Msg#: 3290 posted 11:09 am on Mar 24, 2004 (gmt 0)
The form could store the user-password string in a variable, which you could then encode using the MD5 function [php.net] before altering it in the database, and then compare them as you already must do when users log in. Or am I missing something obvious? :\
Msg#: 3290 posted 11:27 am on Mar 24, 2004 (gmt 0)
That shouldn't be a problem.
Just make sure that the person changing the password is actually the user who owns the account!
Can be done in 2 ways in my opinion:
1. User also enters old password for verification.
2. User also enters some verification-code he got sent via email.
Note that point 2 you can also accomplish by using the ability to give them an auto-generated password (which you already have). Users can then use point 1 using that generated password to effectively get point 2 :).
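
Option 1 from the reply above (re-enter the current password before a change is accepted), as an added example that is not part of the original thread. The function names and the in-memory `$users` array are hypothetical stand-ins for the real table; it assumes PHP 5.6 or later, accepts the MD5 rows the thread describes for the old-password check, and stores the new password with `password_hash()` instead of `md5()`.

```php
<?php
// Constructed sample data standing in for the users table (hypothetical).
$users = [
    'alice' => ['hash' => md5('old-secret')],   // legacy unsalted MD5 row, as in the thread
];

// Check a submitted password against a stored hash, accepting legacy MD5 rows.
function verify_stored(string $password, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy MD5 hex digest: compare in constant time.
        return hash_equals($stored, md5($password));
    }
    // Anything else is treated as a password_hash() string.
    return password_verify($password, $stored);
}

// Change a password only when the caller proves knowledge of the current one.
// $user is assumed to come from the authenticated session, never from a form field.
function change_password(array &$users, string $user, string $old, string $new): bool
{
    if (!isset($users[$user]) || !verify_stored($old, $users[$user]['hash'])) {
        return false;   // unknown account or wrong current password
    }
    if ($new === '' || $new === $old) {
        return false;   // reject empty or unchanged passwords
    }
    // Store the new password with a salted, adaptive hash instead of MD5.
    $users[$user]['hash'] = password_hash($new, PASSWORD_DEFAULT);
    return true;
}

// Wrong current password: the change is refused and the stored hash is untouched.
var_dump(change_password($users, 'alice', 'wrong-guess', 'n3w-passphrase'));

// Correct current password: the change is applied and the row is upgraded.
var_dump(change_password($users, 'alice', 'old-secret', 'n3w-passphrase'));

// After the change, only the new password verifies.
var_dump(verify_stored('n3w-passphrase', $users['alice']['hash']));
var_dump(verify_stored('old-secret', $users['alice']['hash']));
```

The same `change_password()` call covers the auto-generated password route: the emailed password is simply the value the user supplies as `$old`.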