE user // SET password = :password // WHERE id = :id"; // $stmt = $this->getBdd()->prepare($req); // $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); // $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); // $resultat = $stmt->execute(); // $stmt->closeCursor(); // var_dump($motdepassehash);

What’s strange is that I removed what you said was useless here and there was no error.

I just saw the same var_dump() displayed as before after submitting the password reset form.

I still received the 2 emails and an UPDATE of the password in sha1 in my user table.

I think I won’t be able to get back to you before Monday as I don’t have my work equipment at home, but on Monday we can continue, please feel free to reply now or as soon as you see this message. I’ll get back to you on Monday! Thanks again for the help. ;)

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

Do you see the echoes I've added?

If you don't see them... it's because you're not passing through this function...

If you do see them.. could you paste what they display for you and confirm that the encoding is correct?

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

Hi again,

I did a test this morning with the same code as in my last message.

So I send the reset form, I have my var_dump that displays:

I receive the first email that takes me to an error message and I don’t receive the second email with the new password.

It's an error message in the management of my routes in my index.php.

As for the echoes, I can’t see them, but it’s still strange because the update was done in the table even if it wasn't the right one.

0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830 > llaumegui
 

it's not possible that you don't see the echoes... unless you've forgotten to remove a redirect....

At the limit, place an exit after the echoes.

If you still don't see them... it means you're not passing through that function!

0
Answer 7 / 7
llaumegui
 

I redid the test with an exit at this level:

if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_password']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); echo "<br> Password from the database: " . $motdepassetemp; echo "<br> Hashed password: " . $motdepassehash; //is the password hashed correctly? exit;

No changes, I didn't see any echo (same result as the test above).

I was wondering if perhaps this could be a problem, in my controller where I call these functions, I instantiate a function that has the same name as another in my user manager:

My controller:

 public function motDePasseReinitValid($key) { $this->userManager->motDePasseReinitValidation($key); }

My userManager:

 public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat == false) { Toolbox::ajouterMessageAlerte("Invalid Login / Mail combination", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); var_dump($resultat); } else { $char = '1234567890abcdefghijklmnopqrstuvwxyz0123456789'; $key = str_shuffle($char); $longueur = '8'; $possible = '123456789abcdfghjkmnpqrtvwxyzABCDFGHJKLMNPQRTVWXYZ'; $mdp = ''; // this value will be used later $longueurMax = strlen($possible); if ($longueur > $longueurMax) { $longueur = $longueurMax; } $i = 0; while ($i < $longueur) { // takes a random character $caractere = substr($possible, mt_rand(0, $longueurMax - 1), 1); $mdp .= $caractere; $i++; } $req = "INSERT INTO reinit_passwd(id_user, key_gen, new_password) VALUES(:id_user, :key_gen, :new_password)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $resultat['id'], PDO::PARAM_STR); $stmt->bindValue(":key_gen", $key, PDO::PARAM_STR); $stmt->bindValue(":new_password", $mdp, PDO::PARAM_STR); $stmt->execute(); $stmt->closeCursor(); var_dump($resultat); //=====Declaration of messages in text and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have requested a new password for the Portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have requested a new password for <b>the Portal</b>.<br /><br />To confirm the password reset, please click on the link below: <br /><br /><a href=\"http://dns.fr/portail_/users/motdepassereinitvalid/" . $key . "\">http://dns.fr/portail_/users/motdepassereinitvalid/" . $key . "<a/></body></html>"; //========== //=====Creation of the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Definition of the subject. $sujet = "Portal - Forgotten password" . chr(233); //========= //=====Creation of the email header. $header = "From: \"Portal Bl\"<mail.xxx.com>" . $passage_ligne; $header .= "Reply-to: \"Portal \" <mail.xxx.com>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creation of the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in text format. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in HTML format. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====We close the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== if (mail($mail, $sujet, $message, $header)) { Toolbox::ajouterMessageAlerte("An email for password reset has just been sent to you", Toolbox::COULEUR_VERTE); //header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to send the email. Please try again. If the problem persists, contact the IT department", Toolbox::COULEUR_ROUGE); } } }

I don't know if this could have an impact since they don't have the same parameters, moreover it is not this function that I use to update my user table.
0
jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention   4 830
 

So... once again... just with small bits of code... it's impossible to get a complete picture of how your code works...

