Login md5 encrypt password verify help

Posted: Sun Dec 05, 2010 9:21 pm
by jennymesserly
Hello! I'm the typical newbie seeking help from you PHP masta-wizards...

I have a login form with an encrypted password and I keep getting "Wrong Username or Password" even though the login exists. It works if I remove the password fields, so I know the encrypted password is not verifying. Can anyone help? Thank you!

Form - main_login.php:

Code:

<form name="form1" method="post" action="checklogin.php">
Username: <input name="myusername" type="text" id="myusername">
Password: <input name="mypassword" type="text" id="mypassword">
<input type="submit" name="Submit" value="Login">
</form>
checklogin.php

Code:

<?php
ob_start();
$host="xx"; // Host name 
$username="xx"; // Mysql username 
$password="xx"; // Mysql password 
$db_name="xx"; // Database name 
$tbl_name="xx"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

// encrypt password 
$encrypted_mypassword = md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 1:46 am
by Zyxist
And is the password correct? The code itself looks correct, unless we mention poor quality. Why are you using MD5 instead of SHA1?

And some hints:

Code:

mysql_connect("$host", "$username", "$password")or die("cannot connect");
What is this? You do not know how to pass the arguments to functions. Never cast them to strings unless you really need to.

Code:

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword'];
Why don't you operate on the original $_POST fields, but create unnecessary temporary variables?

Code:

$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
Why do you pass the values through both stripslashes() and mysql_real_escape_string() if both of them basically do the same? Now it can destroy some data with quotes.

Code:

session_register("myusername");
session_register("mypassword");
What book/tutorial/resource are you learning PHP from? This kind of session handling has been deprecated for 7 or 8 years, if not more.

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 3:58 am
by social_experiment
IMO you shouldn't pass the password through mysql_real_escape_string() before you have hashed it. Let's say your password is !23'56 and you pass it through the escape function: you will be hashing the value !23\'56, which is not your password. Rather hash it inside the query.

Zyxist wrote: ...stripslashes() and mysql_real_escape_string() if both of them basically do the same?
Basically the same? No. You should only use stripslashes for output. mysql_real_escape_string() escapes quotes while stripslashes removes slashes, technically the opposite of each other. If you are inputting to the database, you use mysql_real_escape_string() and addslashes() if you really want to.
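
Added example (not part of the original thread or the tutorial's code): the escape-then-hash mismatch described above, followed by a hardened login in current PHP. addslashes() stands in for mysql_real_escape_string(); the in-memory SQLite table, the register() and login() helpers and the sample user are constructed for illustration, and it assumes registration stored md5() of the raw password.

```php
<?php
// Constructed sample password containing a quote (the one used in the post above).
$password = "!23'56";

// Assumption: registration stored md5() of the raw, unescaped password.
$stored = md5($password);

// checklogin.php hashes the password AFTER SQL escaping.
// addslashes() is a stand-in: like mysql_real_escape_string(), it puts a
// backslash before a single quote, but it needs no database connection.
$escaped = addslashes($password);
var_dump(md5($escaped) === $stored);   // compares escaped-then-hashed vs stored

// Hardened form: never escape the password, hash the raw input with a
// salted password hash, and bind values instead of building SQL strings.
$pdo = new PDO('sqlite::memory:');     // constructed stand-in for the members table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT)');

function register(PDO $pdo, string $user, string $pass): void
{
    // password_hash() salts and hashes; the salt is stored inside the result.
    $stmt = $pdo->prepare('INSERT INTO members (username, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $user, string $pass): bool
{
    // Look the row up by username only; the hash is checked in PHP.
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();      // false when no such user
    return $hash !== false && password_verify($pass, $hash);
}

register($pdo, "o'brien", $password);
var_dump(login($pdo, "o'brien", $password));  // raw password, quote in username
var_dump(login($pdo, "o'brien", $escaped));   // escaped variant of the password
var_dump(login($pdo, "nobody", $password));   // unknown user
```

Because the values are bound as parameters, quotes in the username or password need no escaping at all, so the stored hash and the login-time hash are always computed over the same bytes.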

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 5:08 am
by Zyxist
Oops, my bad. I meant addslashes(). Thanks for pointing it out.

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 7:35 am
by jennymesserly
The password is correct. I've tried several users.

Thanks for all the suggestions! I don't really know PHP, so I used this tutorial: http://www.phpeasystep.com/workshopview.php?id=6

I'll try these suggestions and let you know how they work for me. Do you have any better tutorial suggestions?

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 10:39 am
by pickle
Just FYI: encryption != hashing

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 10:47 am
by devilinc
Yes, note the above things. Maybe I must have overlooked it, but where is your insert query that actually does the hashing? Or did I miss that post? It first hashes the password and stores it, right?

Re: Login md5 encrypt password verify help

Posted: Mon Dec 06, 2010 11:54 am
by social_experiment
jennymesserly wrote: Do you have any better tutorial suggestions?

Yeah, go old school and get a book (an actual book) on PHP for beginners. I used PHP in 24 hours by Matt Zandstra. It's probably outdated now seeing as the book covers PHP 4.3, but the basics are the same. It doesn't seem like you have a problem with the syntax but more with thinking like a programmer, but don't worry, it's probably like that for many beginners.