MD5 Password Encryption

[The14thGOD]

Hey, I am working on a change password form but I'm having a little problem.

heres the query:
[code]<?php
$query = "UPDATE user SET password=MD5('$password') , signature='$signature' , ";
$query .= "avatar='$file_dir' , status='$status' WHERE username='$username' ";
[/code]

The problem is that when put like that, the password is the encryption. So for example it would be "aa87d6boi71948anva" rather than if then the actual password.

I think that is it because if I log out and come back in the password is not the password i typed. So I did an echo and got the encryption with MD5 and got the password w/o it.

Anyone know how to update and store as a MD5 encryption?

Thanks in advance.

[marcus]

[code=php:0]
$newpass = md5($password);
//query
[/code]

[The14thGOD]

Thank you. It looks like I have another error /sigh.

Heres the summary:
I'm trying to detect if anything is entered in the password field, and if they match.

1. If they dont match then send back saying so.
2. If password is blank, set password to X.
3. If password exists then newpassword is Y.

heres the code

[code]<?php
$pass_query = "SELECT * FROM user WHERE id=$user_id ";
$pass_result = mysql_query($pass_query);
$pass_row = mysql_fetch_array($pass_result);
if ($password != $confirm_password) {
$error = 'pass';
header("Location: user_prefs.php?error=$error");
exit(0);
}
if ($password == "") {
$newpassword = md5($pass_row[password]);
}
elseif ($password != "") {
$newpassword = md5($password);
}?>[/code]

it is writing to the right row so that shouldn't be a problem..

thanks again.

[corbin]

Where is $password coming from?  I think you need $password = $_POST[var] where var is the name of the form field...

[The14thGOD]

i have import request variables, and its comming from a form

[Hypnos]

If you have an error, you need to paste it, and paste the line that it's from.


$newpassword = md5($pass_row[password]);

This doesn't look right. Aren't your passwords stored as MD5? If so, you would be MD5'ing an MD5.

[The14thGOD]

Ya I was thinking that myself. Is there a way to retrieve it w/o the md5? I tried it w/o the md5 but i think it failed..ill try again..

[The14thGOD]

Hmm.. it worked..but I'm almost positive that I tried it before..maybe I mistyped something..I know I fixed something along the lines.

Thanks for the help =D

[Sir William]

What wasn't really said was how you SHOULD be checking passwords.  The most common way I've seen and used is to store the md5'd password hash in the database for the user.  Then when they have to authenticate, you get their username/id and password.  You then retrieve the hash from the DB then md5 the submitted password.  If the retrieved hash and the hashed submission match, then you're authentic.  If not, error/try again/whatever.  That make sense?