Page 1 of 1
updating an MD5 password
Posted: Fri May 22, 2009 7:10 am
by ianao
Hi
I have been Googling all morning but can't find the answer I'm looking for.
I am trying to write some PHP to update a user password. Here is an extract from my code:
Code: Select all
$newpassword = md5($_POST['newpassword']);
mysql_query("UPDATE members SET password='$newpassword' WHERE email='$email'")
or die("could not execute command");
The code executes, but when I check the relevant entry in MySQL the old password remains unchanged.
Can anyone help?
Best
ianao
Re: updating an MD5 password
Posted: Fri May 22, 2009 7:22 am
by mattpointblank
The easiest way to figure out why your code isn't putting the right info in the database is to print out your SQL and see what you're sending.
Code: Select all
$newpassword = md5($_POST['newpassword']);
$query = "UPDATE members SET password='$newpassword' WHERE email='$email'";
$result = mysql_query($query) or die("could not execute command: " . mysql_error());
echo $query;
See what's coming back: maybe some of your variables aren't defined like you think they are.
Re: updating an MD5 password
Posted: Fri May 22, 2009 8:15 am
by ianao
Hi
I can see how that would be very useful if it were producing an error, but frustratingly it's not doing that. It simply will not update the password field.
Best
ianao
Re: updating an MD5 password
Posted: Fri May 22, 2009 8:25 am
by onion2k
"password" is a MySQL reserved word. Backtick your query and that won't happen. Eg
[sql]UPDATE `members` SET `password`='$newpassword' WHERE `email`='$email'[/sql]
The backtick ` is usually at the top left of your keyboard.
Alternatively, avoid calling columns and tables names that coincide with MySQL functions...
http://dev.mysql.com/doc/refman/5.1/en/ ... words.html
EDIT: Weird, "password" isn't on that list. I'm sure it's a reserved word though.
Re: updating an MD5 password
Posted: Fri May 22, 2009 9:03 am
by ianao
Hi
I've tried backticking like this, but to no avail. It's still not updating.
Code: Select all
mysql_query("UPDATE `members` SET `password`='$newpassword' WHERE `email`='$email'")
Any other thoughts would be most welcome.
Best
ianao
Re: updating an MD5 password
Posted: Fri May 22, 2009 9:09 am
by mattpointblank
ianao wrote:Hi
I can see how that would be very useful if it were producing an error, but frustratingly it's not doing that. It simply will not update the password field.
Best
ianao
It is producing an error, or at least, it's not doing what you expect. Echo out your query and double check that it's doing what you think it is doing.
Re: updating an MD5 password
Posted: Fri May 22, 2009 9:24 am
by ianao
Hi
This is the echo'd result:
Code: Select all
UPDATE members SET `password`='101186a9a44bc0354ed997696a6aefba' WHERE `email`='$email'
Just can't see what's wrong.
Ianao
Re: updating an MD5 password
Posted: Fri May 22, 2009 9:35 am
by mattpointblank
Looks to me like it's trying to find an email address of '$email'? Try using double " not single ' around email.
Re: updating an MD5 password
Posted: Fri May 22, 2009 9:40 am
by ianao
Nope.
I tried escaping the "s as well, still no luck.

Re: updating an MD5 password
Posted: Fri May 22, 2009 9:52 am
by pickle
Ya, $email isn't evaluating to your actual email address. When you run that query on the database, it probably says "Query OK, 0 rows affected" right? That'll mean your WHERE clause isn't matching anything.
Re: updating an MD5 password
Posted: Fri May 22, 2009 10:12 am
by ianao
Aha!
I tried changing the $email variable to the email string, and it worked!!
Now just got to figure out why it doesn't like the variable.
Thanks everyone and have a great weekend!
ianao
Re: updating an MD5 password
Posted: Fri May 22, 2009 10:54 am
by mattpointblank
Sounds stupid, but did you define $email anywhere? Your other variable comes from $_POST so maybe you meant to write something like $email = $_POST['email']; somewhere?
Also: do some reading on SQL injection before you insert raw $_POST data into your database.
Re: updating an MD5 password
Posted: Fri May 22, 2009 11:15 am
by ianao
Not stupid at all. The email address came about from a posting from another file, and the error was in there. All sorted now, so thanks again for the help.
Yup. Got my SQL injection killer sorted.
Best
ianao