How to login with md5

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Post Reply
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

How to login with md5

Post by mikes1471 »

Hi Guys

Can anyone tell me where in my login code I need to define the md5 password?

I have built a registration page and have entered users with md5 passwords so now I would like to test my login script but cannot until I figure this out :(

Code: Select all

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: How to login with md5

Post by Apollo »

Don't you think posting your checklogin.php would clarify more? :)

When you say you "have entered users with md5 passwords", exactly what do you mean?
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Re: How to login with md5

Post by mikes1471 »

doh yeh sorry

Code: Select all

<?php
// Connect to server and select databse.
include_once "functions.php";
 
connect();
 
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
 
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
 
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
 
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
 
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
I mean I have the passwords encrypted at the point of registration
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Re: How to login with md5

Post by mikes1471 »

Have I made this any clearer?

When a new user registers their chosen password is given an md5 encryption. As you can see from my login script and my checklogin script I am not declaring the md5 encryption, this is because Im not sure how, does anyone know?
watson516
Forum Contributor
Posts: 198
Joined: Mon Mar 20, 2006 9:19 pm
Location: Hamilton, Ontario

Re: How to login with md5

Post by watson516 »

You just have to md5 the inputted password before checking. If the two are the same, they are the same password
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Re: How to login with md5

Post by mikes1471 »

Yeah I know, I'm not sure how to do that in the script
watson516
Forum Contributor
Posts: 198
Joined: Mon Mar 20, 2006 9:19 pm
Location: Hamilton, Ontario

Re: How to login with md5

Post by watson516 »

md5($password) inside the sql statement
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Re: How to login with md5

Post by mikes1471 »

Thanks for the replies, I tried that on lines 13 and 15

I changed this

Code: Select all

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
and instead typed this

Code: Select all

// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes".md5($password)";
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string".md5($password)";
and the result was errors on line 13
mikes1471
Forum Commoner
Posts: 88
Joined: Sat Jan 24, 2009 3:29 pm

Re: How to login with md5

Post by mikes1471 »

OK I think I have it sussed but am not sure, this is the revised code

Code: Select all

<?php
// Connect to server and select databse.
include_once "functions.php";
 
connect();
 
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
 
// To protect MySQL injection (more detail about MySQL injection)
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
 
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='.md5$password'";
$result=mysql_query($sql);
 
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $username and $password, table row must be 1 row
 
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>
But the result is "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/picfrisky.com/httpdocs/checklogin.php on line 21
Wrong Username or Password"
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: How to login with md5

Post by Apollo »

mikes1471 wrote:I changed this

(...)

and instead typed this
You're using a strange notation.. why the quotes?
And of course using md5 inside a string won't help, it's a function.

Just do this:

Code: Select all

$password = md5($_POST['password']);
//...
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
Security notice: you don't need mysql_real_escape_string in this case, cause any strange characters that the password may contain are just taken along in the hash, and an md5 hash contains hex digits only.

Alternatively, you could also do the hashing inside the SQL query (as watson516 suggests), then you do need escape the string first:

Code: Select all

$password = mysql_real_escape_string($_POST['password']);
//...
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password=MD5('$password')";
But I guess the first approach is easier for now.
Post Reply