phprick Posted August 11, 2012

I made a script to change the password. If I fill in the form I get a message that my password is changed, but it doesn't :'( Please help me, thanks in advance.

```php
if($_POST['submit']=='Set')
{
    // If the change form has been submitted
    $err = array();
    $usr = $_SESSION['usr'];
    $newpass = $_POST['newpass'];
    $passorig = mysql_query("SELECT pass FROM tz_mebers WHERE usr=$usr");
    $email = mysql_query("SELECT email FROM tz_mebers WHERE usr=$usr");

    if(!$_POST['oldpassword'] == $passorig)
    {
        $err[]='Your password is incorrect!';
    }

    if(!$_POST['newpass'] == $_POST['vnewpass'])
    {
        $err[]='Your passwords do not match!';
    }

    if(!count($err))
    {
        // If there are no errors
        $pass = md5($_POST['newpassword']);
        // Generate a random password
        $_POST['newpassword'] = mysql_real_escape_string($_POST['newpassword']);
        // Escape the input data
        mysql_query("UPDATE tz_members SET pass=$newpass WHERE usr=$usr");

        send_mail( 'member@clephaswebdesign.x10.mx',
                   $email,
                   'ClephasWebdesign member registration - Your New Password',
                   'Your password is: '.$pass);

        $_SESSION['msg']['cha-success']='Your password is set succesfull!';
    }

    if(count($err))
    {
        $_SESSION['msg']['cha-err'] = implode('<br />',$err);
    }

    header("Location: home.php");
    exit;
}
```

```php
<form action="" method="post">
    <h1>Change Your Password</h1>
    <?php
    if($_SESSION['msg']['cha-err'])
    {
        echo '<div class="err">'.$_SESSION['msg']['cha-err'].'</div>';
        unset($_SESSION['msg']['cha-err']);
    }

    if($_SESSION['msg']['cha-success'])
    {
        echo '<div class="success">'.$_SESSION['msg']['cha-success'].'</div>';
        unset($_SESSION['msg']['cha-success']);
    }
    ?>
    <label class="grey" >Old Password:</label>
    <input class="field" type="password" name="oldpass" id="oldpass" value="" size="23" />
    <label class="grey" >New Password:</label>
    <input class="field" type="password" name="newpass" id="newpass" value="" size="23" />
    <label class="grey" >Verify New Password:</label>
    <input class="field" type="password" name="vnewpass" id="vnewpass" value="" size="23" />
    <input type="submit" name="submit" value="Set" class="bt_register"/>
</form>
```

Porl123 Posted August 11, 2012

You're comparing the user inputted field with a query, you know. You need to fetch the row before you can compare its fields.

```php
$query = mysql_query("SELECT pass, email FROM tz_mebers WHERE usr=$usr");
// Fetch the row from the result handle returned by mysql_query()
$user = mysql_fetch_array($query);
echo 'Email: '.$user['email'].' Password: '.$user['pass'];
```

phprick Posted August 11, 2012

Yes, I know, I forgot, sorry, but it is still not changing.

Porl123 Posted August 11, 2012

In the select queries you're referring to the table tz_mebers and in the update query you're updating tz_members.

phprick Posted August 11, 2012

OK, yes, but then it should change??

Porl123 Posted August 11, 2012

```php
if(!md5($_POST['oldpassword']) == $passorig)
{
    $err[]='Your password is incorrect!';
}
```

The original password should be put through the md5 function to make the comparison.

phprick Posted August 11, 2012

I changed that md5, but now it says "Your password is incorrect".

Porl123 Posted August 11, 2012

Yeah, your update query updates your password to $newpass, which is the version of the password before it went through the md5. So the password stored in the database isn't encrypted.

phprick Posted August 11, 2012

Yes, but it does not change anything, and the original password is incorrect with md5; without md5 I can type anything.

phprick Posted August 11, 2012

Then it has to change to the normal text, right??

Porl123 Posted August 11, 2012

What error messages are you getting?

phprick Posted August 11, 2012

No error. It says that the password changed, but in my database it isn't.

Porl123 Posted August 11, 2012

Ah I see, well add "or die(mysql_error())" at the end of your query.

phprick Posted August 11, 2012

I did this:

```php
mysql_query("UPDATE tz_members SET pass=$pass WHERE usr=$usr")or die(mysql_error());
```

but it still says that the old password is incorrect.

Porl123 Posted August 11, 2012

Well yeah, because the password in the database won't be encrypted. Take the md5 off for a moment.

phprick Posted August 11, 2012

This is what I get:

Unknown column 'rick' in 'where clause'

Christian F. Posted August 11, 2012

First and foremost I'd just like to point out that MD5 was found broken in 2006, meaning it would take only one minute to find a collision with a laptop computer back then. So, don't use MD5 for passwords.

Secondly, you'll always want to use an individual salt per user when hashing the password, and change this salt every time the password is changed.

Read the thread "What's the point of MD5", and you will be a bit more enlightened. Just remember to read the entire thread, as there are quite a lot of misconceptions posted inside of it. Best advice comes in the final post.

Once you've done that, update your code and post the updated version here, if you still have problems with it.

phprick Posted August 11, 2012

ok

phprick Posted August 11, 2012

I have one more question: how can I make a folder under another folder in PHP?

jazzman1 Posted August 11, 2012

> if(!md5($_POST['oldpassword']) == $passorig) { $err[]='Your password is incorrect!'; }
> The original password should be put through the md5 function to make the comparison.

I think this logic is wrong. Simple example:

```php
// incorrect
$pass = "password";
$passMd5 = md5('password');
if(!$passMd5 == md5($pass)){
    var_dump($passMd5);
}

// correct
$pass = "password";
$passMd5 = md5('password');
if($passMd5 == md5($pass)){
    var_dump($passMd5);
}

//correct
$pass = "password";
$passMd5 = md5('password');
if(!$passMd5 != md5($pass)){
    var_dump($passMd5);
}
```

Christian F. Posted August 11, 2012

Actually, that logic is correct. Provided that he'd tested the correct values, that is. Not that I disagree with you that he should have written it in a more simple manner, to make it easier to read and maintain.

The test parses as follows:

```php
// Starting point.
if (!$Hash == md5 ($Pass)) {

// Since $Hash and md5 ($Pass) equals, the comparison returns true.
if (!true) {

// Not true == false, thus the IF-block is skipped and we know the password is correct.
if (false) {
    $err[] = '';
}
```

jazzman1 Posted August 11, 2012

> Actually, that logic is correct.

Are you sure?

```php
$pass = "password";
$passMd5 = md5('password');
if(!$passMd5 == md5($pass)){
    var_dump($passMd5);
} else {
    var_dump(false);
}
```

Christian F. Posted August 11, 2012

Seems I did indeed forget about the operator precedence. Sorry about that.

The correct interpretation of how PHP parses it:

```php
// Starting point.
if (!$Hash == md5 ($Pass)) {

// Since ! has precedence, it changes a string to BOOL FALSE.
if (false == md5 ($Pass)) {

// A string with content is always != false, thus the test will always fail.
if (false) {
    $err[] = '';
}
```

jazzman1 Posted August 11, 2012

No problem.

Christian F. Posted August 11, 2012

I did, then I had some second thoughts and tested the inverse. Thus my edit above. Sorry about all of the confusion, I'm ashamed of myself.

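Added example, not part of the original thread and not any poster's code: the password change from the first post written with PDO bound parameters and password_hash()/password_verify(), covering the unquoted $usr behind the "Unknown column 'rick'" error, the `!$a == $b` precedence bug, and the per-user salt advice. The changePassword() function, the SQLite in-memory database and the sample user are assumptions so that it runs stand-alone; table and column names follow the first post.

```php
<?php
// Added example. changePassword() is a hypothetical helper; the demo data is constructed.
declare(strict_types=1);

function changePassword(PDO $db, string $usr, string $old, string $new, string $verify): array
{
    $err = [];

    // Bound parameter: the user name never becomes part of the SQL text, so a
    // value such as rick cannot be parsed as a column name or as injected SQL.
    $stmt = $db->prepare('SELECT pass FROM tz_members WHERE usr = :usr');
    $stmt->execute([':usr' => $usr]);
    $stored = $stmt->fetchColumn();   // the stored hash itself, not a result handle

    // password_verify() re-hashes $old with the salt embedded in $stored.
    if ($stored === false || !password_verify($old, $stored)) {
        $err[] = 'Your password is incorrect!';
    }
    // Compare with !== instead of "!$a == $b": "!" binds tighter than "==".
    if ($new !== $verify) {
        $err[] = 'Your passwords do not match!';
    }
    if ($err) {
        return $err;
    }

    // password_hash() generates a fresh random salt on every call.
    $upd = $db->prepare('UPDATE tz_members SET pass = :pass WHERE usr = :usr');
    $upd->execute([':pass' => password_hash($new, PASSWORD_DEFAULT), ':usr' => $usr]);
    if ($upd->rowCount() !== 1) {
        $err[] = 'Password was not updated.';   // report success only if a row changed
    }
    return $err;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tz_members (usr TEXT PRIMARY KEY, pass TEXT NOT NULL)');
$db->prepare('INSERT INTO tz_members (usr, pass) VALUES (?, ?)')
   ->execute(['rick', password_hash('old-secret', PASSWORD_DEFAULT)]);

var_dump(changePassword($db, 'rick', 'wrong', 'n3w-secret', 'n3w-secret'));      // wrong old password
var_dump(changePassword($db, 'rick', 'old-secret', 'n3w-secret', 'different'));  // mismatched new passwords
var_dump(changePassword($db, 'rick', 'old-secret', 'n3w-secret', 'n3w-secret')); // valid change
```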