MD5 Encryption help.

[GunnDawg]

Alright so I have a site where you can register, log in, send emails (from user to user), upload an avatar image. I then decided to add a control panel to allow users to change their username and password. I managed to get the 'change username' part to work just fine, and figured I would have no trouble getting the 'change password' part to work as well.

 

I am having a few issues with the code. First it wont MD5 encrypt it like my register script does, and second it doesnt check to make sure the password was typed correctly on the 'veryify password' field, it just goes ahead and changes the users password to the first password input box. So no encryption and no verify checking.

 

Here is the code for changepw.php: http://pastebin.com/m5d898a8e

[roopurt18]

$querycpw  = "UPDATE `users` SET `password` = '".$_POST['newpw']."' WHERE `username` = '".$username."' limit 1";

Why don't you try updating it to the variable that is the result of the hash, rather than the value in POST?

 

Why do you say it does not verify it was typed correctly?  It certainly looks like your code is doing that?

 

 

 die ("Passwords do not match");

Are you serious?

 

(edit)md5 is hashing, not encryption.

[roopurt18]

New Password: <input type = "text" name = "newpw"><br>
        Repeat Password: <input type = "text" name = "newpwrt"><br>

 

Both should be: type="password"

 

Unless you like friends and coworkers looking over your shoulder to know what your passwords are.

[GunnDawg]

Its just a small learning experience, nothing I plan on making real serious. So what do you suggest i change in my code to make this store the md5 result rather than the password it self ?

[roopurt18]

Oh.  I see now why it's not performing the verification.

 

<form action = "changepw.php" method = "POST">

Your form is a POST, yet in your code you are doing:

                $submit = strip_tags($_GET['submit']);
                $newpw = strip_tags($_GET['newpw']);
                $newpwrt = strip_tags($_GET['newpwrt']);

Do you see the problem there?

 

 

[GunnDawg]

ah ok, I was able to correct the password checking and made sure it got stored in MD5, but now my dang login page keeps telling me the new password is invalid

 

The original password you create works fine when you log in, but when you change it (and yes the db updates it) and try to log in, then it no longer works.

 

this is annoying.

[roopurt18]

What's the code on your login page?

[GunnDawg]

Wait suddenly it works

 

Thanks a ton, been scratching my head for a while now with this one.

 

Much appreciated.