On my user info update form, i let users update the pass along with other things. If they don't want to update the password in the form, they leave it blank, as in the field is left empty. On the process page, if the field is blank i insert their existing password from the db (its md5) and if they changed it i want the new password in. Below is what i am using to try and accomplish that, but it is double md5-ing no matter what:
if (!get_magic_quotes_gpc()) {
$newpass = mysql_escape_string($_POST['password']);
$newpass = md5($_POST['password']);
}
// If $dob is empty
if (empty($newpass)) {
$newpass = "$passis"; //$passis = the password stored in db which is md5
}
Just a little reworking of your code:
$newpass = $_POST['password'];
if (!get_magic_quotes_gpc()) {
$newpass = mysql_escape_string($newpass);
}
if(empty($newpass)) {
$newpass = "$passis"; //$passis = existing md5'd password already stored in db
}
else {
$newpass = md5($newpass); //$newpass = newly provided password needs to be md5'd before updating db
}
$newpass will never be empty because md5 converts the empty string to a hash. So this condition will not work: if (empty($newpass)) {
Instead you have to do
if (empty($_POST['password'])) {
UPDATE
if (!get_magic_quotes_gpc()) {
$newpass = mysql_escape_string($_POST['password']);
$newpass = md5($_POST['password']);
}
// If $dob is empty
if (empty($_POST['password'])) {
$newpass = "$passis"; //$passis = the password stored in db which is md5
}
You code is strange because it performes md5 only if the magic_quotes_gpc directive is set.
Another think is that the md5 of the empty string is not the empty string.
Here is a code that should work nicer:
$newpass = isset($_POST['password']) ? $_POST['password'] : '';
if ($newpass=='') {
$newpass = $passis; // $passis = the password stored in db which is md5
} else {
if (get_magic_quotes_gpc()) $newpass = stripslashes($newpass); // take off slashes added by PHP if any
$newpass = md5($newpass);
}