0

Hello,
I have a login script that I created and for some weird reason when it is in plaintext it works, but as soon as I put md5() it errors out and will not let me log in at all.

<?php
session_start();
error_reporting(E_ALL);
ini_set("display_errors", 1);
include("config.php");
if($_SERVER["REQUEST_METHOD"] == "POST")
    {
    $errmsg = '';
// username and password sent from Form
    $username=$_POST['username'];
    $password=$_POST['password'];

// To protect MySQL injection 
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);


    $md5pass = md5($password);

        if( $username == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{

        $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $count=mysql_num_rows($result);


// If result matched $username and $md5pass, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$username;

        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
    }
?>

The only error I am getting is from the login code when you come back with an error is when there is no errors at all.

Edited by patk570: forgot snippet

3
Contributors
9
Replies
21
Views
3 Years
Discussion Span
Last Post by patk570
0

after this line (27) $sql="SELECT id FROM admin WHERE username='$username' and passcode= ' $md5pass '";

add die($sql); and compare with what's in your database field.

0

There are several issues here:

1) md5() is not secure, consider SHA-256
2) Always look to salt your hash
3) if($md5pass == '') this will never be '' as md5('') is d41d8cd98f00b204e9800998ecf8427e
4) mysql is pretty much dead, you should be using mysqli or PDO

0

Its echoing: ************4b9d
in the db its: ************2b4b

the rest of the digits match....

0

I have no idea what you changed. Your result is very odd - there shouldn't be that amount of agreement if the strings are slightly different - the hashes should be totally different.

Are you using mysql_real_escape_string() when you INSERT a new record to the users table? If you're escaping on SELECT but not on INSERT, then that may account for differences - but only is you have escapable characters in the pw.

0

the password I did directly from the PHPMYADMIN table. I have the real escape string up top there for the password, but only there for a formality to prevent injection. I also change it directly to reflect what is being echoed but it still will not let me log in.

0

I fugured out one error. In the damn table, i had the the character limit set to 30...ugh I am a dummy... bit it is still not letting me login.

0

I fixed it...
here is my updated code with SHA1 in it...

<?php
include("config.php");
session_start();
if($_SERVER["REQUEST_METHOD"] == "POST")
{
$errmsg = '';
// username and password sent from Form
    //$myusername=$_POST['username'];
    //$mypassword=$_POST['password'];

    $myusername=addslashes($_POST['username']);
    $mypassword=addslashes($_POST['password']);

// To protect MySQL injection (more detail about MySQL injection)
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = mysql_real_escape_string($mypassword);


    $shapass = sha1($mypassword);
    if( $myusername == ''){
                $errmsg = 'Error: Please enter your username';
            }else{
        /*if($md5pass == ''){
                $errmsg = 'Error: Please enter your password';
            }else{*/

        $sql="SELECT id FROM admin WHERE username='$myusername' and passcode='$shapass'";
        $result=mysql_query($sql);
        $row=mysql_fetch_array($result);
        $active=
        $count=mysql_num_rows($result);


// If result matched $myusername and $mypassword, table row must be 1 row
        if($count==1)
    {
        session_register("username");
        $_SESSION['login_user']=$myusername;
        header("location: index.php");
    }
        else
    {
        $errmsg = "Error: your Username or Password is invalid. <br /> If you haven't registered yet, you can <a href='register.php'>register here</a>";
                }
            }
        }
?>
This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.