PHP If statement in input tag value, and form not processing

Question

My form isn't processing. Once I've entered details or even if not, I'm getting the else statement echo "Your password reset key is invalid" on line 95. The key is correct but...

I think there's an issue with the if statement on lines 160-164 for the value of the input tag. I think it needs wrapping in a php tag, but am not sure what's wrong...?

Hope someone can help. Thanks.

<?php

$objForm = new Form();
$objValid = new Validation($objForm);
$objUser = new User();


// Was the form submitted?
if (isset($_POST["ResetPasswordForm"]))
{

        // Form Fields Check
        if ($objForm->isPost('email')) {

            $objValid->_expected = array(
            'email',
            'password',
            'confirm_password'

            );

            $objValid->_required = array(
                'email',
                'password',
                'confirm_password'

                );


            $objValid->_special = array(
                'email' => 'email'
                );


            $objValid->_post_remove = array(
                'confirm_password'
                );


            $objValid->_post_format = array(
                'password' => 'password'
                );

            $email = $objForm->getPost('email');
            $user = $objUser->getByEmail($email);

            if (empty($user)) {
                $objValid->add2Errors('e-mail_not_found');
            }

        }


    // Gather the post data
        $email = $_POST["email"];
        $password = $_POST["password"];
        $confirmpassword = $_POST["confirmpassword"];
        $hash = $_POST["q"];    


    // validate password
    $password = $objForm->getPost('password');
    $confirmpassword = $objForm->getPost('confirmpassword');

    if (!empty($password) && !empty($confirmpassword) && $password != $confirmpassword) {
        $objValid->add2Errors('password_mismatch');
    }

    // Use the same salt from the forgot_password.php file
    $salt = "---blank for demo---";

    // Generate the reset key
    $resetkey = hash('sha512', $salt.$email);

    // Does the new reset key match the old one?
    if ($resetkey == $hash)
    {
        if ($password == $confirmpassword)
        {
            //hash and secure the password
            $password = hash('sha512', $password);

            // Update the user's password
                $query = $conn->prepare('UPDATE clients SET password = :password WHERE email = :email');
                $query->bindParam(':password', $password);
                $query->bindParam(':email', $email);
                $query->execute();
                $conn = null;
            Helper::redirect('/?page=password_changed');
        }
        else
            $objValid->add2Errors('password_mismatch');
    }
    else
        echo "Your password reset key is invalid.";
}


require_once('_header.php'); ?>

<div id="cat_prod"><h1>- CHANGE PASSWORD -</h1></div>

    <br /><br />


    <form action="" method="POST">

        <table cellpadding="0" cellspacing="0" border="0" class="tbl_insert">

            <tr>

                <th>
                    <label for="email">E-mail : *</label>
                </th>

                <td>
                    <?php echo $objValid->validate('e-mail_not_found'); ?>
                    <input type="text" name="email" id="login_email" class="fld" 
                    value="<?php echo $objForm->stickyText('e-mail_not_found'); ?>" /> 
                </td>

            </tr>

            <tr>

                <th>
                    <label for="password">Password : *</label>      
                </th>

                <td>
                    <?php echo $objValid->validate('password'); ?>
                    <?php echo $objValid->validate('password_mismatch'); ?>
                    <input type="password" name="password" id="password" class="fld" value="" />
                </td>

            </tr>

            <tr>

                <th>
                    <label for="confirm_password">Confirm Password : *</label>      
                </th>

                <td>
                    <?php echo $objValid->validate('confirm_password'); ?>
                    <input type="password" name="confirmpassword" id="comfirm_password" class="fld" value="" />
                </td>

            </tr>


            <tr>

                <th>
                     
                </th>

                <td>
                    <label for="change_pass" class="sbm_blue fl_l">
                    <input type="hidden" name="q" value="';
                                if (isset($_GET["q"])) {                        
                                echo $_GET["q"];                            
                            }                           
                                echo '" />
                    <input type="submit" name="ResetPasswordForm" id="btn_login" class="btn" value=" Reset Password " />
                    </label>
                </td>