You should provide us with the entirety of your files, indicating their names for each of them!

But I insist... if you don't see the echoes... it's because you are not entering that function. So it's normal that it doesn't update as you want!

0
llaumegui > jordane45 Posted messages 30426 Registration date   Status Moderator Last intervention  
 

Okay

here is the entire content of my userManager.class.php page:

<?php use LDAP\Result; require_once 'Model.class.php'; require_once 'User.class.php'; class UserManager extends Model { private $user; // Array of users public function ajoutUser($user) { $this->users[] = $user; } public function getUser() { return $this->users; } // Function that loads all users from the database. public function chargementUsers() { $req = $this->getBdd()->prepare( 'SELECT id, login,password, mail, admin, bl, dist, NomPrenom, demandevalidation , pilote, rs FROM user' ); $req->execute(); $donnees = $req->fetchAll(PDO::FETCH_ASSOC); $req->closeCursor(); // Error code: #UM01 if (!empty($donnees)) { foreach ($donnees as $donnees_users) { $q = new User( $donnees_users['id'], $donnees_users['login'], $donnees_users['password'], $donnees_users['mail'], $donnees_users['admin'], $donnees_users['bl'], $donnees_users['dist'], $donnees_users['NomPrenom'], $donnees_users['demandevalidation'], $donnees_users['pilote'], $donnees_users['rs'] ); $this->ajoutUser($q); } } else { Toolbox::ajouterMessageAlerte("Failed to load users - Error code: #UM01", Toolbox::COULEUR_ROUGE); header('Location: ' . URL); } } // Function for getting a user by their ID public function getUserById($id) { for ($i = 0; $i < count($this->users); $i++) { if ($this->users[$i]->getId() === $id) { return $this->users[$i]; } } } // Function to get a user's password based on their login private function getPasswordUser($login) { $req = "SELECT password FROM user WHERE login = :login"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); // Error code: #UM03 if ($resultat != false) { return $resultat['password']; } else { // uncomment this line in production and comment the line below Toolbox::ajouterMessageAlerte("Request failure", Toolbox::COULEUR_ROUGE); Toolbox::ajouterMessageAlerte("Request failure - Error code: #UM03", Toolbox::COULEUR_ROUGE); header("location: " . URL); } } // Function that compares the database password and the one entered by the user public function isCombinaisonValide($login, $password) { //$password = hash('sha256',$password); //$password = sha1($password); $passwordBD = $this->getPasswordUser($login); // Error code: #UM04 if (password_verify($password, $passwordBD)) { return true; } else { // uncomment this line in production and comment the line below Toolbox::ajouterMessageAlerte("Connection failed", Toolbox::COULEUR_ROUGE); Toolbox::ajouterMessageAlerte("Comparison failed - Error code: #UM04", Toolbox::COULEUR_ROUGE); return false; } } // Function that adds a user to the database public function ajoutUserBd( $login, $password, $mail, $admin, $bl, $dist, $NomPrenom, $demandevalidation, $pilote, $rs ) { $login = strip_tags($login); $password = strip_tags($password); $mail = strip_tags($mail); $admin = strip_tags($admin); $bl = strip_tags($bl); $dist = strip_tags($dist); $NomPrenom = strip_tags($NomPrenom); $demandevalidation = strip_tags($demandevalidation); $pilote = strip_tags($pilote); $rs = strip_tags($rs); $hashed_password = password_hash($password, PASSWORD_DEFAULT); //$password = hash('sha256',$password); //$password = sha1($password); $req = "INSERT INTO