From 7d6450706f63646a90995ec4e2662a83aac4289e Mon Sep 17 00:00:00 2001
From: Thomas Hooge
Date: Thu, 23 Feb 2023 12:30:11 +0100
Subject: [PATCH] Fix password change code
---
 submit.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/submit.php b/submit.php
index e944ba6..05cc260 100644
--- a/submit.php
+++ b/submit.php
@@ -953,12 +953,13 @@ if (isset($_POST['edit'])) {
 $user = $db->db_select($query);
- if(!strcmp(md5($user_currentpass), $user[0]['user_pass'])) {
+ if (password_verify($user_currentpass, $user[0]['user_pass'])) {
 if(!strcmp($user_newpass1, $user_newpass2)) {
+ $newhash = password_hash($user_newpass1, PASSWORD_BCRYPT);
 $query = "UPDATE user SET
- user_pass='" . md5($user_newpass1) . "'
+ user_pass='" . $newhash . "'
 WHERE user_id=" . $user_id;
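Review bot: The `UPDATE` statement is still assembled by string concatenation, and `$user_id` is appended unquoted at `WHERE user_id=" . $user_id;`; its origin is outside the hunk, so if the request can influence it the query stays injectable even though the bcrypt string itself contains no quote characters. If the `$db` wrapper offers no prepared-statement call, cast at the point of use: `WHERE user_id=" . (int) $user_id;`. Separately, `password_verify()` returns false for any row that still holds a legacy MD5 digest, so those accounts cannot change their password here unless hashes are migrated elsewhere (for example rehashed at login), and the `user_pass` column has to be wide enough for the 60-character bcrypt output, which this one-file commit does not show. `PASSWORD_DEFAULT` in place of `PASSWORD_BCRYPT` would let the algorithm be upgraded later via `password_needs_rehash()`. The enclosing `if (isset($_POST['edit']))` block starts and ends outside the hunk, and the call that executes `$query` is not visible.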