Password encryption

thmnetwork

okay I saved each user's password in encrypted form in the DB (maybe this was a mistake) and now I want to set up a script to where users can change their passwords, and I've tried to use the password function in the WHERE clause but this doesn't seem to work, it just gives me an error as to my SQL syntax.

Any ideas?

MrAlaska

Saving the password encrypted is always a good idea because it gives your users a layer of protection if your database security is compromised.

Are your users able to log in at all? I do not completely understand your problem. One approach would have the users enter their old password for validation and also the new one, then change the password to the new encrypted password.

Something like:

$sql="
update table users
set password = '".crypt($newPass, $salt) ."'
where user_id=$user_id
and password='". crypt($oldPass, $salt).'";

I think that's right. I use my own functions so I might be memory challenged, but I think that is valid PHP syntax.

thmnetwork

yeah that's what I was writing when it gave me the error, only I didn't have the part in there about the userid, could that of been the problem?

they're able to login, they just can't change their passwords right now.

MrAlaska

Leaving the user ID out would not have thrown an error, it just carries the risk that another user might get their password updated too g

Echo the sql statement back and see what it looks like. Maybe you are missing a quote or something...