Almost working password change code

jwhillster

I hate to ask, but this has been killing me. I can't for the life of me see what is wrong. I successfully incorporated MD5 into registration and login pages using the same code.

They work fine, yet the password change page doesn't deliver the MD5. The password is changed on the correct record, but in plain text. Hence almost working. Thanks in advance.

$pw = strip_tags(substr($_POST['txtPassword'],0,32));
$cleanpw = md5($pw);

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
  $updateSQL = sprintf("UPDATE registration SET RegPassword='".mysql_real_escape_string($cleanpw)."' WHERE ID=%s",
                       GetSQLValueString($_POST['txtPassword'], "text"),
                       GetSQLValueString($_POST['ID'], "int"));

  mysql_select_db($database_vprRegistration, $vprRegistration);
  $Result1 = mysql_query($updateSQL, $vprRegistration) or die(mysql_error());

  $updateGoTo = "thank_you.php";
  if (isset($_SERVER['QUERY_STRING'])) {
    $updateGoTo .= (strpos($updateGoTo, '?')) ? "&" : "?";
    $updateGoTo .= $_SERVER['QUERY_STRING'];
  }
  header(sprintf("Location: %s", $updateGoTo));
}

$colname_rsRegistration = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_rsRegistration = $_SESSION['MM_Username'];
}
mysql_select_db($database_vprRegistration, $vprRegistration);
$query_rsRegistration = sprintf("SELECT * FROM registration WHERE RegEmail = %s", GetSQLValueString($colname_rsRegistration, "text"));
$rsRegistration = mysql_query($query_rsRegistration, $vprRegistration) or die(mysql_error());
$row_rsRegistration = mysql_fetch_assoc($rsRegistration);
$totalRows_rsRegistration = mysql_num_rows($rsRegistration);$colname_rsRegistration = "-1";
if (isset($_SESSION['MM_Username'])) {
  $colname_rsRegistration = $_SESSION['MM_Username'];
}
mysql_select_db($database_vprRegistration, $vprRegistration);
$query_rsRegistration = sprintf("SELECT * FROM registration WHERE RegUsername = %s", GetSQLValueString($colname_rsRegistration, "text"));
$rsRegistration = mysql_query($query_rsRegistration, $vprRegistration) or die(mysql_error());
$row_rsRegistration = mysql_fetch_assoc($rsRegistration);
$totalRows_rsRegistration = mysql_num_rows($rsRegistration);
?>

jwhillster

Ok so if on line ten you have:

RegPassword=&#37;s WHERE ID=%s

it updates the password without MD5. On my login page, replacing the first %s with

'".mysql_real_escape_string($cleanpw)."'

used the MD5ed password as the variable and the second remained the same, ID (for selecting which record to modify).

Why - on this page - does replacing the first instance of %s with anything else make the ID = the MD5ed password, thus preventing table modification? How can I modify the code to work around the displacement of the first %s variable?

If anyone has any insight, I'd love to hear it, otherwise I'll continue trying to figure it out for myself.

Thanks!