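// --- Change-password handler (fragment) ---------------------------------------
// This span sits inside the page's main "form submitted" conditional, which opens
// before this fragment and is closed by the `} else {` at the bottom. Inputs it
// relies on from earlier in the file: $dbc (mysqli link), $errors (array),
// $currentpw (the current password as entered), and the SECRET constant used to
// key the stored HMAC.
//
// Security fixes relative to the previous version of this span:
//   * driver error text is logged server-side instead of being printed to the user;
//   * the stored hash is compared with hash_equals() (constant time);
//   * password comparisons use === / !== (== treats "1e3" and "1000" as equal);
//   * form fields are accepted only as non-empty strings (new_password[]=x would
//     previously have reached hash_hmac() as an array);
//   * salt generation checks that openssl_random_pseudo_bytes() actually succeeded
//     and was cryptographically strong (bin2hex(FALSE) silently yielded "");
//   * prepared statements are closed.
// The HMAC-SHA512(password . salt, SECRET) scheme itself is deliberately NOT
// changed here: the login page (outside this fragment) must verify the same
// format, so a migration to password_hash()/password_verify() has to be done in
// both places together.

if (empty($errors)) { // Current password was supplied by the form (validated before this span)
    // Identity comes from the session created at login, never from the form, so a
    // user can only ever change their own password.
    if (!isset($_SESSION['email'], $_SESSION['i_id'])) {
        // No authenticated identity in the session; same outcome the original
        // reached after an empty query result. Deliberately vague to the user.
        $errors[] = 'SystemError 111';
    } else {
        $email = $_SESSION['email'];
        $i_id  = $_SESSION['i_id'];
        $old_login_OK = NULL;

        // Retrieve the stored salt and hash for exactly this (email, id) pair.
        $q1 = 'SELECT i_namefirst, salt, pswd FROM individual WHERE i_email = ? and i_id = ?';
        $stmt = mysqli_prepare($dbc, $q1);
        if (FALSE === $stmt) {
            // Driver detail goes to the server log only; echoing mysqli_error() to the
            // browser leaks schema and driver information.
            error_log('changepassword: prepare failed: ' . mysqli_error($dbc));
            die('A system error occurred. Please try again later.');
        }
        $rc = mysqli_stmt_bind_param($stmt, 'si', $email, $i_id);
        if (FALSE === $rc) {
            error_log('changepassword: bind failed: ' . mysqli_stmt_error($stmt));
            die('A system error occurred. Please try again later.');
        }
        $rc = mysqli_stmt_execute($stmt);
        if (FALSE === $rc) {
            error_log('changepassword: execute failed: ' . mysqli_stmt_error($stmt));
            die('A system error occurred. Please try again later.');
        }
        mysqli_stmt_store_result($stmt);

        if (mysqli_stmt_num_rows($stmt) == 1) { // exactly one record is the only good case
            mysqli_stmt_bind_result($stmt, $namefirst, $salt, $pswd);
            mysqli_stmt_fetch($stmt);
            mysqli_stmt_close($stmt);

            // Recompute the stored format from the password as entered.
            $gen_pswd = hash_hmac('sha512', $currentpw . $salt, SECRET);

            // hash_equals() runs in constant time, so response timing cannot leak how
            // many leading bytes of the stored hash were matched. Guard the type first:
            // a NULL pswd column would otherwise be a TypeError / warning.
            if (is_string($pswd) && hash_equals($pswd, $gen_pswd)) {
                $old_login_OK = 'yes';
            } else {
                $errors[] = 'The password entered does not match the one on file.';
            }
        } else {
            mysqli_stmt_close($stmt);
            // Zero or multiple rows: neither should happen for a logged-in user.
            $errors[] = 'SystemError 111';
        }
    }
}

// Ensure we have a new_password. Accept it only as a non-empty string: a crafted
// request can submit new_password[] (an array), which would previously have been
// passed straight into the string comparison and hash_hmac(). A literal "0" is
// accepted here (empty() would have rejected it); presence, not strength, is
// what this check is for.
// NOTE(review): no minimum length or complexity policy is enforced in this
// fragment. Not added here because the policy belongs with the site's
// registration/reset code, which is not visible from this span.
$newpw = "";
if (!isset($_POST['new_password']) || !is_string($_POST['new_password']) || $_POST['new_password'] === '') {
    $errors[] = 'New password missing.';
} else {
    $newpw = $_POST['new_password'];
}

// Strict comparison throughout: == on two numeric-looking strings compares them
// numerically, so "1e3" == "1000" is TRUE.
if ($newpw === $currentpw) {
    $errors[] = 'New password is the same as current password. Select a different new password.';
} else {
    // Ensure we have a retype_password, with the same string-only rule as above.
    $retypepw = "";
    if (!isset($_POST['retype_password']) || !is_string($_POST['retype_password']) || $_POST['retype_password'] === '') {
        $errors[] = 'Retyped password missing.';
    } else {
        $retypepw = $_POST['retype_password'];
        // Ensure new_password matches retype_password.
        if ($newpw !== $retypepw) {
            $errors[] = 'New password does not match retyped new password.';
        }
    }
}

// If everything's OK so far...
if (empty($errors)) {
    if ($old_login_OK === 'yes') { // the current password was verified against the database
        // Fresh per-user salt. openssl_random_pseudo_bytes() returns FALSE on failure,
        // and on PHP < 7 it can hand back non-cryptographic bytes and report that via
        // $crypto_strong; either case must abort rather than store a weak/empty salt.
        $crypto_strong = FALSE;
        $salt_bytes = openssl_random_pseudo_bytes(64, $crypto_strong);
        if (FALSE === $salt_bytes || !$crypto_strong) {
            error_log('changepassword: secure random source unavailable');
            die('A system error occurred. Please try again later.');
        }
        $new_salt   = bin2hex($salt_bytes);
        $newpw_hash = hash_hmac('sha512', $newpw . $new_salt, SECRET);

        // Change the user's password; the row is selected by the session's id only.
        $q2 = 'UPDATE individual SET salt = ?, pswd = ? WHERE i_id = ?';
        $stmt = mysqli_prepare($dbc, $q2);
        if (FALSE === $stmt) {
            error_log('changepassword: prepare failed: ' . mysqli_error($dbc));
            die('A system error occurred. Please try again later.');
        }
        $rc = mysqli_stmt_bind_param($stmt, 'ssi', $new_salt, $newpw_hash, $i_id);
        if (FALSE === $rc) {
            error_log('changepassword: bind failed: ' . mysqli_stmt_error($stmt));
            die('A system error occurred. Please try again later.');
        }
        $rc = mysqli_stmt_execute($stmt);
        if (FALSE === $rc) {
            error_log('changepassword: execute failed: ' . mysqli_stmt_error($stmt));
            die('A system error occurred. Please try again later.');
        }
        $affected = mysqli_affected_rows($dbc); // read before the statement is closed
        mysqli_stmt_close($stmt);

        if ($affected == 1) { // the update was successful
            // NOTE(review): after a credential change the session id should be
            // regenerated (session_regenerate_id(true)) and the user's other sessions
            // considered for invalidation; neither happens in this fragment.
            //
            // Redirect to the success page. LKS 29Mar2014
            // NOTE(review): HTTP_HOST is the client-supplied Host header; unless the web
            // server enforces a canonical host name, an attacker-controlled Host value
            // ends up in this Location header. A relative Location (same directory) or
            // a configured site base URL would remove that dependency.
            $url = 'https://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
            if ((substr($url, -1) == '/') or (substr($url, -1) == '\\')) {
                $url = substr($url, 0, -1); // chop off the final slash
            }
            $url .= '/changepasswordsuccess.php';
            header("Location: $url");
            exit(); // Quit the script.
        } else {
            $errors[] = 'Update was not successful. Please notify the webmaster.';
            $try_again = 'no';
        }
    }
}
} else { // Form has not been submitted. (The `if` this brace closes opens before this fragment.)
    $errors = NULL;
    $try_again = NULL;
} // End of the main Submit conditional.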