
php check current password error

For some reason this code is not checking the current password with the database but it does correctly change the password. It is also able to connect to my database. It can also check if the new password is the same as confirm new password. This is the php being run, what could be wrong with this:

<?php if(!defined('INCLUDE_CHECK')) header("Location: index.php"); ?>

<?php

/* irrelevant parts omitted */

if($_POST['submit']=='Change Password')
{
    // Checking whether the Change Password form has been submitted

    $err = array();
    // Will hold our errors


    if(!$_POST['password'] || !$_POST['newpassword'] || !$_POST['confirmpassword'])
        $err[] = 'All the fields must be filled in!';

    if(!count($err))
    {

        if($_POST['password'] != /* something should be here but i don't know what */)
            $err[] = 'Current password is incorrect!';

        if($_POST['newpassword'] != $_POST['confirmpassword'])
            $err[] = 'New passwords do not match!';

        if(!count($err))
        {           

            $pass = $_POST['confirmpassword'];

            mysql_query(
                            "UPDATE members 
                            SET pass='".md5($pass)."' 
                            WHERE id='{$_SESSION['id']}'"
                        );

            $_SESSION['msg']['change-password-success']='Success your password has been changed!';

        }       
    }

    if($err)
    $_SESSION['msg']['change-password-err'] = implode('<br />',$err);
    // Save the error messages in the session

    header("Location: change-password.php");
    exit;
}
?>

For some reason this code is not checking the current password with the database but it does correctly change the password.

...is this actually your code? Or have you worded your question poorly?

if($_POST['password'] != /* something should be here but i don't know what */)

Because there is the reason why it is not checking the password...

Also:

It is also able to connect to my database and check if the new password is the same as confirm new password.

No it is not - it is just checking the password against the other field the user typed - it has not checked anything against the database:

if($_POST['newpassword'] != $_POST['confirmpassword'])
        $err[] = 'New passwords do not match!';

Well, as far as I can see, there isn't anywhere in your script where you call the database to check against existing records...

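// Fetch the stored row for the logged-in member
$query = mysql_query("SELECT * FROM members WHERE id='{$_SESSION['id']}'");
$data = mysql_fetch_assoc($query);
// Compare the stored MD5 hash with the MD5 of the submitted new password
if($data['pass'] == md5($_POST['confirmpassword'])){
    echo "Old and new password matches";
}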
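
Added example, not code from the question or either answer: one way to fill in the missing current-password check, using PDO prepared statements and password_hash()/password_verify() in place of the mysql_* functions (removed in PHP 7.0) and bare md5(). The function names change_password and stored_password_matches are hypothetical, and the members(id, pass) table is assumed to match the question's; an in-memory SQLite database with constructed data keeps it runnable offline.

```php
<?php
// Hypothetical helpers for illustration. Assumes members(id, pass) as in the
// question; in-memory SQLite via PDO and constructed sample data.
function stored_password_matches(string $stored, string $supplied): bool
{
    // Legacy rows hold a bare 32-character MD5 hex digest, as the question's code wrote.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        return hash_equals($stored, md5($supplied));
    }
    return password_verify($supplied, $stored);
}

function change_password(PDO $db, int $id, string $current, string $new, string $confirm): array
{
    if ($current === '' || $new === '' || $confirm === '') {
        return ['All the fields must be filled in!'];
    }
    $err = [];
    // Load the stored hash for the logged-in member through a bound parameter.
    $stmt = $db->prepare('SELECT pass FROM members WHERE id = ?');
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored) || !stored_password_matches($stored, $current)) {
        $err[] = 'Current password is incorrect!';
    }
    if ($new !== $confirm) {
        $err[] = 'New passwords do not match!';
    }
    if (!$err) {
        // Store a salted, slow hash; this also upgrades a legacy MD5 row.
        $upd = $db->prepare('UPDATE members SET pass = ? WHERE id = ?');
        $upd->execute([password_hash($new, PASSWORD_DEFAULT), $id]);
    }
    return $err;
}

// Constructed demo data: member 1 still has a legacy MD5 hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, pass TEXT)');
$db->prepare('INSERT INTO members (id, pass) VALUES (1, ?)')->execute([md5('old-secret')]);

print_r(change_password($db, 1, 'wrong-guess', 'n3w-secret', 'n3w-secret')); // wrong current password
print_r(change_password($db, 1, 'old-secret', 'n3w-secret', 'n3w-secret'));  // correct current password
print_r(change_password($db, 1, 'old-secret', 'another', 'another'));        // old password after the change
```

In the question's handler, `$id` would come from `$_SESSION['id']` and the returned array would be stored in `$_SESSION['msg']['change-password-err']` as before.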
