Hey guys, I am creating a form that allows a logged in user to enter a new password for their, account, I already have the query set up to update the password, but in my form I have the first input set to take the existing password, which must match the existing value of password in the database before the update will be performed. I cannot figure out how to do this check, the whole thing must be done with one POST submit. Check the entered password matches the one currently in the database and if it matches then updates the current value to that of the passwordnew value. here is my form:


	<legend>Change Password</legend>

	<form action="changepass.php" method="POST">
			<label>Current Password :</label>
			<input type="password" name="password" /><br />
			<label>New Password :</label>
			<input type="password" name="passwordnew" /><br/>
			<label>Repeat New Password :</label>
			<input type="password" name="passwordnewRepeat" /><br/>
			<input class="signbutt" type="submit" value="Save"/><br />



here is the SQL i have for the password update:

$userid = $_SESSION['userID'];

		$password_hash = md5($passwordnew); 	
			if ($password)
				$sql = "UPDATE cryptuser  SET password='" . $password_hash."'  WHERE userID ='" . $userid ."' ";	
				//Check SQL Query		
				$stmt = sqlsrv_query( $conn, $sql,array(), array( "Scrollable" => SQLSRV_CURSOR_KEYSET ));
					die('An error has occured with your registration. If this is an indeliberate occurance, 
						 please report this to us through the contact us page with details of the error.');
				echo'Your password was changed';

I have a third input which I will later use JavaScript to compare the new password with a re-enter.

If anyone can help me figure out how to do this that would be great!


Member Avatar


check new passwords match each other, if so:
do a select on user_id
retrieve the password
check the retrieved password against the hashed current password from the form.
if all ok
update on user_id

that ok?

alternatively, you could do a straight update, but it's not as secure:

"UPDATE ... WHERE user_id = $user_id AND pw = '$hashpass'";
check update has happened with mysql_insert_id()
if not - wrong pw