Reputation: 69
When I tried to update/change the password it says that my current password is wrong.
I use md5 to encrypt the password but I don't know how to update the encrypted password using jQuery and Ajax.
This is the jQuery code that I'm using:
jQuery("#change_password").submit(function (e) {
    e.preventDefault();
    var password = jQuery('#password').val();
    var current_password = jQuery('#current_password').val();
    var new_password = jQuery('#new_password').val();
    var retype_password = jQuery('#retype_password').val();
    // compares two form fields in the browser; nothing is checked against the database here
    if (password != current_password) {
        $.jGrowl("Password does not match with your current password ", {
            header: 'Change Password Failed'
        });
    } else if (new_password != retype_password) {
        $.jGrowl("Password does not match with your new password ", {
            header: 'Change Password Failed'
        });
    } else if ((password == current_password) && (new_password == retype_password)) {
        // send the whole form to the PHP script below
        var formData = jQuery(this).serialize();
        $.ajax({
            type: "POST",
            url: "update_password_mahasiswa.php",
            data: formData,
            success: function (html) {
                $.jGrowl("Your password is successfully change", {
                    header: 'Change Password Success'
                });
                var delay = 2000;
                setTimeout(function () {
                    window.location = 'dashboard_mahasiswa.php'
                }, delay);
            }
        });
    }
});
PHP code for updating the password:
<?php
include('dbcon.php');
include('session.php');
$new_password = $_POST['new_password'];
$new_password = md5($new_password);
mysql_query("update mahasiswa set password = '$new_password' where mahasiswa_id = '$session_id'")or die(mysql_error());
?>
Upvotes: 1
Views: 707
Reputation: 581
I would recommend you to use mysqli_query() with prepared statements. To avoid SQL injection you have to use prepared statements.
$mysqli = new mysqli("example.com", "user", "password", "database");
if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
}
/* Prepared statement, stage 1: prepare */
$stmt = $mysqli->prepare("update mahasiswa set password = ? where mahasiswa_id = ?");
// password_hash() requires the algorithm as its second argument
$new_password = password_hash($_POST['new_password'], PASSWORD_DEFAULT);
// "si": first parameter is a string, second is an integer
$stmt->bind_param("si", $new_password, $session_id);
$stmt->execute();
if($stmt->affected_rows === 0) exit('No rows updated');
$stmt->close();
A simple example which uses mysqli_query() instead of mysql_query().
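//$con must contain your database connection
//eg: $con = mysqli_connect("localhost","my_user","my_password","my_db");
// password_hash() requires the algorithm as its second argument
$new_password = password_hash($_POST['new_password'], PASSWORD_DEFAULT);
// the hash is a string value: quote and escape it; the id is cast to an integer
$my_query = "update mahasiswa set password = '".mysqli_real_escape_string($con, $new_password)."' where mahasiswa_id = ".(int)$session_id;
if(mysqli_query($con,$my_query)){
    //database updated successfully
} else {
    //failure
}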
If you are working with mysql_query() then
// if your db connection is valid then
if(mysql_query($my_query)){
    //database updated successfully
} else {
    //failure
}
Upvotes: 0
Reputation: 23858
Try to use the following functions when you do hashing against your passwords:
password_hash()
password_verify()
password_needs_rehash()
password_get_info()
These are pretty handy if you want to do it the standard way. Here is an article about it.
As for updating your new password, it is the same as any standard update query.
UPDATE table_name SET column1=value, column2=value2,... WHERE some_column=some_value
Here is more info.
Upvotes: 1
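An added example, not code from the question or from any answer above: the current-password check done on the server with password_verify() instead of in the browser, accepting rows that still hold the old MD5 digest and rewriting them with password_hash() through a prepared statement. The table and column names are the question's; the change_password() function, the PDO in-memory SQLite connection (used so the script runs without a MySQL server) and the sample row are assumptions made for the example.

```php
<?php
// Added example. Table/column names follow the question; the function name,
// the in-memory SQLite database and the sample row are constructed.
function change_password(PDO $db, int $id, string $current, string $new, string $retype): string
{
    if ($new === '' || $new !== $retype) {
        return 'New passwords do not match';
    }
    $stmt = $db->prepare('SELECT password FROM mahasiswa WHERE mahasiswa_id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return 'Unknown user';
    }
    // Rows written by the old code hold a 32-character hex MD5 digest;
    // anything else is treated as a password_hash() value.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($current))
        : password_verify($current, $stored);
    if (!$ok) {
        return 'Current password is wrong';
    }
    // Always store the new password with password_hash(), never MD5.
    $upd = $db->prepare('UPDATE mahasiswa SET password = ? WHERE mahasiswa_id = ?');
    $upd->execute([password_hash($new, PASSWORD_DEFAULT), $id]);
    return $upd->rowCount() === 1 ? 'Password changed' : 'No rows updated';
}

// Constructed demo data: one user whose password is still stored as MD5.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mahasiswa (mahasiswa_id INTEGER PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO mahasiswa VALUES (?, ?)')->execute([1, md5('old-secret')]);

// In the real page $id would be the logged-in user's id from the session.
echo change_password($db, 1, 'wrong-guess', 'N3w-secret', 'N3w-secret'), PHP_EOL;
echo change_password($db, 1, 'old-secret', 'N3w-secret', 'N3w-secret'), PHP_EOL;
echo change_password($db, 1, 'N3w-secret', 'another-1', 'another-1'), PHP_EOL;
```

With MySQL the password column has to hold at least 60 characters (the PHP manual suggests 255); a column sized for the 32-character MD5 digest would truncate the new hash.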