Pass Change Script Change

01/05/2014 18:03 .Curious.#1
Code:
<?php
include('info.php');
session_start();
if(!isset($_SESSION['UserID'])){header("location:index.php");}

$opw=ms_escape_string(htmlentities($_POST["oldpw"]));
$npw=ms_escape_string(htmlentities($_POST["newpw"]));
$UserID=$_SESSION["UserID"];

$res= mssql_query("SELECT * FROM PS_UserData.dbo.Users_Master WHERE UserID='".$UserID."' AND Pw='".$opw."'");
if(mssql_num_rows($res)==0){$_SESSION["msg"]='Couldn\'t change the password. Please provide the correct old Password';}
else
{
mssql_query("UPDATE PS_UserData.dbo.Users_Master SET Pw='".$npw."' WHERE UserID='".$UserID."'");
$_SESSION["msg"]="Password changed. Please allow up to 1 minute for the changes to be made into the database.";
}
header("location:usercp.php");
?>
This script allows to enter more than 13 character long passwords that is why it seems to be changed but it does not record the characters more than 13 character length. When you try to enter it says incorrect pass.

I need to edit some lines not to allow more than 13 and less than 3 .

Like
Code:
if(mssql_num_rows($npw)< 3){$_SESSION["msg"]='New password must be between 3 and 13 characters in length.;}
else if(mssql_num_rows($npw)> 13){$_SESSION["msg"]='New password must be between 3 and 13 characters in length.';}
Thank you for your helps in advance.