[SOLVED] encrypted password

[ngreenwood6]

I have a script where users can login and register for my site. I have just created a page where users can reset their password. I am trying to do the error handling section of it right now. I am trying to make it so that if they do not enter a password into the form it tells them they must enter a password. I have this code:

 

if (empty($new_pass)
{
echo ("You must enter a password");
}

 

The problem is that it submits it no matter what. I just figured out why, but I don't know how to fix it. The reason is because the password is encrypted. So if they don't enter a password it still gives them a value of something crazy like "dakjk389934532" (md5 hash). Does anyone know how to fix it so that it will check to make sure that they have entered a value?

[JonnoTheDev]

Only encrypt if the password is entered:

 

if(strlen(trim($_POST['password']))) {
  $newPass = md5($_POST['password']);
  // update database

}
else {
echo "Please enter a password";
}

[ngreenwood6]

Thanks for the reply. I got it working with your suggestion.

[mbeals]

where are you applying the hash?

 

perform your validation on the submitted password before hashing:

 

<?php

$pass = $_POST['pass'];

if($pass) $hash = md5($pass);

?>

 

Now...I wouldn't do it exactly like that.  I'd write a function that does more validation first:

 

<?php

function validate($pass){

 if(!$pass) return 0;
 if(!preg_match("some regex", $pass) return 0;
 ## more conditions

 return md5($pass);
}

if($hash = validate($_POST['pass'])){
  #do something with the valid hashed password
}

?>