PHP: Validate Current Password

Question

Hi guys I am implementing a password validation in my project.

Validate Current password in order to change a new password..

here is my query:

$res=mysql_query("SELECT * FROM users WHERE id=".$_SESSION['user']);
$userRow=mysql_fetch_array($res);
$pass = $userRow['password'];

    if(isset($_POST['update'])){
        $id = $_SESSION['user'];
        $new_pass = md5(mysql_real_escape_string($_POST['new_pass']));
        if($_POST['old_pass'] != $pass){
            ?>
                <script>alert('Wrong Old Password');</script>
             <?php
        }else if(mysql_query("UPDATE users SET password='$new_pass' WHERE id=$id")){
             ?>
                <script>alert('Password Successfully Updated');</script>
             <?php
         }else{
             ?>
               <script>alert('Failed');</script>
             <?php
         }
    }

the alert "Wrong Old Password" always popping out even though I entered the correct old password. so how to fix this?

1. Don't use `mysql_`. 2. Don't use `md5` for passwords. 3. What's the question? — Justinas, Feb 02 '16 at 12:16
Also, md5 and no salt is about the worse you can use for storing passwords. You might as well store the passwords as plain text. Search for PBKDF2 instead. — huysentruitw, Feb 02 '16 at 12:16
@DarkBee I know, that's why I added *and no salt* instead of *without salt*, but to make it clear, I've added PBKDF2. — huysentruitw, Feb 02 '16 at 12:18
Are you saving the old password as md5 ? .. if so, you cannot equal the old pass (which is not yet md5 encrypted) with the retrieved pass from database which is md5 encrypted — DTH, Feb 02 '16 at 12:20
then edit your question before you get any more negative votes. — Daniel PurPur, Feb 02 '16 at 12:21
Nice tell me if it worked .. i'd be pleased to post that as my answer for your accept ;) — DTH, Feb 02 '16 at 12:24
greate .. i have posted my answer for your accept .. with a little side note .. bare in mind that you CAN used md5, depends on the level of ambition for your project. If you aim for security (and not just some home fiddle work for fun) read the linked post :) — DTH, Feb 02 '16 at 12:29
I'll stick in using the md5 sir, :) because the project that I am doing is for demo only as an example of encrypted password — , Feb 02 '16 at 12:31

score 1 · Accepted Answer · edited May 23 '17 at 12:30

1

Are you saving the old password as md5 ? .. if so, you cannot equal the old pass (which is not yet md5 encrypted) with the retrieved pass from database which is md5 encrypted

PLease also as a side note look at this thread explaining why not to use md5

Why not to use MD5

edited May 23 '17 at 12:30

Community

1
1

answered Feb 02 '16 at 12:28

DTH

1,133
3
16
36

score 0 · Answer 2 · edited Feb 02 '16 at 12:57

0

Your old password was stored in encrypted format. Try this:

f(md5($_POST['old_pass']) != $pass)

edited Feb 02 '16 at 12:57

Muhammad Muazzam

2,810
6
33
62

answered Feb 02 '16 at 12:33

Yuvaraj R

1
2

PHP: Validate Current Password

2 Answers2