user(login, password, mail, admin, bl, dist, NomPrenom, demandevalidation, pilote, rs) VALUES(:login, :password, :mail, :admin, :bl, :dist, :NomPrenom, :demandevalidation, :pilote, :rs)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":password", $hashed_password, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail, PDO::PARAM_STR); $stmt->bindValue(":admin", $admin); $stmt->bindValue(":bl", $bl); $stmt->bindValue(":dist", $dist, PDO::PARAM_STR); $stmt->bindValue(":NomPrenom", $NomPrenom, PDO::PARAM_STR); $stmt->bindValue(":demandevalidation", $demandevalidation, PDO::PARAM_STR); $stmt->bindValue(":pilote", $pilote, PDO::PARAM_STR); $stmt->bindValue(":rs", $rs, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); // Error code: #UM05 if ($resultat > 0) { $user = new User( $this->getBdd()->lastInsertId(), $login, $password, $mail, $admin, $bl, $dist, $NomPrenom, $demandevalidation, $pilote, $rs ); $this->ajoutUser($user); Toolbox::ajouterMessageAlerte("User addition successful", Toolbox::COULEUR_VERTE); } else { Toolbox::ajouterMessageAlerte("User addition failed - Error code: #UM05", Toolbox::COULEUR_ROUGE); header('Location: ' . URL . "users"); } } // Function for modifying a user public function modificationUserBd( $id, $login, $mail, $admin, $bl, $dist, $NomPrenom, $demandevalidation, $pilote, $rs ) { $login = strip_tags($login); $mail = strip_tags($mail); $admin = strip_tags($admin); $bl = strip_tags($bl); $dist = strip_tags($dist); $NomPrenom = strip_tags($NomPrenom); $demandevalidation = strip_tags($demandevalidation); $pilote = strip_tags($pilote); $rs = strip_tags($rs); $req = "UPDATE user set login = :login, mail = :mail, admin = :admin, bl = :bl, dist = :dist, NomPrenom = :NomPrenom, demandevalidation = :demandevalidation, pilote = :pilote, rs = :rs WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $id, PDO::PARAM_INT); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail, PDO::PARAM_STR); $stmt->bindValue(":admin", $admin, PDO::PARAM_STR); $stmt->bindValue(":bl", $bl); $stmt->bindValue(":dist", $dist); $stmt->bindValue(":NomPrenom", $NomPrenom, PDO::PARAM_STR); $stmt->bindValue(":demandevalidation", $demandevalidation); $stmt->bindValue(":pilote", $pilote); $stmt->bindValue(":rs", $rs); $resultat = $stmt->execute(); $stmt->closeCursor(); if ($resultat > 0) { $this->getUserById($id)->setLogin($login); $this->getUserById($id)->setMail($mail); $this->getUserById($id)->setAdmin($admin); $this->getUserById($id)->setBl($bl); $this->getUserById($id)->setDist($dist); $this->getUserById($id)->setNomPrenom($NomPrenom); $this->getUserById($id)->setDemandeValidation($demandevalidation); $this->getUserById($id)->setPilote($pilote); $this->getUserById($id)->setRs($rs); } } public function getUserInformation($login) { $req = "SELECT * FROM user WHERE login = :login"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); return $resultat; } public function deleteUserBd($id) { $req = " Delete from `user` where `id` = " . $id . " "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $id, PDO::PARAM_INT); $stmt->execute(); $stmt->closeCursor(); Toolbox::ajouterMessageAlerte("Deletion has been completed", Toolbox::COULEUR_VERTE); } //Function for resetting password public function motDePasseReinitValid($login, $mail) { $req = "SELECT id, mail, password FROM user WHERE login = :login AND mail = :mail"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":login", $login, PDO::PARAM_STR); $stmt->bindValue(":mail", $mail , PDO::PARAM_STR); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat == false) { Toolbox::ajouterMessageAlerte("Invalid Login / Mail combination", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); var_dump($resultat); } else { $char = '1234567890abcdefghijklmnopqrstuvwxyz0123456789'; $key = str_shuffle($char); $longueur = '8'; //Does not work if set to 12 $possible = '123456789abcdfghjkmnpqrtvwxyzABCDFGHJKLMNPQRTVWXYZ'; $mdp = ''; // this value will be used later $longueurMax = strlen($possible); if ($longueur > $longueurMax) { $longueur = $longueurMax; } $i = 0; while ($i < $longueur) { // pick a random character $caractere = substr($possible, mt_rand(0, $longueurMax - 1), 1); $mdp .