Change Password with PHP, where to put the code?

ok i got this peculiar error, i created a user registration panel with php which works fine & users can log in bt the changepassword.php is getting on my nerves, YES users can chnge their passwords but my code for PASSWORD MUST BE WITHIN 6-25 CHARACTERS is not working, I dunno if I have put the code in the wrong place, would you please check it out, whenever i put a new password, whether its less than 6 or greater than 6 or 25, its always showing “Password must be within 6-25”. & yeah if i remove the code user can register with any length of code. HELP please!

I’ve marked out the code below!

<?php




session_start();


$user = $_SESSION['username'];

if ($user)

{

//user is logged in

		if ($_POST['submit'])
		{
		//check fields
		
		$oldpassword = md5($_POST['oldpassword']);
		$newpassword = md5($_POST['newpassword']);
		$repeatnewpassword = md5($_POST['repeatnewpassword']);
		
		//check pass against db
		$connect = mysql_connect("localhost","root","");
		mysql_select_db("phplogin");
		
		$queryget = mysql_query("SELECT password FROM users WHERE username='$user'") or die("Query didn't work");
		$row = mysql_fetch_assoc($queryget);
		
		$oldpassworddb = $row['password'];
		
			
		
		//check pass
		if ($oldpassword==$oldpassworddb)
		{
		
		
		
		//check twonew pass
		if ($newpassword==$repeatnewpassword)
		{
		//success
		//change pass in db
	
		 if (strlen($newpassword)>25||strlen($newpassword)<6)   <---------------Here is the code
		{
		 echo "Password must be betwwen 6 & 25";
		}

		else
		{
		
				$querychange = mysql_query("
				UPDATE users SET password='$newpassword' WHERE username='$user'
				");
				
				session_destroy();
				die("Your pass has benn changed.<a href='index.php'>Return</a> to the main page");
		
		
		
		
		
		}
		}
		else
				die("New Pass don't match");
				
	
		
		
		
		}
		else
			die("Old Pass doesn't match");
		
		
			
		
		
		
		}
		
		else
		{
		echo "
		
		<form action='changepassword.php' method='POST'>
			Old password:    <input type='text' name='oldpassword'><p>
			New password:	<input type='password' name='newpassword'><p><br>
			Repeat new password:	<input type='password' name='repeatnewpassword'><p>
			<input type='submit' name='submit' value='Change Password'>
		
		</form>
		
		";

}		

}


		else
		   die("You must be logged in to change your password");







?>

Hello,

you make a hash from your password here:

$newpassword = md5($_POST['newpassword']);

And then you use this code:

if (strlen($newpassword)>25||strlen($newpassword)<6) {
    echo "Password must be betwwen 6 & 25";
}

Md5 hash is always longer then 25 characters, that is why you always run into the message “Password must be between 6 & 25”.

Some advice. Remove the max limitation. Just remove it. When it comes to passwords do not limit what characters are supplied or the length. A minimum length is fine but not a maximum.

deleted my post already answered

salt your passwords. Otherwise you’re vulnerable to rainbow table attacks.

I think you should be thinking more along the lines of something like this:

if ($newpassword==$repeatnewpassword)
{
if (strlen($newpassword) > 25 || strlen($newpassword) < 6)
{
echo “Password must be betwwen 6 & 25”;
exit();
}

if ($newpassword !=="")
{
$querychange = mysql_query("
UPDATE users SET password='$newpassword' WHERE username='$user'
");
if (!mysql_query($querychange ))
{
	echo "There was an error in updating your password...";
	exit();
}
         
session_destroy();
die("Your pass has benn changed.&lt;a href='index.php'&gt;Return&lt;/a&gt; to the main page");

}

}

As your application will end if the criteria are not met, there is no need to the added else, you are basically creating an unneccessary complication in that.

You would ideally handle something like this by checking all of the input, then if this is all in order, proceed, first by cleaning the input, then whatever else you have in mind.

logic_earth also presents a point, one i think i need to think about myself… But if you are creating a hash of the password using md5, it is 32 characters long, so no matter how many characters are entered… There will not be any change in the volume of data stored in your database… If that is how you are thinking. Generally though, this would be used to limit the input in cases of sql/script injection… But then again this is what the cleaning i mentioned previously should be for.

So does Mr. Morris, here is an example:

$password = md5($_POST[‘password’] . ‘blah’);