I stored passwords in a mysql database using md5, and I have one script working that confirms an email address/password match to log someone in. Now I'm working on another script to allow the person to update their password, but I can't get the password retrieved to match.

    $check_pass = md5($old_pass);
    $valid_user = $_SESSION['valid user'];
    $query = " SELECT password
        FROM users
        WHERE email = '$valid_user'
        LIMIT 1";
    $result = mysql_query($query) or die ("Error in query: $query. " . mysql_error());
    while ($row = mysql_fetch_object($result))
    {
        $stored_pass = $row->password;
    }
    if($check_pass<>$stored_pass)
    {
        print 'stored: '.$stored_pass.'<br/>';
        print 'entered: '.$check_pass;
        $error .= "<li>The old password entered does not match the database.</li>";
    }

This is what is returned. The one that it says is stored in the db is not what is actually stored there. And apparently it's the md5 of nothing? When I enter the query in the mysql db directly, it works fine and returns the proper value. Any ideas?

    stored: d41d8cd98f00b204e9800998ecf8427e
    entered: dc050ee2df0b09b13b3f9be754e27aad

Also, I've been doing a lot of reading of other posts on the site re: md5 and wondering if I should worry about adding a salt or other additional security. The only validation I did on the passwords that users chose is that they had to be at least 6 characters. If I want to change it now, I'll have to make everyone create a new password, which I can't imagine they would like too much... I'm really a novice at this, but I'm trying to make a pretty complex site completely on my own and I've got so many questions!
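
On the question of strengthening the stored hashes, the following is an added example, not part of the original post: it checks a login against the legacy unsalted MD5 digest and, on success, replaces it with a salted `password_hash()` value while the plaintext is still available. The function name `verify_and_upgrade`, the PDO connection, the in-memory SQLite table (which needs the pdo_sqlite extension) and the sample credentials are assumptions constructed for the illustration.

```php
<?php
// Added example (hypothetical names): upgrade legacy MD5 hashes at login.
// Assumes a users(email, password) table whose password column can hold
// the longer password_hash() output (VARCHAR(255) is the usual choice).

function verify_and_upgrade(PDO $db, string $email, string $password): bool
{
    // Prepared statement: the e-mail is bound, never interpolated.
    $stmt = $db->prepare('SELECT password FROM users WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // no such user
    }

    // Legacy rows hold a bare 32-character hex MD5 digest.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($isLegacy) {
        // hash_equals() compares the digests in constant time.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return false;
    }

    // The plaintext is only available during login, so re-hash it here.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    return true;
}

// Constructed demo data in an in-memory SQLite database, so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['a@example.com', md5('hunter22')]);

var_dump(verify_and_upgrade($db, 'a@example.com', 'wrong'));    // wrong password
var_dump(verify_and_upgrade($db, 'a@example.com', 'hunter22')); // legacy MD5 path
var_dump(verify_and_upgrade($db, 'a@example.com', 'hunter22')); // password_verify path
var_dump($db->query('SELECT password FROM users')->fetchColumn()); // stored value now
```

Accounts that never log in again keep their MD5 digest under this scheme, so a cutoff date after which remaining legacy rows require a reset is a common companion policy.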