I'm not sure if the procedure of allowing the user to change his password is correct.
The Ajax works fine, because it shows me errors, like the following:
Notice: Undefined variable: password in C:\xampp\htdocs\users\changepass.php on line 48 Warning: password_hash() expects at least 2 parameters, 1 given in C:\xampp\htdocs\users\changepass.php on line 48 Fatal error: Call to a member function bind_param() on boolean in C:\xampp\htdocs\users\changepass.php on line 65
Can you explain to me how to allow the user to change his password correctly? It is necessary that the form is hidden and that the message "Password changed successfully!" is shown.
changepass.php
    if (isset($_POST['password_change'])) {
        $hash = password_hash($password);
        $username = strip_tags($_POST['username']);
        $password = strip_tags($_POST['old_password']);
        $old_password = $hash;
        $newpassword = strip_tags($_POST['new_password']);
        $new_password = $hash;
        $confirmnewpassword = strip_tags($_POST['con_newpassword']);
        $con_newpassword = $hash;
        $stmtUsers = $con->prepare("SELECT COUNT(*) FROM users where username=? limit 1");
        $stmtUsers->bind_param("s", $username);
        if ($stmtUsers->execute()) {
            $hash = $stmtUsers->fetch();
            if ($password == $hash['password']) {
                if ($newpassword == $confirmnewpassword) {
                    $stmtUpdate = $con->prepare("UPDATE `users` SET `password` = ? WHERE `username` = ?");
                    $stmtUpdate->bind_param("ss", $newpassword, $username);
                    if ($stmtUpdate->execute()) {
                        echo "¡Contraseña cambiada con éxito!";
                    } else {
                        echo "La contraseña no se pudo actualizar";
                    }
                } else {
                    echo "¡Las contraseñas no coinciden!";
                }
            } else {
                echo "Por favor, escriba su contraseña actual con precisión!";
            }
        } else {
            echo "Nombre de usuario incorrecto";
        }
    }
Form
<form name="resetform" action="changepass.php" id="resetform" class="passform" method="post" role="form">
<h3>Change Your Password</h3>
<br />
<input type="hidden" name="username" value="<?php echo $username; ?>" ></input>
<label>Enter Old Password</label>
<input type="password" class="form-control" name="old_password" id="old_password">
<label>Enter New Password</label>
<input type="password" class="form-control" name="new_password" id="new_password">
<label>Confirm New Password</label>
<input type="password" class="form-control" name="con_newpassword" id="con_newpassword" />
<br>
<input type="submit" class="btn btn-warning" name="password_change" id="submit_btn" value="Change Password" />
</form>
<!--display success/error message-->
<div id="message"></div>
Ajax
    <script type="text/javascript">
    $(document).ready(function() {
        var frm = $('#resetform');
        frm.submit(function(e) {
            e.preventDefault();
            var formData = frm.serialize();
            formData += '&' + $('#submit_btn').attr('name') + '=' + $('#submit_btn').attr('value');
            $.ajax({
                type: frm.attr('method'),
                url: frm.attr('action'),
                data: formData,
                success: function(data) {
                    $('#message').html(data).delay(3000).fadeOut(3000);
                },
                error: function(jqXHR, textStatus, errorThrown) {
                    $('#message').html(textStatus).delay(2000).fadeOut(2000);
                }
            });
        });
    });
    </script>
In this answer I gave some time ago you can see the use of password_verify and password_hash: https://es.stackoverflow.com/a/166704/38103
Based on that, let's review your code:
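For reference, the following is an added example of the corrected changepass.php flow using password_verify() and password_hash(); it is editor-supplied illustration, not the asker's code nor the answerer's. It assumes a mysqli connection in $con (here loaded from a hypothetical db.php) and the `users` table with `username` and `password` columns named on the page. It also assumes the logged-in user's name is stored under a hypothetical session key 'username', because the hidden form field on the page is under the client's control and should not decide whose password gets changed. The three errors quoted in the question are addressed where they occur: the undefined $password, the missing second argument to password_hash(), and prepare() returning false (which is what makes bind_param() fail on a boolean).

```php
<?php
// Added example, not the page's own code. Assumes $con (mysqli) from db.php and
// a `users` table with `username` and `password` columns.
declare(strict_types=1);

session_start();
require 'db.php'; // assumed to define $con = new mysqli(...)

function change_password(mysqli $con, string $username, string $oldPassword,
                         string $newPassword, string $confirmPassword): string
{
    if ($newPassword !== $confirmPassword) {
        return 'The new passwords do not match.';
    }
    if (strlen($newPassword) < 8) {
        return 'The new password must be at least 8 characters long.';
    }

    // 1. Fetch the stored hash for this user. prepare() returns false on a
    //    SQL error (or while a previous statement's result is still pending),
    //    so check it before calling bind_param() on the result.
    $stmt = $con->prepare('SELECT `password` FROM `users` WHERE `username` = ? LIMIT 1');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $storedHash = null;
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close(); // release the result set before preparing the next statement

    // 2. Verify the typed old password against the stored hash. A single
    //    message for "no such user" and "wrong password" avoids confirming
    //    which usernames exist.
    if (!$found || !password_verify($oldPassword, (string) $storedHash)) {
        return 'The current password is incorrect.';
    }

    // 3. Hash the new password; password_hash() requires the algorithm as its
    //    second argument. Store the hash, never the plaintext.
    $newHash = password_hash($newPassword, PASSWORD_DEFAULT);

    $stmt = $con->prepare('UPDATE `users` SET `password` = ? WHERE `username` = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $con->error);
    }
    $stmt->bind_param('ss', $newHash, $username);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();

    return $ok ? 'Password changed successfully!' : 'The password could not be updated.';
}

if (isset($_POST['password_change'])) {
    // Assumed session key: take the account from the authenticated session,
    // not from the hidden <input name="username">, which any client can edit.
    $username = $_SESSION['username'] ?? null;
    if ($username === null) {
        http_response_code(403);
        echo 'You must be logged in to change your password.';
        exit;
    }

    // Passwords are hashed exactly as typed (no strip_tags on input); escape
    // only on output, since the Ajax handler inserts the response as HTML.
    echo htmlspecialchars(change_password(
        $con,
        $username,
        $_POST['old_password'] ?? '',
        $_POST['new_password'] ?? '',
        $_POST['con_newpassword'] ?? ''
    ), ENT_QUOTES, 'UTF-8');
}
```

With this on the server side, the existing Ajax success handler only needs to hide the form (for example with frm.hide()) when the response is the success message, and otherwise show the returned text in #message as it already does. Because the response is HTML-escaped before it is echoed, inserting it with .html() cannot introduce markup.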