[SOLVED] changing md5 passwords

[CincoPistolero]

I'm trying tor write a change password php page. I currently create passwords with md5. I'm wondering why I can't just take a new post['pwd'], md5 it then update the mysql database. Am I missing something. Below is my code

 

$_POST['passwd'] = strip_tags($_POST['passwd']);
$md5pwd = md5($_POST['passwd']);
$sql = "UPDATE pwUsers SET password='$md5pwd' WHERE pwUserID='$id'";

[BillyBoB]

Is $id set somewhere or is it in a session?

[CincoPistolero]

yes, $id is set

[Alex]

Are you actually running the query (mysql_query())?. If so, double check your column names.

 

It's also usually not a good idea to preform functions like strip_tags() on passwords that will be encrypted. If users decide to use tags in their passwords (don't know why they would..) it would confuse them by changing their password, and although this scenario is unlikely there is no disadvantage because anything possibly malicious would be rendered harmless after an md5 encryption. Another good security measure is utilizing a salt.

[gizmola]

The answer is -- you can.  There is nothing inherently wrong with the lines of code you provided.  We can't see if and when you actually issue the query, or if there's an error.  If there is, perhaps that is the problem, and you should be catching that from the mysql_error() code.

 

The other thing I wonder about is why you are running strip_tags? Whether or not someone includes html tags in their password or not shoudl be irrelevant -- you aren't storing that, you're storing the md5() version of it.  strip_tags() is unnecessary here.

[CincoPistolero]

OK, I swear I had this in here yesterday, but it appears I was lacking

 

$resultmd = mysql_query($sql) or die ("Error in query: $sql. " . mysql_error());

 

 

is working now.