
Not matching md5 passwords

I'm using a jQuery datagrid plugin to make an easy tool to edit my Users table in the admin area of a site. I store the passwords as md5() when the user registers. Whenever I attempt to update the table, it is rehashing the password, thus making it unusable. I've tried several methods of verifying the password is the same as the one in the database, but none of them seem to be working.

Here is my update code:

PHP

<?php
require_once("../class/TimeClock.class.php");

$tc = new TimeClock();
$id = $_POST['id'];
$username = $_POST['username'];
$password = $_POST['password'];
$email = $_POST['email'];
$active = $_POST['active'];
$role = $_POST['role'];
$emp_id = $_POST['emp_id'];

if($tc->validatePass($id, $password)) {
    try {
        $tc->connect();
        $query = $tc->dbh->prepare("UPDATE us_users SET username=:username,email=:email,active=:active,role=:role,emp_id=:emp_id WHERE id=:id");
        $query->execute(array(':username' => $username, ':email' => $email, ':active' => $active, ':role' => $role, ':emp_id' => $emp_id, ':id' => $id));
        $tc->close();
    } catch (PDOException $e) {
        throw new Exception('Something bad happened' . $e->getMessage());
    }
} else {
    try {
        $password = md5($password);
        $tc->connect();
        $query = $tc->dbh->prepare("UPDATE us_users SET username=:username,password=:password,email=:email,active=:active,role=:role,emp_id=:emp_id WHERE id=:id");
        $query->execute(array(':username' => $username, ':password' => $password, ':email' => $email, ':active' => $active, ':role' => $role, ':emp_id' => $emp_id, ':id' => $id));
        $tc->close();
    } catch (PDOException $e) {
        throw new Exception('Something bad happened' . $e->getMessage());
    }
}

echo json_encode(array(
'id' => $id,
'username' => $username,
'password' => $password,
'email' => $email,
'active' => $active,
'role' => $role,
'emp_id' => $emp_id
));
?> 

My validatePass() function:

PHP

function validatePass($id, $pass) {
    try {
        $this->connect();
        $result = $this->dbh->prepare("SELECT username, password FROM us_users WHERE id=:id");
        $result->execute(array(':id' => $id));
        $userObj = $result->fetch(PDO::FETCH_ASSOC);
        // Close here: a close() placed after the return statements never runs.
        $this->close();
    } catch (PDOException $e) {
        // A die() after this throw would be unreachable, so it is dropped.
        throw new Exception('Something bad happened' . $e->getMessage());
    }
    // Compares the submitted value with the stored hash as-is.
    if($pass == $userObj['password']) {
        return true;
    } else {
        return false;
    }
}

I know that the mysql_ code is outdated; however, when I try to use PDO it throws errors. I think it is related to the component or something.

Thank you for any assistance you can provide.

EDIT: Changed the function to pure PDO, and here is an image of the datagrid so you see that the passwords are stored as a hash, and, unless changed, should be passed to the update script as a match to what is in the database.

http://www.bolinconstruction.com/timeclock/datagrid.png

In your validatePass() function, you must hash the password before comparing:

if(md5($pass) == $userObj['password']) {
    return true;
} else {
    return false;
}

You could do the same in your query

select id
from us_users
where username = :username and password = :password

and then

$result->execute(array(':username' => $username, ':password' => md5($password)));

and test for number of rows > 0.

The answer was actually simple after I thought it through. In the initial code, I was polling the database for the password of the username that was submitted with the form. If the username was changed, then of course the query would fail, and thus change the password. By setting it up to poll the database based on ID instead, the problem seems to have corrected itself. Thank you all for your help, I never would have figured this out without you guys.
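
One way to structure the update so that an unchanged password field is never rehashed, as an added example that is not code from the question or the answers. It assumes an in-memory SQLite table shaped like us_users with constructed rows, uses the hypothetical helpers passwordForUpdate() and updateUser(), and swaps md5() for PHP's password_hash()/password_verify().

```php
<?php
// Added example (not from the thread). SQLite in-memory table and rows are constructed.

// Returns the hash to write, or null when the password column must stay untouched.
function passwordForUpdate(string $submitted, string $storedHash): ?string {
    // Empty field, or the grid posted the stored hash back unchanged: no change.
    if ($submitted === '' || hash_equals($storedHash, $submitted)) {
        return null;
    }
    // Otherwise it is a new plaintext password. password_hash() is swapped in
    // for md5() here: salted and deliberately slow.
    return password_hash($submitted, PASSWORD_DEFAULT);
}

// Hypothetical helper: updates one user, keyed on id as the asker's final fix does.
function updateUser(PDO $dbh, int $id, string $username, string $submitted): void {
    $stmt = $dbh->prepare('SELECT password FROM us_users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        throw new RuntimeException("No user with id $id");
    }
    $set = ['username = :username'];
    $params = [':username' => $username, ':id' => $id];
    $newHash = passwordForUpdate($submitted, $stored);
    if ($newHash !== null) {
        $set[] = 'password = :password';
        $params[':password'] = $newHash;
    }
    $sql = 'UPDATE us_users SET ' . implode(', ', $set) . ' WHERE id = :id';
    $dbh->prepare($sql)->execute($params);
}

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE us_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$old = password_hash('constructed-old-pass', PASSWORD_DEFAULT);
$dbh->prepare('INSERT INTO us_users VALUES (1, :u, :p)')->execute([':u' => 'alice', ':p' => $old]);

// Rename only: the grid echoes the stored hash, so the password must not change.
updateUser($dbh, 1, 'alice2', $old);
$row = $dbh->query('SELECT username, password FROM us_users WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
var_dump($row['username'] === 'alice2' && $row['password'] === $old);

// Real change: a new value is hashed once and verifies afterwards.
updateUser($dbh, 1, 'alice2', 'constructed-new-pass');
$hash = $dbh->query('SELECT password FROM us_users WHERE id = 1')->fetchColumn();
var_dump(password_verify('constructed-new-pass', $hash) && $hash !== $old);
```

Leaving the password column out of the grid and treating an empty field as "no change" keeps the hashes from being sent to the browser at all.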
