Jump to content

PHP Change User Password Script using MD5 hasing

Go to solution Solved by froppo,

Recommended Posts

Hey All,


I have built a website using PHP and MySQL where users have to log in to use the site. I'm now trying to create a page on the site where logged in users can change their password if they need/want to. I thought this would be fairly easy and straight forward but I'm having a ton of issues. I've never been formally trained in PHP and MySQL, I've just picked up stuff along the way throughout the years so when I get into advanced stuff I start to struggle.


I'm using MD5 hashing for the passwords right now. I already know this isn't the most secure method but since I'm familiar with it I'm just going to go with it for now. I'll worry about changing the hashing later.


Anyway, the PHP code lives on the same page as the form. The HTML portion of the form has the following fields:


Current Password (id="cur_password")
New Password (id="password1")
Confirm New Password (id="password2")


Within the script I'm trying to verify that the Current Password and the password in the database match, but because of the MD5 I'm not exactly sure how to do this. Here is what I have so far:


$sql = "SELECT * FROM users WHERE username='$log_username'";
$query = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
$username = $row[username];
$password = $row[password]; 


if (empty ($_POST['cur_password'])){
echo "Fill out all fields.";
else if ($cur_password != $password) {
echo "There was a problem. Wrong Password.";
} else if ($passord1 != $password2) {
echo "Passords don't match.";
} else {
$sql = "UPDATE users SET password = MD5('$password1') WHERE username='$log_username' LIMIT 1";
$query = mysqli_query($db_conx, $sql);
echo "Success! Password has been changed.";


When I test I keep getting the "Fill out all fields." message even though I submitted the form and none of the fields were blank. If I take the "empty" statement out I just keep getting the "There was a problem. Wrong Password." message which should happen only if the current password typed in and the current password in the database don't match. I know that I'm putting in the correct matching password.


Anyway, any help you could give would be greatly appreciated.


Thanks so much. 

Link to comment
Share on other sites

well in your update query, you're using mysql to md5 the value of $password1 which has already been md5'd by php so you are doing it twice when you should only be doing it once. Are you also doing this in whatever registration script you are using? Or did it work the first time and then stopped working the 2nd time and on?

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.