0

I'm not a php programmer, so I only know what I have looked up online about the md5 tag.

I am checking to see if passwords match in a PHP page. I send the password in the PHP URL and retrieve it with this code:

```php
$u_pswd = md5(trim(strip_tags($_REQUEST['pswd'])));
```

Then I run a query to get the user's password so I can check if they are the same:

```php
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] = $u_pswd) {
    // passwords match
} else {
    // passwords do not match
}
```

My problem is that it says the passwords match every time. For example, if the current password is PASSWORD and I send it a password INCORRECT, the output is:

$_pswd = 64a4e8faed1a1aa0bf8bf0fc84938d25

$urow['user_password'] = 64a4e8faed1a1aa0bf8bf0fc84938d25

Could someone help me out in solving why it is saying the passwords are the same when they are not?

MSU_Bulldog
  • Are you sure that you fetch the correct data in $_REQUEST['pswd']? – Unex Nov 20 '15 at 16:25
  • This is an incredibly insecure way of storing passwords (Google *"MD5 rainbow tables"*) - try `password_hash()` instead if you're running PHP 5.5+ : http://php.net/manual/en/function.password-hash.php – CD001 Nov 20 '15 at 16:25

2 Answers

2

Do not use "=" for comparison. "=" will assign a value and any expression "$var = $value" will be evaluated to true. Use "==" instead.

```php
if ($urow['user_password'] == $u_pswd) { ... }
```

maxhb
1

`=` is for assigning; in your code you are assigning the `$u_pswd` value to `$urow['user_password']`.

You need to compare whether those values are equal or not by using `==` to get the required result.

```php
$usql = "SELECT user_password FROM ft_users WHERE user_email = '".$u_mail."'";
$ures = mssql_query($usql);
$urow = mssql_fetch_array($ures);
if ($urow['user_password'] == $u_pswd) {

} else {

}
```

Hope it helps.

Chaitanya K
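The check from the question in a hardened form, as an added example that is not part of the original question or either answer: it combines the comparison fix from the answers with the `password_hash()` suggestion from the comments, and binds the e-mail as a query parameter instead of concatenating it. Assumptions: an in-memory SQLite database through PDO stands in for the MSSQL server, `check_login` is a hypothetical helper name, and the sample rows are constructed; the table and column names are the ones from the question.

```php
<?php
declare(strict_types=1);

// Constructed demo data: in-memory SQLite stands in for the MSSQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ft_users (user_email TEXT PRIMARY KEY, user_password TEXT)');
$ins = $pdo->prepare('INSERT INTO ft_users VALUES (?, ?)');
$ins->execute(['new@example.test', password_hash('PASSWORD', PASSWORD_DEFAULT)]);
$ins->execute(['old@example.test', md5('PASSWORD')]); // legacy row, unsalted MD5

// Hypothetical helper: true only when $password matches the stored hash.
function check_login(PDO $pdo, string $email, string $password): bool
{
    // Bound parameter instead of concatenating the e-mail into the SQL string.
    $stmt = $pdo->prepare('SELECT user_password FROM ft_users WHERE user_email = ?');
    $stmt->execute([$email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    $stored = (string) $stored;

    // Legacy MD5 row: compare (not assign) in constant time, then upgrade the hash.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $upd = $pdo->prepare('UPDATE ft_users SET user_password = ? WHERE user_email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
        return true;
    }

    // password_hash() output: password_verify() re-derives the hash and compares it.
    return password_verify($password, $stored);
}

// Try the correct and an incorrect password against both kinds of row.
foreach (['new@example.test', 'old@example.test'] as $email) {
    foreach (['PASSWORD', 'INCORRECT'] as $attempt) {
        $result = check_login($pdo, $email, $attempt) ? 'match' : 'no match';
        printf("%s / %s => %s\n", $email, $attempt, $result);
    }
}
```

In a page handler, read the password from `$_POST` rather than the URL so that it does not end up in access logs or browser history.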