= $caractere; $i++; } $req = "INSERT INTO reinit_passwd(id_user, key_gen, new_password) VALUES(:id_user, :key_gen, :new_password)"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $resultat['id'], PDO::PARAM_STR); $stmt->bindValue(":key_gen", $key, PDO::PARAM_STR); $stmt->bindValue(":new_password", $mdp, PDO::PARAM_STR); $stmt->execute(); $stmt->closeCursor(); var_dump($resultat); //=====Declaration of messages in text and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have requested a new password for the Portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have requested a new password for <b>the Portal</b>.<br /><br />To confirm the password reset, please click on the link below : <br /><br /><a href=\"http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "\">http://dns.fr/portail/users/motdepassereinitvalid/" . $key . "<a/></body></html>"; //========== //=====Creation of the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "Portal - Forgotten password". chr(233); //========= //=====Creating the email header. $header = "From: \"Portal\"<mail.xxx.com>" . $passage_ligne; $header .= "Reply-to: \"Portal \" <mail.xxx.com>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in text format. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in HTML format. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====We close the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== if (mail($mail, $sujet, $message, $header)) { Toolbox::ajouterMessageAlerte("An email for resetting the password has been sent to you", Toolbox::COULEUR_VERTE); //header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to send the email. Please try again. If the problem persists, contact the IT department", Toolbox::COULEUR_ROUGE); } } } //Function to validate the password reset public function motDePasseReinitValidation($key) { $req = "SELECT id, id_user, new_password FROM reinit_passwd WHERE key_gen = '$key'"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultat = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); if ($resultat > 0) { $idtempo = $resultat['id_user']; $motdepassetemp = $resultat['new_password']; $motdepassehash = password_hash($motdepassetemp, PASSWORD_DEFAULT); //$motdepassehash = hash('sha256',$motdepassetemp); //$motdepassehash = sha1($motdepassetemp); echo "<br> Password from the database: " . $motdepassetemp; echo "<br> Hashed password: " . $motdepassehash; // is the password hashed correctly? exit; /* apparently.. this code is useless here.. might as well move it where it is needed! $req = "SELECT mail FROM user WHERE id = $idtempo"; $stmt = $this->getBdd()->prepare($req); $stmt->execute(); $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); $stmt->closeCursor(); $mailtest = $resultatmail['mail']; */ try{ $req = "UPDATE user SET password = :password WHERE id = :id"; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); $resultat = $stmt->execute(); $stmt->closeCursor(); var_dump($resultat); // should display true or false .. true if updated! }catch(Exception $e){ echo "Error: " . $e->getMessage(); exit; } // $req = "SELECT mail FROM user WHERE id = $idtempo"; // $stmt = $this->getBdd()->prepare($req); // $stmt->execute(); // $resultatmail = $stmt->fetch(PDO::FETCH_ASSOC); // $stmt->closeCursor(); // $mailtest = $resultatmail['mail']; // $req = "UPDATE user // SET password = :password // WHERE id = :id"; // $stmt = $this->getBdd()->prepare($req); // $stmt->bindValue(":id", $idtempo, PDO::PARAM_INT); // $stmt->bindValue(":password", $motdepassehash, PDO::PARAM_STR); // $resultat = $stmt->execute(); // $stmt->closeCursor(); // var_dump($motdepassehash); $req = " DELETE FROM reinit_passwd WHERE id_user = $idtempo "; $stmt = $this->getBdd()->prepare($req); $stmt->bindValue(":id_user", $idtempo, PDO::PARAM_INT); $resultatdelete = $stmt->execute(); $stmt->closeCursor(); //=====Declaration of messages in text and HTML format. $passage_ligne = "\r\n"; $message_txt = "Hello, you have reset your password for the Portal."; $message_html = "<html><head></head><body>Hello,<br /><br /> You have reset your password.