MD5 login not letting me login

Question

patk570 42 Newbie Poster

11 Years Ago

Hello,
I have a login script that I created and for some weird reason when it is in plaintext it works, but as soon as I put md5() it errors out and will not let me log in at all.

<?php
session_start();
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("config.php");
if($_SERVER["REQUEST_METHOD"] == "POST")
    {
    $errmsg = '';
// username and password sent from Form
    $username=$_POST['username'];
    $password=$_POST['password'];

// To protect MySQL injection 
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);


    $md5pass = md5($password);

        if( $username == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{

        $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $count=mysql_num_rows($result);


// If result matched $username and $md5pass, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$username;

        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
    }
?>

The only error I am getting is from the login code when you come back with an error is when there is no errors at all.

php

Edited 11 Years Ago by patk570 because: forgot snippet

3 Contributors
9 Replies
221 Views
1 Hour Discussion Span
Latest Post 11 Years Ago Latest Post by patk570

paulkd 59 Newbie Poster

11 Years Ago

after this line (27) $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";

add die($sql); and compare with what's in your database field.

diafol

11 Years Ago

There are several issues here:

1) md5() is not secure, consider SHA-256
2) Always look to salt your hash
3) if($md5pass == '') this will never be '' as md5('') is d41d8cd98f00b204e9800998ecf8427e
4) mysql is pretty much dead, you should be using mysqli or PDO

diafol

11 Years Ago

I have no idea what you changed. Your result is very odd - there shouldn't be that amount of agreement if the strings are slightly different - the hashes should be totally different.

Are you using mysql_real_escape_string() when you INSERT a new record to the users table? If you're escaping on SELECT but not on INSERT, then that may account for differences - but only is you have escapable characters in the pw.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

patk570 42 Newbie Poster · Answer 1 · 2013-09-24T22:06:05+00:00

The statement does not throw out an error after adding this.

patk570 42 Newbie Poster · Answer 2 · 2013-09-24T22:07:29+00:00

ok, the last 4 digits of the code are not matching...

patk570 42 Newbie Poster · Answer 3 · 2013-09-24T22:08:58+00:00

Its echoing: ************4b9d
in the db its: ************2b4b

the rest of the digits match....

patk570 42 Newbie Poster · Answer 4 · 2013-09-24T22:39:21+00:00

the password I did directly from the PHPMYADMIN table. I have the real escape string up top there for the password, but only there for a formality to prevent injection. I also change it directly to reflect what is being echoed but it still will not let me log in.

patk570 42 Newbie Poster · Answer 5 · 2013-09-24T22:47:14+00:00

I fugured out one error. In the damn table, i had the the character limit set to 30...ugh I am a dummy... bit it is still not letting me login.

patk570 42 Newbie Poster · Answer 6 · 2013-09-24T23:07:47+00:00

I fixed it...
here is my updated code with SHA1 in it...

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
$errmsg = '';
// username and password sent from Form
    //$myusername=$_POST['username'];
    //$mypassword=$_POST['password'];

    $myusername=addslashes($_POST['username']);
    $mypassword=addslashes($_POST['password']);

// To protect MySQL injection (more detail about MySQL injection)
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);


    $shapass = sha1($mypassword);
    if( $myusername == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        /*if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{*/

        $sql="SELECT id FROM admin WHERE username='$myusername' and passcode='$shapass'";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $active=
        $count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$myusername;
        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
?>