So I have a DB where I store users' information for them to log in or to reset their password. The problem is that the reset password works only for one user and it doesn't for any other.

I've tried comparing the two users to find out what the user that it doesn't work on has or hasn't that the working one does, although I didn't see any difference. Here's a picture of my DB to visualize it: https://gyazo.com/f231937058bc4c99ffa6bf1f9a5f7631

The reset password code:

```php
$email = $_GET['email']; // md5 of the user's email, taken from the reset link
$token = $_GET['token'];

// Look up the account that owns this unexpired token
$stmt = $connection->prepare("SELECT email FROM users WHERE token = ? AND tokenexpire > NOW()");
$stmt->bind_param('s', $token);
$stmt->execute();
$result = $stmt->get_result();
$row = $result->fetch_array(MYSQLI_ASSOC);

if ($result->num_rows > 0 && md5($row['email']) == $email) {
    $hash = $algorithm->create_hash($_POST['password']); // the create hash function comes from a PBKDF2 class from github

    $token = '';
    $normal_email = $row['email']; // the email on the top is a hashed email with md5

    $query = $connection->prepare("UPDATE users SET hash = ?, token = ? WHERE email = ?");
    $query->bind_param('sss', $hash, $token, $normal_email);
    $query->execute(); // that's the line that does get executed on the 'nex' account but it doesn't on the 'veruz' account
}
```

There are no error messages.

Veruz
  • The problem is most likely in your input parameters. Hard to debug from here. Do you enter the `if`-part? My guess would be case-sensitivity of your email (because of the hashing), maybe you entered it differently. If the values in the picture are placeholders for the actual values, your webpage might use lowercase or something before hashing the input, and your database doesn't match that. Is the email address unique in your database? Otherwise your update might affect more than one user. – Solarflare Jun 16 '19 at 16:02
  • @Solarflare all the emails are unique and lowercase and I enter the if statement – Veruz Jun 16 '19 at 17:09
  • I've also noticed that the user that had been created first is the one that works. Maybe it's something with the ID? – Veruz Jun 16 '19 at 17:19
  • If you have verified that you entered the `if`-part, and you have verified that you got no error, then "the line" will be executed. So you either actually have an error and e.g. do not display it (see [How do I get PHP errors to display?](https://stackoverflow.com/q/1053424)), or the line gets executed but doesn't do what you think it does. Print out all your variables and check if they are what you think they are. Maybe "token" is not unique (e.g. an error in creating it might set it for *all* users, and the first statement always grabs the first row/user). Debugging should clear things up. – Solarflare Jun 16 '19 at 17:19
  • I've printed out all the variables and they seem to match the ones in the DB. The tokens are unique, but even if they weren't, MySQL wouldn't allow inserting them, as I've set it to be unique in the DB by default. As for the errors, there are none again, and I've checked the post you've linked me, but still none are displayed – Veruz Jun 16 '19 at 17:28
  • Your code works for some input parameters. It doesn't work for some others. So the problem seems to be the input parameters (which only you know). And such problems should become clear when you debug them. I cannot do this for you. If you print out `$normal_email` directly in front of `$query->execute()` and it matches the email, AND `$query->execute()` doesn't return an error (try e.g. additionally [checking the return value](https://stackoverflow.com/q/2304894)), it should do what you describe. Maybe clarify how you verified that "the line" did get executed or not. – Solarflare Jun 16 '19 at 17:57
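
One way to make the silent failure discussed in the comments visible, as an added example that is not part of the original question or comments: mysqli is switched to exceptions and the `UPDATE` result is checked through `affected_rows`. The table and column names are taken from the question; `reset_password()` and its status strings are hypothetical, and the `UNIQUE` index on `token` is assumed from the asker's comment, in which case MySQL rejects a second row holding `''`.

```php
<?php
// Added example, not the asker's code. Table and column names are from the
// question; reset_password() and its status strings are hypothetical.

// Make mysqli throw mysqli_sql_exception instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function reset_password(mysqli $connection, string $token, string $emailMd5, string $newHash): string
{
    // A cleared token is stored as '', so an empty token must never match.
    if ($token === '') {
        return 'rejected: empty token';
    }
    try {
        $stmt = $connection->prepare(
            "SELECT email FROM users WHERE token = ? AND tokenexpire > NOW()"
        );
        $stmt->bind_param('s', $token);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        if ($row === null) {
            return 'rejected: token unknown or expired';
        }
        // Strict, constant-time comparison instead of ==.
        if (!hash_equals(md5($row['email']), $emailMd5)) {
            return 'rejected: email does not match token';
        }
        $cleared = '';
        $email = $row['email'];
        $query = $connection->prepare(
            "UPDATE users SET hash = ?, token = ? WHERE email = ?"
        );
        $query->bind_param('sss', $newHash, $cleared, $email);
        $query->execute();
        // 0 here means the statement ran but no row was changed.
        return $query->affected_rows === 1 ? 'updated' : 'no row changed';
    } catch (mysqli_sql_exception $e) {
        // Error 1062 is a duplicate-key violation, e.g. a second '' in a
        // UNIQUE token column. Log this; do not show it to the user.
        return 'sql error ' . $e->getCode() . ': ' . $e->getMessage();
    }
}
```

The returned status separates three cases that look identical when no error is displayed: the token lookup failed, the statement ran without changing a row, or MySQL rejected the write.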

0 Answers