密码更改脚本

Okay so I'm trying to make a password change script and I get some errors so where am I wrong? This is my form document:

<?php
include_once('php_includes/check_login_status.php');
include_once('php_includes/db_conx.php');
if(isset($_SESSION["username"])){
echo "";

}
else {
header("location:login.php");
}
?>

<html>
<head>
<title>Password Change</title>
</head>
<body>
<div id="form">
<form method="POST" id="form1" action="password_system.php"> 
<p>Current password: &nbsp; <input type="password" id="curpass" /> </p>
<p>New password: &nbsp; <input type="password" id="newpass" /> </p>
<p>Confirm new password: &nbsp; <input type="password" id="conpass" /> </p>
<input type="submit" value="Submit">
</form></div>
</body>
</html>

and this is updated password_system.php (the action script):

    <?php
include_once('php_includes/check_login_status.php');
include_once('php_includes/db_conx.php');
if(isset($_SESSION["username"])){
echo "";

}
else {
header("location:login.php");
}
$sql = "SELECT password FROM users WHERE username='$log_username'";
$query = mysqli_query($db_conx, $sql);
$numrows = mysqli_num_rows($query); 
while ($row = $query->fetch_assoc()) {
   $dbpass = $row['password'];
}
$query->free();
$curpass = md5($_POST['curpass']);
$newpass = $_POST['newpass'];
$conpass = $_POST['conpass'];
if ($newpass != $conpass) {
echo "Your passwords don't match!";
exit();
} else {
echo "Ohkay";
$newpas = true;
$newpassmd5ed = md5($newpass);
}
if ($curpass != $dbpass) {
echo "Your current password is incorrent!";
exit();
} else {
echo "Okay";
$curok = true;
}
if ($curok and $newpas == true) {
$sql = "UPDATE users
SET password = '$newpassmd5ed' 
WHERE username= '$log_username'";
$query = mysqli_query($db_conx, $sql);
}
?>

I now get this:

OhkayYour current password is incorrent!

check_login_status.php

<?php
session_start();
include_once("db_conx.php");
// Files that inculde this file at the very top would NOT require 
// connection to database or session_start(), be careful.
// Initialize some vars
$user_ok = false;
$log_id = "";
$log_username = "";
$log_password = "";
// User Verify function
function evalLoggedUser($conx,$id,$u,$p){
    $sql = "SELECT ip FROM users WHERE id='$id' AND username='$u' AND password='$p' AND activated='1' LIMIT 1";
    $query = mysqli_query($conx, $sql);
    $numrows = mysqli_num_rows($query);
    if($numrows > 0){
        return true;
    }
}
if(isset($_SESSION["userid"]) && isset($_SESSION["username"]) && isset($_SESSION["password"])) {
    $log_id = preg_replace('#[^0-9]#', '', $_SESSION['userid']);
    $log_username = preg_replace('#[^a-z0-9]#i', '', $_SESSION['username']);
    $log_password = preg_replace('#[^a-z0-9]#i', '', $_SESSION['password']);
    // Verify the user
    $user_ok = evalLoggedUser($db_conx,$log_id,$log_username,$log_password);
} else if(isset($_COOKIE["id"]) && isset($_COOKIE["user"]) && isset($_COOKIE["pass"])){
    $_SESSION['userid'] = preg_replace('#[^0-9]#', '', $_COOKIE['id']);
    $_SESSION['username'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['user']);
    $_SESSION['password'] = preg_replace('#[^a-z0-9]#i', '', $_COOKIE['pass']);
    $log_id = $_SESSION['userid'];
    $log_username = $_SESSION['username'];
    $log_password = $_SESSION['password'];
    // Verify the user
    $user_ok = evalLoggedUser($db_conx,$log_id,$log_username,$log_password);
    if($user_ok == true){
        // Update their lastlogin datetime field
        $sql = "UPDATE users SET lastlogin=now() WHERE id='$log_id' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
    }
}

?>