Checking Length of MD5 in Change Password Script
Posted: Thu Aug 23, 2012 4:06 pm
So im trying to write a change password script for the user control panel for my site. My server is storing passwords in the database as unsalted md5 (i know i need to salt them but one step at a time). The script ive modified was orignally used for plaintext passwords, i've modified to to md5. The problem im having is with the character count check.. The script is counting the hashed rather than the password and im not versed enough in php to understand yet where the problem lies.. When i remove the character check, it works fine except the script allows null password hashes to be written. Anyone able to lend a noob some advice?
Code: Select all
<?php {
// check the login details of the user and stop execution if not logged in
if(!empty($_POST['username']) && !empty($_POST['password']) && !empty($_POST['password2'])) ;
$todo=$_POST['todo'];
$password=md5(mysql_real_escape_string($_POST['password']));
$password2=md5(mysql_real_escape_string($_POST['password2']));
/////////////////////////
if(isset($todo) and $todo=="change-password"){
$password=md5(mysql_real_escape_string($_POST['password']));
//Setting flags for checking
$status = "OK";
$msg="";
if ( strlen($password) < 3 or strlen($password) > 100 ){
$msg=$msg."Password must be more than 3 char legth and maximum 100 char lenght<BR>";
$status= "NOTOK";}
if ( $password <> $password2 ){
$msg=$msg."Both passwords are not matching<BR>";
$status= "NOTOK";}
if($status<>"OK"){
echo "$msg<br><center><input type='button' value='Retry' onClick='history.go(-1)'></center>";
}else{ // if all validations are passed.
if(mysql_query("update users set Password='$password' where UserID='$_SESSION[UserID]'")){
echo "Thanks <br> Your password changed successfully.";
}else{echo "Sorry <br> Failed to change password Contact Site Admin";
}
}
} else ?>
<div id="stylized" class="myform">
<form id="form" method="post" action="account.php?p=settings">
<input type="hidden" name="todo" value="change-password">
<h1>Change Password:</h1>
<p>Enter details below to change your password</p>
<label>New Password
<span class="small"></span>
</label>
<input type="password" name="password" id="password" />
<label>Re-Enter Password
<span class="small"></span>
</label>
<input type="password" name="password2" id="password2" />
<button type="submit">Change Password</button>
<div class="spacer"></div>
</form>
<?php ;
echo "</div>";
}?>