
How to login with md5

Posted: Thu Feb 12, 2009 4:21 pm
by mikes1471
Hi Guys

Can anyone tell me where in my login code I need to define the md5 password?

I have built a registration page and have entered users with md5 passwords so now I would like to test my login script but cannot until I figure this out :(

Code:

<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="username" type="text" id="username"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="password" type="password" id="password"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

Re: How to login with md5

Posted: Thu Feb 12, 2009 4:43 pm
by Apollo
Don't you think posting your checklogin.php would clarify more? :)

When you say you "have entered users with md5 passwords", exactly what do you mean?

Re: How to login with md5

Posted: Thu Feb 12, 2009 4:47 pm
by mikes1471
Doh, yeah, sorry.

Code:

<?php
// Connect to server and select database.
include_once "functions.php";
 
connect();
 
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
 
// To protect against MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
 
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";
$result=mysql_query($sql);
 
// mysql_num_rows() counts the rows in the result
$count=mysql_num_rows($result);
// If the result matched $username and $password, there must be exactly 1 row
 
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

I mean I have the passwords encrypted at the point of registration.

Re: How to login with md5

Posted: Thu Feb 12, 2009 5:57 pm
by mikes1471
Have I made this any clearer?

When a new user registers, their chosen password is given an md5 encryption. As you can see from my login script and my checklogin script, I am not declaring the md5 encryption; this is because I'm not sure how. Does anyone know?

Re: How to login with md5

Posted: Thu Feb 12, 2009 6:38 pm
by watson516
You just have to md5 the inputted password before checking. If the two are the same, they are the same password.

Re: How to login with md5

Posted: Thu Feb 12, 2009 6:43 pm
by mikes1471
Yeah I know, I'm not sure how to do that in the script

Re: How to login with md5

Posted: Thu Feb 12, 2009 6:48 pm
by watson516
md5($password) inside the sql statement

Re: How to login with md5

Posted: Thu Feb 12, 2009 6:51 pm
by mikes1471
Thanks for the replies, I tried that on lines 13 and 15

I changed this

Code:

// To protect against MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

and instead typed this

Code:

// To protect against MySQL injection
$username = stripslashes($username);
$password = stripslashes".md5($password)";
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string".md5($password)";

and the result was errors on line 13

Re: How to login with md5

Posted: Thu Feb 12, 2009 6:56 pm
by mikes1471
OK I think I have it sussed but am not sure, this is the revised code

Code:

<?php
// Connect to server and select database.
include_once "functions.php";
 
connect();
 
// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];
 
// To protect against MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
 
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='.md5$password'";
$result=mysql_query($sql);
 
// mysql_num_rows() counts the rows in the result
$count=mysql_num_rows($result);
// If the result matched $username and $password, there must be exactly 1 row
 
if($count==1){
// Register $username, $password and redirect to file "login_success.php"
session_register("username");
session_register("password");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

But the result is "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /var/www/vhosts/picfrisky.com/httpdocs/checklogin.php on line 21
Wrong Username or Password"

Re: How to login with md5

Posted: Fri Feb 13, 2009 2:03 am
by Apollo
mikes1471 wrote: I changed this

(...)

and instead typed this

You're using a strange notation... why the quotes?
And of course using md5 inside a string won't help, it's a function.

Just do this:

Code:

$password = md5($_POST['password']);
//...
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password='$password'";

Security notice: you don't need mysql_real_escape_string in this case, because any strange characters that the password may contain are just taken along in the hash, and an md5 hash contains hex digits only.

Alternatively, you could also do the hashing inside the SQL query (as watson516 suggests); then you do need to escape the string first:

Code:

$password = mysql_real_escape_string($_POST['password']);
//...
$sql="SELECT * FROM $tbl_name WHERE username='$username' and password=MD5('$password')";

But I guess the first approach is easier for now.
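
Added example (not from the thread or any poster's code): a PHP login check that binds the username as a query parameter, still accepts the unsalted MD5 values the registration page described above has already stored, and replaces each one with a salted password_hash() value on the first successful login. The members table, its columns, the in-memory SQLite database (needs pdo_sqlite) and the sample account are constructed for illustration.

```php
<?php
// Added example; table name, columns and the sample account are constructed.
declare(strict_types=1);

function check_login(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // Legacy row: 32 hex digits, i.e. an unsalted md5() written at registration.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Password was correct: replace the MD5 value with a salted, slow hash.
        $upd = $db->prepare('UPDATE members SET password = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
        return true;
    }

    // Migrated row: password_verify() reads algorithm, cost and salt from the hash.
    return password_verify($password, $stored);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
$db->prepare('INSERT INTO members VALUES (?, ?)')->execute(['alice', md5('s3cret-demo')]);

var_dump(check_login($db, 'alice', 'wrong-guess'));   // rejected, row untouched
var_dump(check_login($db, 'alice', 's3cret-demo'));   // accepted via the legacy branch

// The stored value has now been rewritten by password_hash().
$row = $db->query("SELECT password FROM members WHERE username = 'alice'")->fetchColumn();
var_dump(password_get_info($row)['algoName']);

var_dump(check_login($db, 'alice', 's3cret-demo'));   // accepted via password_verify()
```

The password column must be wide enough for the new hashes; the PHP manual recommends 255 characters for values produced with PASSWORD_DEFAULT.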