Md5 Login Page Help

I’m trying to have the user log in with the password he put in the register field (which has now been hashed in the database).

It would seem this code:

$password=md5($_POST['password']);

Doesn’t work. Here is how I’m inserting it into the database (yes, I am aware SQL is deprecated and I’m not using $salt; I’m just using this for testing purposes. I am also aware MD5 is easy to crack and will fix it later):

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "register-form")) {
  $insertSQL = sprintf("INSERT INTO Users (UserID, Fname, Lname, Username, Password) VALUES ('$userid', '$fname', '$lname', '$username', md5 ('".$password."'))",
                       GetSQLValueString($_POST['UserID'], "int"),
                       GetSQLValueString($_POST['Fname'], "text"),
                       GetSQLValueString($_POST['Lname'], "text"),
                       GetSQLValueString($_POST['Username'], "text"),
                       GetSQLValueString($_POST['password'], "text"));

And this is how I’m getting the password from the database:

if (isset($_POST['Username'])) {
  $loginUsername=$_POST['Username'];
  $password=md5($_POST['password']);
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "filelocation";
  $MM_redirectLoginFailed = "login.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Connection_Users, $Connection_Users);
  
  $LoginRS__query=sprintf("SELECT Username, Password FROM Users WHERE Username=%s AND Password= md5 ('".$password."')",
    GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

Whether or not I delete the part where it says $LoginRS__query=sprintf("SELECT Username, Password FROM Users WHERE Username=%s AND Password= md5 ('".$password."')" and leave it as → AND Password=%s,

this line won’t work: $password=md5($_POST['password']);

Can anyone help me out with this?

I will fix the code later, just using this for testing

What version of PHP are you using?

Does your host offer any upgrade to version 5.5 of PHP? Version 5.5 has some functions (introduced in PHP 5.5) for more secure hashing of passwords: http://php.net/manual/en/book.password.php. For PHP 5.4 or older there’s a backwards-compatible library that provides the same functionality.

I don’t know if they do, I will ask them, and thank you for the link.

Will the code only work in version 5.5 and up?

My question is: why are you md5-ing the password and then md5-ing that again?

True, the code is several years out-of-date, but I can’t recall ever seeing that done before, ever.

And if I also remember correctly, PHP and MySQL do it differently despite the functions having the same name.

IMHO, since this is only as a learning exercise anyway, you should lose one or the other.

I removed this: AND Password= md5 ('".$password."')", and just left it as AND Password=%s, so the code would look like:

$password=md5($_POST['password']);

$LoginRS__query=sprintf("SELECT Username, Password FROM Users WHERE Username=%s AND Password=%s", GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

I’ve also tried to remove this: $password=md5($_POST['password']); and leave this:

$password=$_POST['password'];

$LoginRS__query=sprintf("SELECT Username, Password FROM Users WHERE Username=%s AND Password= md5 ('".$password."')", GetSQLValueString($loginUsername, "text"), GetSQLValueString($password, "text"));

What is GetSQLValueString doing to your strings?

GetSQLValueString() is a function used in Dreamweaver whenever a server behavior that inserts or updates a query is inserted into a page. The function is useful for scrubbing data values to prevent SQL injection attacks and to normalize the data.

Well, unless it adds quotes to strings, Username=%s is gonna cause your query to fail because SQL doesn’t understand the word JohnDoe.

Also, are you getting any error messages?

<?php
/* development and testing only */
error_reporting(E_ALL);
ini_set('display_errors', true);
⋮
⋮

Well, unless it adds quotes to strings, Username=%s is gonna cause your query to fail because SQL doesn’t understand the word JohnDoe.

It still works, whether Username=%s or Username='$username', either one works fine.

Also, are you getting any error messages?

<?php
error_reporting(E_ALL);
ini_set('display_errors', true);
⋮
⋮

No, no error messages at all.

Hosting company doesn’t seem to be offering PHP 5.5 as of yet (they said they’ll have it by the end of the year).

You can implement the same password processing in PHP 5.3 as was added in PHP 5.5 simply by adding one extra include: https://github.com/ircmaxell/password_compat
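As an added example (not code from the thread or from the password_compat project), here is the registration and login flow from the original post rewritten around password_hash()/password_verify() and a PDO prepared statement instead of sprintf() string-building. It covers both the PHP 5.5 built-in functions mentioned earlier and the password_compat fallback for PHP 5.3.7+. Assumptions: an in-memory SQLite database stands in for the MySQL Users table so the script runs stand-alone, the table layout is taken from the thread's INSERT (minus the caller-supplied UserID), and the include path for password_compat is a placeholder.

```php
<?php
// Added example, not the original poster's code. Requires PHP 5.5+, or
// PHP 5.3.7+ with the password_compat library available at the assumed path.
if (!function_exists('password_hash')) {
    require_once __DIR__ . '/password_compat/lib/password.php'; // assumed location
}

// In-memory SQLite stands in for the MySQL "Users" table from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Users (UserID INTEGER PRIMARY KEY, Fname TEXT, Lname TEXT,
           Username TEXT UNIQUE, Password TEXT)');

function register_user(PDO $db, $fname, $lname, $username, $plainPassword)
{
    // password_hash() generates its own random salt and stores it inside the
    // returned string, so no separate $salt column is needed and the plain
    // password is never sent to the database.
    $hash = password_hash($plainPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO Users (Fname, Lname, Username, Password)
                          VALUES (:fname, :lname, :username, :password)');
    $stmt->execute(array(
        ':fname'    => $fname,
        ':lname'    => $lname,
        ':username' => $username,
        ':password' => $hash,
    ));
}

function login_user(PDO $db, $username, $plainPassword)
{
    // Select by username only; the password is checked in PHP, never by a
    // string comparison inside the SQL WHERE clause.
    $stmt = $db->prepare('SELECT UserID, Password FROM Users WHERE Username = :username');
    $stmt->execute(array(':username' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same outcome as a wrong password
    }
    if (!password_verify($plainPassword, $row['Password'])) {
        return false;
    }
    // If PHP's default algorithm or cost has changed since the hash was
    // stored, replace it now while the plain password is still in hand.
    if (password_needs_rehash($row['Password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE Users SET Password = :password WHERE UserID = :id');
        $upd->execute(array(
            ':password' => password_hash($plainPassword, PASSWORD_DEFAULT),
            ':id'       => $row['UserID'],
        ));
    }
    return (int) $row['UserID'];
}

// Constructed sample run.
register_user($db, 'John', 'Doe', 'johndoe', 'correct horse battery staple');
var_dump(login_user($db, 'johndoe', 'correct horse battery staple')); // valid login
var_dump(login_user($db, 'johndoe', 'wrong password'));               // rejected
var_dump(login_user($db, "johndoe' OR '1'='1", 'anything'));          // injection attempt, rejected
```

The bound parameters mean the third call is looked up as a literal username containing quotes rather than altering the query, which is the job GetSQLValueString() was trying to do by escaping; and because the stored value is a salted bcrypt hash, two users with the same password no longer share the same database value the way they would with MD5.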


I got it to work; it turned out I was using $username instead of $loginUsername in Username='$loginUsername'.

And also this fix needs to be made so the person creating the login can know that, instead of using

$password=md5($_POST['password']);

use this instead: $password=(md5($_POST['password']));

That worked for me and got everything else working perfectly. Also, can this thread be marked as solved so others can find it and use the method?

Why would they want to use that antiquated, easy-to-break password system when from PHP 5.3 onward they can use the one built into PHP 5.5+?

What I mean is: use that way to do it, but instead of using md5 use your own method; I just wanted to give them an idea of how to do it.

Why use your own method when PHP supplies one built in that will be automatically upgraded in future versions of PHP when even higher levels of security are required?