<br /><br /> New password: " . $motdepassetemp . "<a/></body></html>"; //========== //=====Creation of the boundary. $boundary = "-----=" . md5(rand()); $boundary_alt = "-----=" . md5(rand()); //========== //=====Defining the subject. $sujet = "Portal - New password"; //========= //=====Creating the email header. $header = "From: \"Portal\"<mail.xxx.com>" . $passage_ligne; $header .= "Reply-to: \"Portal\"<mail.xxx.com>" . $passage_ligne; $header .= "MIME-Version: 1.0" . $passage_ligne; $header .= "Content-Type: multipart/mixed;" . $passage_ligne . " boundary=\"$boundary\"" . $passage_ligne; //========== //=====Creating the message. $message = $passage_ligne . "--" . $boundary . $passage_ligne; $message .= "Content-Type: multipart/alternative;" . $passage_ligne . " boundary=\"$boundary_alt\"" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in text format. $message .= "Content-Type: text/plain; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_txt . $passage_ligne; //========== $message .= $passage_ligne . "--" . $boundary_alt . $passage_ligne; //=====Adding the message in HTML format. $message .= "Content-Type: text/html; charset=\"ISO-8859-1\"" . $passage_ligne; $message .= "Content-Transfer-Encoding: 8bit" . $passage_ligne; $message .= $passage_ligne . $message_html . $passage_ligne; //========== //=====We close the alternative boundary. $message .= $passage_ligne . "--" . $boundary_alt . "--" . $passage_ligne; $message .= $passage_ligne . "--" . $boundary . $passage_ligne; //========== //=====Sending the email. if (mail($mailtest, $sujet, $message, $header) && ($resultatdelete != false) && ($resultat != false) && ($resultatmail != false)) { Toolbox::ajouterMessageAlerte("Your password has been successfully reset", Toolbox::COULEUR_VERTE); //header('Location: ' . URL); } else { Toolbox::ajouterMessageAlerte("Failed to reset the password - Error code: #UM01", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); } } else { Toolbox::ajouterMessageAlerte("The link has not been approved by our site. Please try again. Error code: #UM02", Toolbox::COULEUR_ROUGE); //header('Location: ' . URL . "users/motdepasse"); } } }

My userController.php page:

 <?php require_once "models/UserManager.class.php"; class UserController { public $userManager; public function __construct() { $this->userManager = new UserManager; $this->userManager->chargementUsers(); } public function afficherUsers() { $users = $this->userManager->getUser(); require "views/user/users.view.php"; } public function modificationUser($id) { $user = $this->userManager->getUserById($id); require "views/user/updateUser.view.php"; } public function ajoutUser() { require "views/user/createUser.view.php"; } public function motDePasseOublie() { require "views/motDePasseOublie.view.php"; } public function ajoutuserValidation() { if ($_POST['bl'] != 'on') { $_POST['bl'] = 0; } else { $_POST['bl'] = 1; } if ($_POST['dist'] != 'on') { $_POST['dist'] = 0; } else { $_POST['dist'] = 1; } if ($_POST['admin'] != 'on') { $_POST['admin'] = 0; } else { $_POST['admin'] = 1; } if ($_POST['demandevalidation'] != 'on') { $_POST['demandevalidation'] = 0; } else { $_POST['demandevalidation'] = 1; } if ($_POST['pilote'] != 'on') { $_POST['pilote'] = 0; } else { $_POST['pilote']
0