Hello,
I have a login script that I created and for some weird reason when it is in plaintext it works, but as soon as I put md5() it errors out and will not let me log in at all.

<?php
session_start();
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("config.php");
if($_SERVER["REQUEST_METHOD"] == "POST")
    {
    $errmsg = '';
// username and password sent from Form
    $username=$_POST['username'];
    $password=$_POST['password'];

// To protect MySQL injection 
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);


    $md5pass = md5($password);

        if( $username == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{

        $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $count=mysql_num_rows($result);


// If result matched $username and $md5pass, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$username;

        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
    }
?>

The only error I am getting is from the login code when you come back with an error is when there is no errors at all.

after this line (27) $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";

add die($sql); and compare with what's in your database field.

Member Avatar for diafol

There are several issues here:

1) md5() is not secure, consider SHA-256
2) Always look to salt your hash
3) if($md5pass == '') this will never be '' as md5('') is d41d8cd98f00b204e9800998ecf8427e
4) mysql is pretty much dead, you should be using mysqli or PDO

The statement does not throw out an error after adding this.

ok, the last 4 digits of the code are not matching...

Its echoing: ************4b9d
in the db its: ************2b4b

the rest of the digits match....

Member Avatar for diafol

I have no idea what you changed. Your result is very odd - there shouldn't be that amount of agreement if the strings are slightly different - the hashes should be totally different.

Are you using mysql_real_escape_string() when you INSERT a new record to the users table? If you're escaping on SELECT but not on INSERT, then that may account for differences - but only is you have escapable characters in the pw.

the password I did directly from the PHPMYADMIN table. I have the real escape string up top there for the password, but only there for a formality to prevent injection. I also change it directly to reflect what is being echoed but it still will not let me log in.

I fugured out one error. In the damn table, i had the the character limit set to 30...ugh I am a dummy... bit it is still not letting me login.

I fixed it...
here is my updated code with SHA1 in it...

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
$errmsg = '';
// username and password sent from Form
    //$myusername=$_POST['username'];
    //$mypassword=$_POST['password'];

    $myusername=addslashes($_POST['username']);
    $mypassword=addslashes($_POST['password']);

// To protect MySQL injection (more detail about MySQL injection)
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);


    $shapass = sha1($mypassword);
    if( $myusername == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        /*if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{*/

        $sql="SELECT id FROM admin WHERE username='$myusername' and passcode='$shapass'";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $active=
        $count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$myusername;
        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
?>
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.