Below is a script that is run when a Change Password button is clicked for a form. The form contains 2 password fields, one for the new password, and one for confirming the new password. Here is the action script of the form:
<?php
session_start();
include("func.php");

$NewPassword = mysql_real_escape_string(md5($_POST['newpassword']));
$Confirm = mysql_real_escape_string(md5($_POST['confirmnewpassword']));
$userid = $_SESSION['username'];

if (!isset($NewPassword) || !isset($Confirm)) {
    header("Location: ../error.php");
    die("Error");
} else if ($NewPassword <> $Confirm) {
    header("Location: ../error.php");
    die("Error");
} else {
    dbConnect();
    mysql_query("UPDATE users SET password='$Confirm' WHERE username='$userid'");
    mysql_close($connect);
    header("Location: ../profile.php");
    die("Success");
}
?>
Even when the 2 password fields on the form are empty or do not match, the password is still updated in the database. Any reason for why this could be?
I appreciate any help offered.
You do not need mysql_real_escape_string enclosing the md5 function, as md5 returns a hex number.
will never evaluate to true, you should check if $_POST['newpassword'] and $_POST['confirmnewpassword'] are not empty – in this case if the passwords are both empty the password will be updated.
About the password being updated even if the passwords are different, are you 100% sure you are passing the variables using POST and not GET and the names of the parameters are 'newpassword' and 'confirmnewpassword'?
Try putting an “echo” to display the value of the variables to make sure you are passing the parameters properly, 99% the problem is there.
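Added example, not part of the original thread: a version of the handler that checks the raw POST values before hashing, so empty, missing and mismatched fields are rejected before any UPDATE runs. The changePassword() function, the in-memory SQLite database and the sample user are assumptions made for the demo; password_hash() and a PDO prepared statement stand in for the post's md5() and mysql_query().

```php
<?php
declare(strict_types=1);
// Added example: table and column names follow the post; SQLite in memory
// stands in for the MySQL database so the script runs offline.

/** Returns an error code, or null when the password was changed. */
function changePassword(PDO $db, string $username, array $post): ?string
{
    // Validate the raw input. md5() of a missing or empty field is still a
    // 32-character string, so isset() on the hashed value can never fail.
    $new     = $post['newpassword'] ?? '';
    $confirm = $post['confirmnewpassword'] ?? '';
    if (!is_string($new) || !is_string($confirm) || $new === '' || $confirm === '') {
        return 'empty';
    }
    if (!hash_equals($new, $confirm)) {
        return 'mismatch';
    }
    // Assumption: a salted password_hash() replaces the post's unsalted md5().
    $hash = password_hash($new, PASSWORD_DEFAULT);
    // Bound parameters replace string interpolation into the UPDATE.
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE username = :user');
    $stmt->execute([':hash' => $hash, ':user' => $username]);
    return $stmt->rowCount() === 1 ? null : 'no-such-user';
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'old-hash')");

// Constructed form submissions, keyed like $_POST in the post.
$cases = [
    'both empty' => ['newpassword' => '', 'confirmnewpassword' => ''],
    'mismatch'   => ['newpassword' => 'abc12345', 'confirmnewpassword' => 'abc12346'],
    'missing'    => [],
    'valid'      => ['newpassword' => 'abc12345', 'confirmnewpassword' => 'abc12345'],
];
foreach ($cases as $label => $post) {
    $result = changePassword($db, 'alice', $post);
    printf("%-10s -> %s\n", $label, $result ?? 'updated');
}

// Confirm that only the valid submission changed the stored hash.
$stored = $db->query("SELECT password FROM users WHERE username = 'alice'")->fetchColumn();
var_dump(password_verify('abc12345', $stored));
```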