Home/ Questions/Q 6844485
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T00:23:03+00:00

I create a function to edit user password here the function code. function updateUser

  • 0

I create a function to edit user password here the function code.

function updateUser ()
{


    $current = md5($_POST['cpassword']);
    $new = md5($_POST['npassword']);
    $newc = md5($_POST['npasswordc']);

    $name = $_POST['username'];
    connectDB();

        $check = mysql_query("SELECT password FROM user WHERE user_name = '$name'") 

        or die(mysql_error());


            if ($check != $current) {

            ?> <div id="error">
                <?php die('Current password is wrong. Press back to try again.'); ?>
                </div> <?php

            }

        if ($new == $newc) :

            $sql = "UPDATE user SET password = '$new' WHERE user_name = '$name'";
            execute($sql);

            ?> <div id="error">
            <?php die('Password Successfully Updated. Back to <a href="/dashboard">dashboard</a>');
            ?> </div>  <?php

        else :  ?> <div id="error">
            <?php die('New Password did not match. Press back to try again');
            ?> </div>  <?php

        endif;


}

the value will be pass by the form on different page, everything seem to work fine. When I try to change password, it say successful, and when I check in the database, the md5 value is changing that mean the password was change.

But when I try to change password of same username, I still need to enter the old password for current password, even though in database it already changed?

What seem to be the problem?

Thank you

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    $check is a mysql resource, not a value. You might do

    if($check && (mysql_num_rows($check) > 0))
{
  $res = mysql_fetch_assoc($check);
  if($res['password'] != $current) {

    Be careful of SQL injections, you should do at least 

    $name = mysql_real_escape_string($_POST['username']);

    before entering it into the query.

    Also, md5 is a week hashing algorithm, I strongly suggest you use a SALT, and better hash algos like at the very least sha1() or better go for the sha2 family (sha256, sha512, for ex) or bcrypt

    • 0