I’m building a micro-site, and am having trouble with the password reset behavior.

There is a form that asks the user for their password twice. I’m not being a password nazi, and the only requirement is that the password be greater than 5 characters. On submit, the form data is added to the $_POST array and is sent to a setPass function in my site-wide php function script.

The function is

function setPass(){
    $link= connectDB();

    $query= "select * from People where Username='" . $_SESSION['name'] . "' Limit 1";
    $result= $link->query($query);

    if ($result->num_rows==0){
        $_SESSION['status']= 'invaliduser';
        header("location: ../index.php");
    } else {
        $first = $_POST['firstPass'];
        $second = $_POST['secondPass'];

        if (($first == $second) && (strlen($first) > 5)){
            $password = sha1($first);
        }
    }
}

I’m leaving out the database insertion code in this example.

My issue is that this script echo $_SESSION['name'] . " and password: " . $first; included in the page body prints out the username, but returns an unidentified variable: first warning. This also happens when I try to access the variable $password.

Earlier testing has shown that the first conditional is true, as the page is not redirected.

So what is causing the failure of execution in the else block?