[RESOLVED] password checking problems

Smudly

I'm creating a profile page that allows users to change their first name, last name, email or password.

Everything is working fine, except the password part.

On one of the else statements, it says "Old passwords do not match".

That is the message i get when I try changing the password. It could be an MD5 error

MySQL version: 5.0.19
I'm not getting any mysql errors

Here's the code:

<?php

session_start();
include('inc/connect.php');

$username = $_SESSION['username'];

if ($username)
{
	//if user is logged in

$sql = mysql_query("SELECT * FROM `users` WHERE `username`='".$username."'");
$row = mysql_fetch_assoc($sql);

$fname = $row['fname'];
$lname = $row['lname'];
$email = $row['email'];
$edit = ($_POST['edit']);

// Edit variables
$fnamenew = ucfirst(strip_tags($_POST['fname']));
$lnamenew = ucfirst(strip_tags($_POST['lname']));
$emailnew = strip_tags($_POST['email']);
$password = strip_tags(md5($_POST['password']));
$passwordnew = strip_tags(md5($_POST['passwordnew']));
$passwordconf = strip_tags(md5($_POST['passwordconf']));


if($edit){

// check password against database

$oldpassworddb = $row['password'];

// check passwords
if($password==$oldpassworddb)
{
	//check two new passwords
	if($passwordnew==$passwordconf)
	{
		// success
		// change password in database
		$edit = "UPDATE users SET `fname`='$fnamenew', `lname`='$lnamenew', `email`='$emailnew', `password`='$passwordnew' WHERE username='$username'";
		mysql_query($edit);

	$fname = ucfirst(strip_tags($_POST['fname']));
	$lname = ucfirst(strip_tags($_POST['lname']));
	$email = strip_tags($_POST['email']);

	$submitted = "Changes Submitted";


}
else
	die("New Passwords Don't Match!");

}
else
	die("Old Password doesn't match!");

}
}
else
	header("Location: index.php");

?>

<html>
<head>
<title>Profile</title>
</head>
<body>

<form action="profile.php" method="POST">
	Username: <input type="text" value="<?php echo $username; ?>" readonly="readonly"><br />
	First Name: <input type="text" maxlength="25" name="fname" value="<?php echo $fname; ?>"><br />
	Last Name: <input type="text" maxlength="25" name="lname" value="<?php echo $lname; ?>"><br />
	Email: <input type="text" maxlength="64" name="email" value="<?php echo $email; ?>"><br />
	Password: <input type="password" maxlength="32" name="password"><br />
	New Password: <input type="password" maxlength="32" name="passwordnew"><br />
	Confirm Password: <input type="password" maxlength="32" name="passwordconf"><br />

<input type="submit" name="edit" value="Submit Changes">
<?php echo $submitted; ?>
</form>
</body>
</html>

NogDog

How was the password in the DB hashed? Did you use any sort of "salt" for it? Other than that, try echoing out both of the variables that are being compared to see if either is obviously wrong (e.g. empty).

Also, it shouldn't have anything to do with this problem, but there is no need to do a strip_tags() on an md5()'ed value, as md5() returns a string of hexadecimal characters (0-9 and A-F).

bradgrafelman

Also note that user-supplied data should never be used in a SQL query without first sanitizing it with a function such as [man]mysql_real_escape_string/man (for string data). Otherwise, your code will be vulnerable to SQL injection attacks and/or just plain SQL errors.

Smudly

Got it working. Thanks for the tips!