I have all passwords stored in my database in md5 form.

When people log in it always says Email or Password wrong; well, that's the error I added when something's wrong. I am pretty sure the email and password are right.

Here is my login code:

$passwordin= md5($_POST['passwordin']);

// To protect MySQL injection 
$emailin = stripslashes($emailin);
$passwordin = stripslashes($passwordin);
$emailin = mysql_real_escape_string($emailin);
$passwordin = mysql_real_escape_string($passwordin);

$sql="SELECT * FROM users WHERE email='$emailin' and password='$passwordin'";

// Mysql_num_row is counting table row
if(mysql_num_rows($result) > 0){
  $data = mysql_fetch_array($result);
  $_SESSION['id'] = $data['id'];
  $_SESSION['email'] = $data['email'];
} else {
  echo "Wrong Emaail or Password";
}

Maybe a daft question - is the password stored as md5 digest in the db?
Check for magic quotes before using stripslashes.
If you md5 a string, you won't need to clean it (I don't think). Perhaps cleaning it before you md5 it (check for magic quotes first etc).

The password in the db is stored as md5.

Echo the statement:

$sql="SELECT * FROM users WHERE email='$emailin' and password='$passwordin'";
echo $sql;

Copy it from the screen and paste it into the SQL box in phpmyadmin. See if it gives a result.

Can't edit last post; it echoes the email and password exactly like in the database, and still says wrong email or password.

Have you done as I suggested? Posted the output to phpmyadmin? If so, did it work and return a record?

It gave an error:

SQL query: 

$sql = "SELECT * FROM users WHERE email='$emailin' and password='$passwordin'" 

MySQL said:

md5 is used for encryption and stored as encrypted data; that is why the user enters his/her password, but while retrieving, the entered password and the stored password are not matching.

If you want to work with password encryption in your PHP / MySQL setup, you should take into account the following:

When a user registers, a password is inserted into the database. If you clean this password with for example stripslashes, like in your case, you should execute the exact same procedure when the user logs in.

In other words, in your case, if you don't strip slashes from the password when the user registers, but if you then do when he tries to login, some errors might occur ;).

So just make sure that if you alter the data that is inserted into the database when a user registers, you alter that data exactly the same way when you retrieve that info from that database. If you don't, the data won't match.

Guys here is my registration code:


   $sql = "INSERT INTO users (firstname, lastname, email, password)
    VALUES ('{$_POST['firstname']}', '{$_POST['lastname']}', '{$_POST['email']}', '$password')";
    if (!mysql_query($sql,$con))
    die('Error: ' . mysql_error());
echo "User created, Thanks for Registrating";

What should I do?

You should clean your other vars!
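
Added example (not code from any poster in this thread): one way to apply the advice above, treating the password identically at registration and login and binding every value instead of escaping only some of them. It swaps the thread's mysql_* calls and md5() for PDO prepared statements and password_hash()/password_verify(); the in-memory SQLite database (requires the pdo_sqlite extension), the sample user and the function names `register` and `login` are assumptions made so it runs offline.

```php
<?php
// Added example, not the thread's code. In-memory SQLite stands in for the
// MySQL database; the table mirrors the thread's `users` columns.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT,
    email TEXT UNIQUE, password TEXT)');

// Registration: every user-supplied value is bound, never interpolated.
function register(PDO $db, array $in): void {
    $stmt = $db->prepare('INSERT INTO users (firstname, lastname, email, password)
                          VALUES (:fn, :ln, :email, :pw)');
    $stmt->execute([
        ':fn'    => $in['firstname'],
        ':ln'    => $in['lastname'],
        ':email' => $in['email'],
        // Salted, slow hash; the raw password is passed in unmodified
        // (no stripslashes, no escaping), so login can do exactly the same.
        ':pw'    => password_hash($in['password'], PASSWORD_DEFAULT),
    ]);
}

// Login: fetch the row by email only, then verify the hash in PHP.
// Returns the user id on success, null on any failure.
function login(PDO $db, string $email, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed sample input standing in for $_POST; the quotes and backslash
// are deliberate, to show they survive both paths unchanged.
$pw = 'it\'s "quoted" \\ ok';
register($db, ['firstname' => 'Pat', 'lastname' => "O'Neil",
               'email' => 'pat@example.test', 'password' => $pw]);

var_dump(login($db, 'pat@example.test', $pw));        // correct password
var_dump(login($db, 'pat@example.test', 'wrong'));    // wrong password
var_dump(login($db, "nobody'@example.test", $pw));    // quote in email is plain data
```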