Updating password field for user [PHP]

Question

I'm currently creating a profile section that has a password change function inside of it.

It seems to work; but it doesn't update the password? Here's the section that controls the form:

if($newpass == $newpass2) {
$hashd = sha1($newpass);
$messagez = "Updated";
mysql_query("SELECT username, password FROM members WHERE username=$userhold password=$hashd LIMIT 1");
mysql_query("UPDATE members SET password=$hashd WHERE username=$userhold");
}else{
$messagez = "Incorrect Password";
}
}
?>

and here's the form section:

echo $messagez;
echo "<form action=profile.php method=POST>";
echo "OldPass:<br/> <input type=password name=oldpass placeholder=OldPass REQUIRED /><br/>";
echo "NewPass:<br/> <input type=password name=newpass placeholder=NewPassword REQUIRED /><br/>";
echo "Confirm:<br/> <input type=password name=newpass2 placeholder=ConfirmPassword REQUIRED /><br/><br/>";
echo "<input id=regbut type=submit name=submit/>&nbsp&nbsp";
echo "<input id=regbut type=reset name=reset />";
echo "</form>";

I'm using the $messagez variable to inform the user whether the password has been updated or not.

When filling the form incorrectly, it passes the $messagez "Incorrect Password". When filling the form correctly, it passes the $messagez "Updated".

But the script doesn't essentially update the password? Can anyone else see the issue?

Thanks,

you need to quote the string `$hashd` and `$userhold` in the two queries — , Feb 09 '15 at 03:09
FYI, it is good practice to put quotes around your HTML attribute values. I guess you have an aversion to quotes based on your SQL error. — John Conde, Feb 09 '15 at 03:11
Consider using [password_hash](http://php.net/manual/en/function.password-hash.php) — Machavity, Feb 09 '15 at 03:22

Updating password field for user [PHP]

0 Answers0