Hey All,
I have built a website using PHP and MySQL where users have to log in to use the site. I'm now trying to create a page on the site where logged-in users can change their password if they need/want to. I thought this would be fairly easy and straightforward, but I'm having a ton of issues. I've never been formally trained in PHP and MySQL; I've just picked up stuff along the way throughout the years, so when I get into advanced stuff I start to struggle.
I'm using MD5 hashing for the passwords right now. I already know this isn't the most secure method but since I'm familiar with it I'm just going to go with it for now. I'll worry about changing the hashing later.
Anyway, the PHP code lives on the same page as the form. The HTML portion of the form has the following fields:
Current Password (id="cur_password")
New Password (id="password1")
Confirm New Password (id="password2")
Within the script I'm trying to verify that the Current Password and the password in the database match, but because of the MD5 I'm not exactly sure how to do this. Here is what I have so far:
// Load the stored (MD5) hash for the logged-in user.
$sql = "SELECT * FROM users WHERE username='$log_username'";
$query = mysqli_query($db_conx, $sql);
while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
    $username = $row['username'];
    $password = $row['password'];
}
// Hash the submitted values so they can be compared with the stored hash.
$cur_password = md5($_POST['cur_password']);
$password1 = md5($_POST['password1']);
$password2 = md5($_POST['password2']);
if (empty($_POST['cur_password'])) {
    echo "Fill out all fields.";
} else if ($cur_password !== $password) {
    // Strict comparison: "!=" can treat numeric-looking hashes as equal.
    echo "There was a problem. Wrong Password.";
} else if ($password1 !== $password2) {
    echo "Passwords don't match.";
} else {
    // $password1 is already an MD5 hash, so store it as is (no second MD5()).
    $sql = "UPDATE users SET password = '$password1' WHERE username='$log_username' LIMIT 1";
    $query = mysqli_query($db_conx, $sql);
    echo "Success! Password has been changed.";
}
When I test I keep getting the "Fill out all fields." message even though I submitted the form and none of the fields were blank. If I take the "empty" statement out I just keep getting the "There was a problem. Wrong Password." message which should happen only if the current password typed in and the current password in the database don't match. I know that I'm putting in the correct matching password.
Anyway, any help you could give would be greatly appreciated.
Thanks so much.
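An added example, not part of the original post: the same three checks written as functions, going one step beyond the post by accepting a legacy MD5 digest for the current password and returning a `password_hash()` value for the new one, so the hashing is upgraded at the moment a user changes their password. The function names are hypothetical, and it assumes the form fields carry `name` attributes matching the ids listed above (PHP fills `$_POST` from `name`, not `id`) and the `users` table and columns shown in the post.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

// True if $input matches $stored, whether $stored is a legacy MD5 hex
// digest (32 hex characters) or a password_hash() string.
function verify_stored(string $input, string $stored): bool
{
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        // Constant-time, string-only comparison: avoids the loose "!="
        // pitfall with digests that look numeric (e.g. "0e1234...").
        return hash_equals(strtolower($stored), md5($input));
    }
    return password_verify($input, $stored);
}

// Validates the three form values against the stored hash.
// Returns [true, newHash] on success or [false, message] on failure.
function check_password_change(array $post, string $stored): array
{
    $cur = $post['cur_password'] ?? '';
    $new = $post['password1'] ?? '';
    $confirm = $post['password2'] ?? '';
    if ($cur === '' || $new === '' || $confirm === '') {
        return [false, 'Fill out all fields.'];
    }
    if (!verify_stored($cur, $stored)) {
        return [false, 'There was a problem. Wrong Password.'];
    }
    if ($new !== $confirm) { // compare the plaintext inputs, not their hashes
        return [false, "Passwords don't match."];
    }
    return [true, password_hash($new, PASSWORD_DEFAULT)];
}

// Stores the new hash with bound parameters instead of string interpolation.
function store_password(mysqli $db, string $username, string $hash): bool
{
    $stmt = mysqli_prepare($db, 'UPDATE users SET password = ? WHERE username = ? LIMIT 1');
    mysqli_stmt_bind_param($stmt, 'ss', $hash, $username);
    return mysqli_stmt_execute($stmt);
}

// Constructed sample: a legacy row holding md5("old-secret").
$stored = md5('old-secret');
$post = ['cur_password' => 'old-secret', 'password1' => 'n3w-Secret!', 'password2' => 'n3w-Secret!'];
[$ok, $result] = check_password_change($post, $stored);
var_dump($ok, verify_stored('n3w-Secret!', $result)); // success path, new hash verifies
var_dump(check_password_change([], $stored)[1]);      // message when $_POST arrives empty
```

The `password` column has to be wide enough for `password_hash()` output; the PHP manual recommends 255 characters.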