Login md5 encrypt password verify help

jennymesserly
Forum Newbie
Posts: 2
Joined: Sun Dec 05, 2010 9:06 pm

Login md5 encrypt password verify help

Post by jennymesserly »

Hello! I'm the typical newbie seeking help from you PHP masta-wizards...

I have a login form with an encrypted password and I keep getting "Wrong Username or Password" even though the login exists. It works if I remove the password fields, so I know the encrypted password is not verifying. Can anyone help? Thank you!

Form - main_login.php:

Code:

<form name="form1" method="post" action="checklogin.php">
Username: <input name="myusername" type="text" id="myusername">
Password: <input name="mypassword" type="text" id="mypassword">
<input type="submit" name="Submit" value="Login">
</form>
checklogin.php

Code:

<?php
ob_start();
$host="xx"; // Host name 
$username="xx"; // Mysql username 
$password="xx"; // Mysql password 
$db_name="xx"; // Database name 
$tbl_name="xx"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// encrypt password 
$encrypted_mypassword = md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: Login md5 encrypt password verify help

Post by Zyxist »

And is the password correct? The code itself looks correct, unless we mention poor quality. Why are you using MD5 instead of SHA1?

And some hints:

Code:

mysql_connect("$host", "$username", "$password")or die("cannot connect");
What is this? You do not know how to pass the arguments to functions. Never cast them to strings unless you really need to.

Code:

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];
Why don't you operate on the original $_POST fields, but create unnecessary temporary variables?

Code:

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
Why do you pass the values through both stripslashes() and mysql_real_escape_string() if both of them basically do the same? Now it can destroy some data with quotes.

Code:

session_register("myusername");
session_register("mypassword");
What book/tutorial/resource are you learning PHP from? This kind of session handling has been deprecated for 7 or 8 years, if not more.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Login md5 encrypt password verify help

Post by social_experiment »

IMO you shouldn't pass the password through mysql_real_escape_string() before you have hashed it. Let's say your password is !23'56, and you pass it through the escape function: you will be hashing this value, !23\'56, which is not your password. Rather hash it inside the query.
Zyxist wrote:...stripslashes() and mysql_real_escape_string() if both of them basically do the same?
Basically the same? No. You should only use stripslashes for output. mysql_real_escape_string() escapes quotes while stripslashes removes slashes, technically the opposite of each other. If you are inputting to the database, you use mysql_real_escape_string() and addslashes() if you really want to.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
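
An added example (not code from any poster in this thread) of the point above: escaping a password before hashing it changes the digest, so the lookup only succeeds if the stored hash was produced from the same escaped string. It goes beyond the thread by using password_hash()/password_verify() and PDO prepared statements in place of md5() and the mysql_* functions. The members table, its columns, the in-memory SQLite database and the sample user are assumptions, and addslashes() stands in for mysql_real_escape_string(), which needs a live connection.

```php
<?php
// Added example. Requires PHP 7+ with the pdo_sqlite extension.
// Table name, column names and the sample account are constructed for illustration.

// Part 1: escaping before hashing changes what gets hashed.
$typed   = "!23'56";            // the password used as the example in the thread
$escaped = addslashes($typed);  // stand-in for mysql_real_escape_string(): !23\'56

function digestsMatch(string $a, string $b): bool
{
    return md5($a) === md5($b);
}
// The backslash added by escaping is hashed too, so the two digests differ.
var_dump(digestsMatch($typed, $escaped));

// Part 2: hash the raw password, and keep user input out of the SQL text entirely.
function openDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

function register(PDO $pdo, string $user, string $password): void
{
    // password_hash() salts and stretches the password; the raw value is never escaped.
    $stmt = $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($password, PASSWORD_DEFAULT)]);
}

function checkLogin(PDO $pdo, string $user, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn(); // false when no row matched
    return is_string($stored) && password_verify($password, $stored);
}

$pdo = openDb();
register($pdo, "o'brien", $typed);                // a quote in the username needs no escaping
var_dump(checkLogin($pdo, "o'brien", $typed));    // same raw password as at registration
var_dump(checkLogin($pdo, "o'brien", $escaped));  // escaped variant is a different password
```

Registration and login must feed the same bytes to the hash function; any transformation applied on one side only (escaping, trimming, slash stripping) produces a mismatch like the one reported in the first post.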
Zyxist
Forum Contributor
Posts: 104
Joined: Sun Jan 14, 2007 10:44 am
Location: Cracow, Poland

Re: Login md5 encrypt password verify help

Post by Zyxist »

Oops, my bad. I meant addslashes(). Thanks for pointing it out.
jennymesserly
Forum Newbie
Posts: 2
Joined: Sun Dec 05, 2010 9:06 pm

Re: Login md5 encrypt password verify help

Post by jennymesserly »

The password is correct. I've tried several users.

Thanks for all the suggestions! I don't really know PHP, so I used this tutorial: http://www.phpeasystep.com/workshopview.php?id=6

I'll try these suggestions and let you know how they work for me. Do you have any better tutorial suggestions?
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Re: Login md5 encrypt password verify help

Post by pickle »

Just FYI: encryption != hashing
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
devilinc
Forum Newbie
Posts: 16
Joined: Fri Nov 12, 2010 1:07 am

Re: Login md5 encrypt password verify help

Post by devilinc »

Yes, note the above things. Maybe I must have overlooked it, but where is your insert query that actually does the hashing? Or did I miss that post? It first hashes the password and stores it, right?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Login md5 encrypt password verify help

Post by social_experiment »

jennymesserly wrote:Do you have any better tutorial suggestions?
Yeah, go old school and get a book (an actual book) on PHP for beginners. I used PHP in 24 hours by Matt Zandstra. It's probably outdated now, seeing as the book covers PHP 4.3, but the basics are the same. It doesn't seem like you have a problem with the syntax but more with thinking like a programmer, but don't worry, it's probably like that for many beginners.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering