If Input String not equal to MD5 password

[cozzy1984]

Having a bit of trouble when trying to check if an input string (password) equals the md5 password in the database table. Thought best way to do it was to make the string into an md5 variable (md5passwordold) and compare them both. But for some reason it doesnt seem to work.

 

Heres a snippet of my code:

<?php
if (isset($_POST['submit'])) {
$password = $_POST['password'];
$newpassword = $_POST['newpassword'];
$newpassword2 = $_POST['newpassword2'];
$md5passwordold = md5($_POST['password']);
$md5password = md5($_POST['newpassword']);


		if($password && $newpassword && $newpassword2)
		{
			if($md5passwordold != $account["password"])
			{		
				$error['password'] = 'Incorrect Password';
				$passworderror = 'regerrorwrong';
			}

			if($newpassword != $newpassword2)
			{
				$error['newpassword'] = 'Passwords don\'t match';
				$newpassworderror = 'regerrorwrong';
			}

			else if($password == $account["username"]){
				$error['newpassword'] = 'Can\'t be same as username';
				$newpassworderror = 'regerrorwrong';
			}
			else if (preg_match( '/\W/', $newpassword) || !ctype_alnum($newpassword)){
				$error['newpassword'] = 'No spaces / Invalid characters';
				$newpassworderror = 'regerrorwrong';
			}
		} else {
		$error['password'] = 'Please complete all fields';
		$passworderror = 'regerrorwrong';
	}

}

if(!$_SESSION["username"]){ ?>

<div id='postit'>
<div id='scotchtape'>

</div>
<h2>Not Logged In!</h2>
<p><span class='highlight'>Sorry, you are not logged in, therefore unable to view this page.</span> Please try logging in using the form on the right. If you are not a member you can register for free <a href="register.php">here..</a></p>
</div>
<?php
}

else if (!$error && isset($_POST['submit'])) 
{ 
   $update = mysql_query("UPDATE users SET password='$md5password' WHERE username='" . $_SESSION["username"] . "'"); 
?> 

<div id='postit'>
<div id='scotchtape'>

</div>
<h2>Password Change Successful</h2>
<?php echo "<p><span class='highlight'>Your password has been successfully updated " . $_SESSION["username"] . "</span>";?>
<p>Please Logout in order to test your new password, if there are any problems please contact us.</p>

</div>
<?php
} else{ 
   $account = mysql_fetch_array(mysql_query("SELECT username,password FROM users WHERE username='" . $_SESSION["username"] . "'")); 
?> 

<div id='postit'>

<div id='scotchtape'>
<img src='images/scotchtape.png' alt='' height='41' width='100' />
</div>
<h2>Change Password</h2>
<p><span class='highlight'>Below are the details for your account, <?php echo $account["username"]; ?></span><br/>You can edit your details simply by changing them and clicking the save changes button.</p>
<div id="helpicon"><img src='images/help_icon.png' alt='' height='70' width='70' /></div>
<div id="directionstitle">Help Information</div>
<div id="directions">This box will contain help relating to each section.<br/> All fields are required.</div>

</div>
<form name="registration" method="post" class="regform" action="" enctype="application/x-www-form-urlencoded">

<fieldset>
<label for="password">Current Password:</label>
<input name="password" type="password" id="password" maxlength="15" value="<?php echo $_POST['password']; ?>" onfocus="infotitle('Enter Curent Password'); info('Please enter your current password to authenticate user.');" />
<span class="<?php echo $passworderror; ?>"><?php echo $error['password']; ?></span>
</fieldset>

<fieldset>
<label for="newpassword">New Password:</label>
<input name="newpassword" type="password" id="newpassword" maxlength="15" value="" onfocus="infotitle('Re-Enter Password'); info('Your password can be any combination of characters and must be at least 4 chartacters in length.');" />
<span class="<?php echo $newpassworderror; ?>"><?php echo $error['newpassword']; ?></span>
</fieldset>

<fieldset>
<label for="newpassword2">Re-Type New Password:</label>
<input name="newpassword2" type="password" id="newpassword2" maxlength="15" value="" onfocus="infotitle('Re-Enter Password'); info('Please re-enter your new password to make sure it is correct.');" />
</fieldset>

<input type="submit" class="savebtn" name="submit" value="" />
</form>

<?php
}
?>

 

 

Hope you's can help.

[revraz]

All you need is one line

 

$password = md5 ($_POST['password']);

 

[cozzy1984]

Cheers revraz, but that didn't help. I printed out both the $md5passwordold and the $account['password'] and they are the same so i dont understand why this isnt working but am pretty sure it may be down to the fact that i am using $account['password'] to compare in the if statement as the one that compares that the password doesnt eaual $account['username'] is also not working.

 

Is there a special way when using values from a mysql query in an if statement?

[Wolphie]

Are you trying to pull an MD5 encrypted string from a database and echo a decrypted password? (Like the original password)

[cozzy1984]

Are you trying to pull an MD5 encrypted string from a database and echo a decrypted password? (Like the original password)

 

Am trying to pull the md5 password from the database and make sure that it is the same as what they entered into a input box, to confirm the password before they change it to a new one. Have it working using the seesion variables at the minute instead but would like it working by getting the values from the database rather than the session variables.

[rameshfaj]

For instance if the posted password is in the variable $password,then u can do like this:

 

mysql_query(select *from user_table where username=$username and password=$md5(posted_password));

/if the result set has atleast one rows then it is a valid login else not.

[aschk]

That query looks wrong.

Corrected:

$sql = "SELECT* FROM user_table WHERE username = '{$username}' and password = MD5('{$posted_password}')";
mysql_query($sql);