I want to make a password check where the JavaScript variable is the password that the user has written. I want to check if it is correct and I did that by comparing what the user wrote to my PHP variable which stores the actual value.

This is not a secure solution. How can I change it? I want the if statement to be at the same place as before.

Here is my code:

    var password = $("#password").val();

    if (password != '<?php echo "$password"; ?>') {
        alert("No changes has been made due to wrong password.");
    }
    else {
        $.ajax({
            type: "POST",
            url: "modify_profile.php",
            data: {"firstname": firstname, "lastname": lastname},
            success: function (data) {
            }
        });
    }
    });

Here is modify_profile.php.

    <?php
    require("../db/connect.php");
    $email = 'test@gmail.com';

    $written_password = $_POST['firstname'];

    if (isset($_POST['firstname'])) {
        $firstname = $_POST['firstname'];
        // Bind the value as a parameter instead of interpolating it into the SQL text
        $stmt = mysqli_prepare($dbcon, "UPDATE user SET first_name=? WHERE email=?");
        mysqli_stmt_bind_param($stmt, "ss", $firstname, $email);
        $result = mysqli_stmt_execute($stmt);
    }

    if (isset($_POST['lastname'])) {
        $lastname = $_POST['lastname'];
        $stmt = mysqli_prepare($dbcon, "UPDATE user SET last_name=? WHERE email=?");
        mysqli_stmt_bind_param($stmt, "ss", $lastname, $email);
        $result = mysqli_stmt_execute($stmt);
    }

    require("../db/close.php");
    ?>

Filip Eriksson
  • You would have to send the password off to another file and compare it on the server, this would stop the real password being seen in the source. If that's what you meant by un-secure? – Dale Aug 31 '13 at 13:09
  • In PHP example codes on Stack Overflow please never use short-open tags, please see [Are PHP short tags acceptable to use?](http://stackoverflow.com/q/200640/367456) – hakre Aug 31 '13 at 13:41
  • right-click + inspect element = Ahh so that's the password! – Jo E. Aug 31 '13 at 13:49

1 Answer

You cannot have an if statement of that style and be secure. Security requires that you don't store the password.

To be secure you must:

  1. Only store the password in hashed form with a salt
  2. Send the submitted password to your server over SSL
  3. (On the server) hash the submitted password with the same salt and compare it to the stored hashed password

Even if that wasn't the case, asking the browser (which is under the control of the user) to check if the password is right would be insecure because the user could look at the JavaScript and make the HTTP request in the else statement directly.

You would need to do something like:

    $.ajax({
        type: "POST",
        url: "modify_profile.php",
        data: {"firstname": firstname, "lastname": lastname, password: password},
        success: function (data) { }
    })

Quentin
  • Well the thing is that I want to check it before entering modify_profile.php because I want some actions in case the password is wrong. Maybe I don't want the particular alert message but I want to be able to change the text to red. – Filip Eriksson Aug 31 '13 at 13:27
  • above answer is the right one, you can always do something afterwards. – kangoroo Aug 31 '13 at 13:30
  • Then you need `modify_profile.php` to return a response indicating that the password was wrong, and then your error handler can change the text colour (and hopefully other things that are a lot more obvious). – Quentin Aug 31 '13 at 13:31
  • That's good Quentin. How do I return that response from modify_profile.php? – Filip Eriksson Aug 31 '13 at 13:38
  • Security is always relative, and even if it's not secure enough for Quentin, it might be secure enough for Filip. So I would be very careful with such answers. – hakre Aug 31 '13 at 13:42
  • Well, a good first step for me is not to use: `if(password!='')` since you can see the correct password. – Filip Eriksson Aug 31 '13 at 13:51
  • @FilipEriksson — `echo $someResponse` – Quentin Aug 31 '13 at 13:56
  • I still don't understand how to handle that response Quentin. I posted modify_profile.php. Let's say that I will check if the password is correct and it's either true or false (I haven't done that yet). What do I need to write in modify_profile.php to give that response and how do I handle that after the ajax function in my main file? – Filip Eriksson Aug 31 '13 at 14:14
  • You echo some text out of the php program, then you examine it using the variable that is the argument to the success or error function. – Quentin Aug 31 '13 at 14:18
  • Quentin - can you please write a short code example of what to write in both files? – Filip Eriksson Aug 31 '13 at 14:45
  • `echo "Oh no!";` and `success: function (data) { if (data === "Oh no!") { /* Change to red */ } else { /* do something else */ } }` – Quentin Aug 31 '13 at 15:02
  • Sorry, I just noticed that the if statement doesn't work for me. It never enters it. Is it wrong? – Filip Eriksson Aug 31 '13 at 15:46
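
The server-side check that the answer and its comments describe, as an added example that is not code from the original posts: a hypothetical `modify_profile.php` that verifies the submitted password against a stored hash and reports the outcome as an HTTP status plus JSON. The `password_hash` column, the `$_SESSION['email']` lookup and the JSON field names are assumptions; it also assumes PHP 7.1+ and that the request arrives over TLS.

```php
<?php
// Added example: hypothetical hardened modify_profile.php.
// Assumptions: ../db/connect.php provides $dbcon (mysqli); table `user` has a
// `password_hash` column written with password_hash(); the logged-in user's
// email is held in $_SESSION['email'] (the original post hard-codes it).
session_start();
require("../db/connect.php");

function respond(int $status, array $body): void {
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

$email    = $_SESSION['email'] ?? null;
$password = $_POST['password'] ?? '';
if ($email === null) {
    respond(401, ['ok' => false, 'error' => 'not_logged_in']);
}

// Fetch only the stored hash; the plaintext password is never stored or echoed.
$stmt = mysqli_prepare($dbcon, "SELECT password_hash FROM user WHERE email = ?");
mysqli_stmt_bind_param($stmt, "s", $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $hash);
$found = mysqli_stmt_fetch($stmt);
mysqli_stmt_close($stmt);

// password_verify() re-hashes the input with the salt embedded in $hash.
if (!$found || !password_verify($password, $hash)) {
    respond(403, ['ok' => false, 'error' => 'wrong_password']);
}

// Column names come from this fixed map, values are bound parameters.
$columns = ['firstname' => 'first_name', 'lastname' => 'last_name'];
foreach ($columns as $field => $column) {
    if (isset($_POST[$field])) {
        $value = $_POST[$field];
        $stmt = mysqli_prepare($dbcon, "UPDATE user SET $column = ? WHERE email = ?");
        mysqli_stmt_bind_param($stmt, "ss", $value, $email);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
}
respond(200, ['ok' => true]);
```

With a 403 status jQuery calls the request's `error` callback instead of `success`, so the red-text handling goes there. Branching on a status code or a JSON field also avoids exact string comparisons, which fail when the PHP output carries stray whitespace.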