[Resolved] md5'ed passwords

SeenGee

Doin a user admin thing for a site, users get to choose a username but are given a password to begin with. i'm giving them the option to change the password now. I've used md5 to encrypt it all but i'm comin across problems.

to check the user i'm drawing their md5'ed password from the database and comparing this with the password they have entered in the form which i md5 aswell to check they are the same. this works fine, the user can change their password to whatever they want, problem is when they try to login again their password does not work.

Any ideas what might be goin on?

heres the script:

<?php
session_start();
include 'db.php';
require ('functions.php');

$username = $_POST['username'];
$password = $_POST['password'];
$new_password = $_POST['new_password'];
$new_password_check = $_POST['new_password_check'];

$pagename = 'Confirm change';
pagetop($pagename);

if ((!$username) || (!$password) || (!$new_password) || (!$new_password_check))
{
		echo 'You did not enter the required information <br />';

	if (!$username)
		{
		echo 'Username is a required field, please fill it our <br />';
		}
	if (!$password)
		{
		echo 'Your original password is a required field, please fill it our <br />';
		}
	if (!$new_password)
		{
		echo 'Your new password is a required field, please fill it our <br />';
		}
	if (!$new_password_check)
		{
		echo 'Your new password is a required field, please fill it our <br />';
		}
		include 'pass_prob.php';// Show the form again! 

		/* End the error checking and if everything is ok, we'll move on to 
		creating the user account */ 
		pagebottom();
		exit();
		}

if ($new_password !== $new_password_check)
{
	echo 'Please make sure to enter the same new password twice. Thankyou.';
	include 'pass_prob.php';
	pagebottom();
	exit();	

}

$password_check = mysql_query("select password from users where username='$username'");
while ($row = mysql_fetch_array($password_check)) 
	{ 
	$pass_check = $row["password"]; 
	}
	$pass_this = md5($password);
	if ($pass_check !== $pass_this)
		{
			echo 'Houston, we have a problem...';
			pagebottom();
			exit();
		}
		else{


$sql_check = mysql_query("SELECT * FROM users WHERE username='$username'");
	$sql_check_num = mysql_num_rows($sql_check);
	{
	if($sql_check_num == 0){
		echo "No records found matching your username<br />";
		include 'pass_prob.php';
		pagebottom();
		exit();
	}
	if($sql_check_num > 0)
		{
		$db_password = md5($new_password);//encrypts the password
		$sql = mysql_query("UPDATE users SET password='$db_password' WHERE username='$username' and password = '$password'");
		echo 'Updated, seen.';
		}
	}
}
pagebottom();		
?>

SeenGee

i've just checked, for some reason the encrypted password that is entering the database does not match the password that i am sending to it.

i appended this onto my script:

$new_password_check = 'red';
$new_password_check2 = md5($new_password_check);
echo "$new_password_check2 <br />"; 
echo "$db_password";

the above 2 give the same values, as they should (when i enter the pass as red.)

db_password is the value that is sent at the end of the script but what it echoes back is different to the value that i see when i open my database in phpMyAdmin.

very confusing....