Hashed password change feature – Core PHP

Before you proceed, make sure you have PHP 5.5.0 or later (PHP 5 >= 5.5.0) or PHP 7. You can check your server’s PHP version by creating a new PHP file and writing the following code in it:

<?php
	phpinfo();
?>

This tutorial uses the PHP password_hash and password_verify functions, which let you save passwords in a MySQL database as hashed strings, so even if your database gets hacked or someone reads it, they will still not be able to read the actual passwords of users. For the sake of simplicity, we are going to use a sample table named “users” in the MySQL database with just 4 columns:

  1. ID (int, auto increment primary key)
  2. name (text)
  3. email (text)
  4. password (text)

Create an HTML form

Our form will contain 3 fields:

  1. Current password: to check that the user has entered their current password correctly.
  2. New password
  3. Confirm password

Paste the following code in the page where you want to allow users to change their password (make sure to change the form’s action attribute to your desired filename):

<link rel="stylesheet" type="text/css" href="bootstrap.min.css">

<div class="container" style="margin-top: 50px;">
	<div class="row">
		<div class="col-md-12">
			<form method="POST" action="index.php">
				<div class="form-group">
					<label>Current password</label>
					<input type="password" class="form-control" name="current_password" placeholder="Current password">
				</div>

				<div class="form-group">
					<label>New password</label>
					<input type="password" class="form-control" name="new_password" placeholder="New password">
				</div>

				<div class="form-group">
					<label>Confirm password</label>
					<input type="password" class="form-control" name="confirm_password" placeholder="Confirm password">
				</div>

				<p>
					<input type="submit" class="btn btn-primary" name="change_password" value="Change password">
				</p>
			</form>
		</div>
	</div>
</div>

Handle PHP request

When you submit the form above, it sends the data to the “index.php” page. If you have written a different filename in the “action” attribute, paste the following code in that PHP file instead:

<?php

	// Connect with database (the host, user, password and database name are the tutorial's sample values)
	$conn = mysqli_connect("localhost:8889", "root", "root", "classicmodels");
	if (!$conn)
	{
		die("Connection failed: " . mysqli_connect_error());
	}

	// Set user ID, you must be getting it from $_SESSION
	$user_id = 1;

	// This will be called once form is submitted
	if (isset($_POST["change_password"]))
	{
		// Get all input fields
		$current_password = $_POST["current_password"];
		$new_password = $_POST["new_password"];
		$confirm_password = $_POST["confirm_password"];

		// Check if current password is correct.
		// A prepared statement keeps the user ID out of the SQL string,
		// and only the stored hash is read, never the whole row.
		$stmt = mysqli_prepare($conn, "SELECT password FROM users WHERE id = ?");
		mysqli_stmt_bind_param($stmt, "i", $user_id);
		mysqli_stmt_execute($stmt);
		mysqli_stmt_bind_result($stmt, $stored_hash);
		$found = mysqli_stmt_fetch($stmt);   // true when a row was returned
		mysqli_stmt_close($stmt);

		if ($found && password_verify($current_password, $stored_hash))
		{
			// Check if new and confirm passwords are the same.
			// Strict comparison (===): with == PHP treats numeric-looking strings
			// such as "1e3" and "1000" as equal. An empty new password is rejected.
			if ($new_password !== "" && $new_password === $confirm_password)
			{
				// Change password: only the hash is stored, never the plain text
				$new_hash = password_hash($new_password, PASSWORD_DEFAULT);
				$stmt = mysqli_prepare($conn, "UPDATE users SET password = ? WHERE id = ?");
				mysqli_stmt_bind_param($stmt, "si", $new_hash, $user_id);
				mysqli_stmt_execute($stmt);
				mysqli_stmt_close($stmt);

				echo "<div class='alert alert-success'>Password has been changed.</div>";
			}
			else
			{
				echo "<div class='alert alert-danger'>Password does not match.</div>";
			}
		}
		else
		{
			echo "<div class='alert alert-danger'>Password is not correct.</div>";
		}
	}
?>
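The verify-and-replace decision from the handler above, pulled out into a function that takes the stored hash instead of touching the database, so it can be run and tested on its own. This is an added example, not code from the original tutorial; it goes one step beyond the tutorial by also using password_needs_rehash, so a hash created with an older cost or algorithm is upgraded the next time the user proves they know the password. The function names and the sample passwords are constructed for this illustration.

```php
<?php
// Added example (not from the tutorial): the change-password decision as a pure function.
// Returns array("ok" => true, "hash" => <new hash>) or array("ok" => false, "error" => <message>).
function change_password_hash($stored_hash, $current, $new, $confirm)
{
    // Verify the current password against the stored hash; password_verify
    // reads the algorithm, cost and salt from the hash string itself.
    if (!password_verify($current, $stored_hash)) {
        return array("ok" => false, "error" => "Password is not correct.");
    }
    // Strict comparison: "1e3" == "1000" is true in PHP, "1e3" === "1000" is not.
    // An empty new password is rejected as well.
    if ($new === "" || $new !== $confirm) {
        return array("ok" => false, "error" => "Password does not match.");
    }
    // Fresh hash: PASSWORD_DEFAULT picks the current algorithm and a new random salt
    return array("ok" => true, "hash" => password_hash($new, PASSWORD_DEFAULT));
}

// Upgrade a stored hash when the default algorithm or cost has changed.
// Call this right after a successful password_verify, while the plaintext is available.
// Returns the new hash to store, or null when the stored hash is still current.
function upgrade_hash_if_needed($stored_hash, $plaintext)
{
    if (password_needs_rehash($stored_hash, PASSWORD_DEFAULT)) {
        return password_hash($plaintext, PASSWORD_DEFAULT);
    }
    return null;
}

// Constructed sample: what the "password" column holds after password_hash()
$stored = password_hash("old-secret", PASSWORD_DEFAULT);

$wrong_current = change_password_hash($stored, "wrong", "new-secret", "new-secret");
$loose_match   = change_password_hash($stored, "old-secret", "1e3", "1000");
$changed       = change_password_hash($stored, "old-secret", "new-secret", "new-secret");

echo "wrong current password rejected: " . var_export(!$wrong_current["ok"], true) . "\n";
echo "numeric-looking mismatch rejected: " . var_export(!$loose_match["ok"], true) . "\n";
echo "new hash verifies new password:   " . var_export($changed["ok"] && password_verify("new-secret", $changed["hash"]), true) . "\n";
echo "new hash differs from old (salt):  " . var_export($changed["hash"] !== $stored, true) . "\n";

// A bcrypt hash made with a lower cost than the current default is flagged for upgrade
$weak = password_hash("old-secret", PASSWORD_BCRYPT, array("cost" => 4));
echo "weak hash upgraded:   " . var_export(upgrade_hash_if_needed($weak, "old-secret") !== null, true) . "\n";
echo "current hash kept:    " . var_export(upgrade_hash_if_needed($stored, "old-secret") === null, true) . "\n";
```

In the handler, the returned hash would be written back with the same prepared UPDATE statement the tutorial uses for a password change.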
