Hello,
I am really getting annoyed by this. :D
What I want to do is this: User signs up, computer generates them a password then e-mails the user all the info. In the e-mail it gives them an activation link. Once activated I want people to be able to change their password by filling out their old password then their new password twice. I want to reflect some errors if any of the boxes are missing, if the old password doesn't match that of the database's, and if the two new passwords don't = each other. Then if everything goes good, then it'll update the password, and send a confirmation e-mail to them.
I find out what the password and the e-mail fields are by using sessions.
Here's the code I am using, if anyone could find out what I'm doing wrong, I would very much appreciate it.
include 'db.php';
session_start();
if(!session_is_registered('first_name')){
    include 'login_form.html';
    exit();
}
$oldpassword = $_POST ['oldpassword'];
$newpassword = $_POST ['newpassword'];
$newpassword2 = $_POST ['newpassword2'];
$oldpassword = stripslashes($oldpassword);
$newpassword = stripslashes($newpassword);
$newpassword2 = stripslashes($newpassword2);
if((!$oldpassword) || (!$newpassword) || (!$newpassword2)){
    echo "You did not submit all the required info! <br />";
    if(!$oldpassword)
    {
        echo "You must fill in your old password! <br />";
    }
    if(!$newpassword)
    {
        echo "You must fill in your New password! <br />";
    }
    if(!$newpassword2)
    {
        echo "You must re-type your new password! <br />";
    }
    if($newpassword2 != $newpassword)
    {
        echo "Your new password does not match in both fields. <br />";
    }
    include 'change_pass_form.php';
    exit();
}
$email = $_SESSION ['email_address'];
$sql_check = mysql_query("SELECT * FROM users WHERE password='$password'");
$sql_check_num = mysql_num_rows($sql_check);
if($sql_check_num != $oldpassword){
    echo "Your old password is incorrect!<br />";
    include 'change_pass_form.php';
    exit();
}
$db_password = md5($newpassword);
$sql = mysql_query("UPDATE users SET password='$db_password' WHERE email_address='$email_address'");
if(!$sql)
{
    echo 'There has been an error updating your password. Please contact the webmaster. ';
}
else{
    $email_address = "$email";
    $subject = "Your recent password change!";
    $message = "Hello,
You have recently changed your password at [url]http://www.1mspinc.com[/url]
Your new password is: $newpassword
Thanks,
Webmaster
This is an automated response, please do not reply!";
    mail($email_address, $subject, $message, "FROM: MSP Inc.<msp@starband.net>\n
X-Mailer: PHP/" . phpversion());
    echo "Your new password has been saved and sent to your e-mail.";
}
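
An added example, not the original poster's code: one way to implement the checks the post describes (per-field errors, a new-password mismatch check that runs on every submit, and the old password verified against the row for the session e-mail), using bound parameters and password_hash() in place of interpolated SQL and md5(). The function name change_password, the in-memory SQLite database and the sample account are assumptions made for the demo; the table and column names come from the post, and stored passwords are assumed to have been created with password_hash().

```php
<?php
// Added example: hypothetical helper, not the original poster's code.
// Returns a list of error strings; an empty list means the password was changed.
function change_password(PDO $db, string $email, string $old, string $new, string $new2): array
{
    $errors = [];
    if ($old === '')  { $errors[] = 'You must fill in your old password!'; }
    if ($new === '')  { $errors[] = 'You must fill in your new password!'; }
    if ($new2 === '') { $errors[] = 'You must re-type your new password!'; }
    // Checked on every request, not only when a field is missing.
    if ($new !== $new2) { $errors[] = 'Your new password does not match in both fields.'; }
    if ($errors) { return $errors; }

    // Look the user up by the session e-mail with a bound parameter,
    // then verify the old password against that row's stored hash.
    $stmt = $db->prepare('SELECT password FROM users WHERE email_address = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($old, $hash)) {
        return ['Your old password is incorrect!'];
    }

    // Store a salted hash and update only this user's row.
    $upd = $db->prepare('UPDATE users SET password = ? WHERE email_address = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $email]);
    return [];
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email_address TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['user@example.com', password_hash('generated-pw', PASSWORD_DEFAULT)]);

// Constructed form submissions: old password, new password, new password again.
$cases = [
    'wrong old password'   => ['not-the-password', 'new-pw-1', 'new-pw-1'],
    'new passwords differ' => ['generated-pw', 'new-pw-1', 'new-pw-2'],
    'valid change'         => ['generated-pw', 'new-pw-1', 'new-pw-1'],
];
foreach ($cases as $label => [$old, $new, $new2]) {
    $errors = change_password($db, 'user@example.com', $old, $new, $new2);
    echo $label, ': ', $errors ? implode(' ', $errors) : 'password updated', PHP_EOL;
}
```

An empty result is the point at which a confirmation e-mail can be sent; leaving the new password out of that message keeps it out of inboxes and mail logs.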