Md5 login help!

freebies4real · August 15, 2011, 3:59am

When a user registers for my site then their password is encrypted in md5, but they are not able to login. I have my login page below, i tried to ude the MD5() string where the code selects the pass but no luck, what do i do?

<?php
session_start();
if( $_SESSION["logging"]&& $_SESSION["logged"])
{
     print_secure_content();
}
else {
    if(!$_SESSION["logging"])
    { 
    $_SESSION["logging"]=true;
    loginform();
    }
       else if($_SESSION["logging"])
       {
         $number_of_rows=checkpass();
         if($number_of_rows==1)
            {   
             $_SESSION[user]=$_POST[userlogin];
             $_SESSION[logged]=true;
             print"<h1>you have loged in successfully</h1>";
             print_secure_content();
            }
            else{
                   print "wrong pawssword or username, please try again";   
                   echo $ttt;   
                loginform();
            }
        }
     }

function loginform()
{
print "please enter your login information to proceed with our site";
print ("<table border='2'><tr><td>username</td><td><input type='text' name='userlogin' size'20'></td></tr><tr><td>password</td><td><input type='password' name='password' size'20'></td></tr></table>");
print "<input type='submit' >";   
print "<h3><a href='registerform.php'>register now!</a></h3>";   
}

function checkpass()
{
$servername="*******";
$username="*******";
$conn=  mysql_connect($servername,$username,"cool23")or die(mysql_error());
mysql_select_db("*******",$conn);
$sql="select * from users where user='$_POST[userlogin]' and pass='$_POST[password]'";
$result=mysql_query($sql,$conn) or die(mysql_error());
return  mysql_num_rows($result);
}

function print_secure_content()
{
    print("<b><h1>hi mr.$_SESSION[user]</h1>");
    print "<br><h2>only a logged in user can see this</h2><br><a href='logout.php'>Logout</a><br>";   
   
}
?>

SpacePhoenix · August 15, 2011, 4:07am

You need to run the submitted password through the md5() function before using it in the query but before that you need to sanitize both the username and password as your script is vulnerable to SQL injection attack. Also have a [URL=“http://php.net/manual/en/pdo.prepared-statements.php”]read of this which is about prepared statements.

freebies4real · August 15, 2011, 4:33am

I will read that now and how do i sanitize and run the submitted password through the md5() function?

sorry I am a beginner

SpacePhoenix · August 15, 2011, 6:02am

For getting the md5 hash of a password (once it has been sanitized):

$password_hash=md5($sanitized_password);

To use prepared statements you’ll need to switch to using the mysqli_* extension instead of the mysql_* extension.

freebies4real · August 15, 2011, 11:36am

so prepared statements prevent sql injections

Wuiqed · August 15, 2011, 11:35pm

That’s correct. However, there is no need sanitize the password since you’re hashing it.