
Comparing Hashed Passwords

Posted: Thu Aug 14, 2008 2:47 am
by Grahamhart
I have created an SQL database containing a list of usernames and passwords and have hashed these passwords using md5. The problem I am now having is that when I take an entered password and try to compare it to the one in the database for a match, the result comes back incorrect. Without the hashing it works fine.

The code I am using to compare the passwords is as follows:

$passwordhash = md5($_POST['fpassword']);
$sql = "SELECT loginName FROM Member WHERE loginName='$_POST[fusername]' AND password='$passwordhash'";

Re: Comparing Hashed Passwords

Posted: Thu Aug 14, 2008 3:00 am
by Geteburg
Check if the MD5 hash is the same when you submit the form as the one in the DB. If it is, do the same for the SQL query: echo it and check that the output of the SQL echo has what it should have.

$passwordhash = md5($_POST['fpassword']);
echo $passwordhash; // <--- this should match the entry in table
 
And btw, at least do mysql_real_escape_string($_POST['fusername']). 'Cause right now you are SQL-injection ready :) NEVER trust the input that users add.

Re: Comparing Hashed Passwords

Posted: Thu Aug 14, 2008 3:22 am
by Grahamhart
Thanks, I will try this. I will be adding anti-injection to this later; I like to get one thing working at a time :)

Re: Comparing Hashed Passwords

Posted: Thu Aug 14, 2008 3:49 am
by Grahamhart
Ah, seems you were right. After returning it, it just turns out the table was set up wrong and needed a bigger VAR.

Thanks,
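
An added example, not code from any poster in this thread: the same login check written with a bound parameter instead of string interpolation and with password_hash()/password_verify() instead of md5, followed by a reproduction of the column-width failure the thread ends on. The Member table and its column names follow the thread; the in-memory SQLite database (pdo_sqlite assumed available), the sample credentials and the 20-character column width are constructed for illustration.

```php
<?php
// Added example. SQLite in memory is used only so this runs offline;
// the prepare/execute calls are the same with a MySQL PDO connection.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Size the hash column generously: password_hash() output can grow with
// future algorithms, and the PHP manual recommends 255 characters.
$db->exec('CREATE TABLE Member (
    loginName VARCHAR(64) PRIMARY KEY,
    password  VARCHAR(255) NOT NULL)');

function register(PDO $db, string $user, string $pass): void {
    $stmt = $db->prepare('INSERT INTO Member (loginName, password) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user, string $pass): bool {
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM Member WHERE loginName = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();   // false when no such user exists
    // Salted hashes cannot be matched in a WHERE clause, so verify in PHP.
    return $stored !== false && password_verify($pass, $stored);
}

register($db, 'alice', 'correct horse');              // constructed sample account
var_dump(login($db, 'alice', 'correct horse'));       // valid credentials
var_dump(login($db, 'alice', 'wrong'));               // wrong password
var_dump(login($db, "alice' OR '1'='1", 'x'));        // quote characters stay data

// The failure from the thread: an MD5 hex digest is always 32 characters.
// A narrower column keeps only a prefix when MySQL is not in strict mode,
// so the stored value never equals the freshly computed hash.
// substr() simulates that truncation (20 is a constructed width).
$full      = md5('correct horse');
$truncated = substr($full, 0, 20);
var_dump(strlen($full));            // length the column must hold
var_dump($truncated === $full);     // comparison against the truncated value
```

With MySQL in strict SQL mode the oversized insert is rejected with an error instead of being silently truncated, which surfaces this kind of schema mistake at write time.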