            </tr>


        </table>

    </form>


<?php require_once('_footer.php'); ?>

Do you have error reporting turned on for your code? Are you getting any error messages? http://stackoverflow.com/questions/845021/how-to-get-useful-error-messages-in-php — Maximus2012, Sep 11 '15 at 20:13
Are you sure the values are getting passed from one part of the page to another ? — Maximus2012, Sep 11 '15 at 20:13
How do you know the values are the same? It looks like the `q` will have raw PHP in it. That should be in php blocks. `value="'; if (isset($_GET["q"])) { echo $_GET["q"]; } echo '" />` — chris85, Sep 11 '15 at 20:17
I added `error_reporting(-1); ini_set('display_errors', 'On');` to the top of my page but don't get anything showing. — Ashley Smith, Sep 11 '15 at 20:17
chris, the q is a static string that never changes, it is a hash of the $salt and $email that is sent via e-mail to a user for changing their password. I need to update this and implement a token system for temp links, but that's to be done. I have been merging two pages to get this working on one as I had some validation messages to output via objValid and the Validation class, so previously I was simply wrapping the form in `` which worked... but now that doesn't with my merging code. — Ashley Smith, Sep 11 '15 at 20:22
You have to put that echo in php blocks.. Also this can make your page open to XSS injection. A malicious user could link to the page with `q` containing markup to insert a form. — chris85, Sep 11 '15 at 20:28
Which echo do you mean in a php block? I've tried but still the form doesn't process. Yes, re XSS, i'll be updating as say to that token system asap to randomise the string - i.e. have temp links and string in database auto-updating on use. — Ashley Smith, Sep 11 '15 at 20:36
Yep, already tried that and get notice and fatal errors as mentioned in the answer/comments below. No joy. — Ashley Smith, Sep 11 '15 at 20:50
Hmm... perhaps it should be conndb? as I have that in my DBase class... `private function connect() { $this->_conndb = mysql_connect($this->_host, $this->_user, $this->_password);` Strange as I say though that this worked when form simply wrapped, I've just added other if conditions to validate passwords, check and report errors. I'm using Object Oriented PHP and extending classes. — Ashley Smith, Sep 11 '15 at 21:01
Cool, I added this back in that I removed as the database connection should d be run automatically for each of my pages, so something's up with that... `$conn = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password);` — Ashley Smith, Sep 11 '15 at 21:08

score 2 · Accepted Answer · answered Sep 11 '15 at 20:22

2

probably you have some typo. Try it like this.

<input type="hidden" name="q" value="<?php echo isset($_GET["q"]) ? $_GET["q"]: '' ;?>"/>

answered Sep 11 '15 at 20:22

volkinc

2,143
1
15
19

She'll have to escape those double quotes. – al'ein Sep 11 '15 at 20:25
I know the if statement is correct as it previously worked when I wrapped the form, so yes maybe something is up...? Doing it your way I just get a fatal error... `Notice: Undefined variable: conn in /reset_password.php on line 84 Fatal error: Call to a member function prepare() on a non-object in /reset_password.php on line 84` Btw, I'm Male :) Blame the parents... Lol – Ashley Smith Sep 11 '15 at 20:30
Escaping the quotes renders the page blank. – Ashley Smith Sep 11 '15 at 20:32
in a case of Call to a member function prepare() you just have no connection object ready. And you don't need escape quotes, to check it out see the source of you page – volkinc Sep 11 '15 at 20:32
1

can you do echo print_r($conn, true); before line $query = $conn->prepare(.... just to see if there is an object – volkinc Sep 11 '15 at 20:44
1

so you have no connection, check the code where you creating the connection, It could be that the server is down – volkinc Sep 11 '15 at 20:49

PHP If statement in input tag value, and form not processing

1 Answers1