Solved

Need help with logging in using md5, php.

Posted on 2012-03-11
Last Modified: 2012-06-27
So the passwords were stored in clear text. I got the passwords hashed using md5. I even got the code working to insert into the database.

Now, I can't log in. Here's what the old code looked like:
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";


I've tried everything I can think of and can't get it to work. I've put the md5 in front of the $Post, in front of the escape, even tried just deleting the escape to see if I could get it to work, but no luck.

Can anyone help me figure this out?

Thanks,
MHenry
Question by:MHenry
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 37708354
try to change "password" field 'usr_password'
0
 
LVL 24

Expert Comment

by:johanntagle
ID: 37708480
AND password=md5('".mysql_real_escape_string($_POST['password'])."')
0
 
LVL 7

Author Comment

by:MHenry
ID: 37709986
Neither of those suggestions worked.

johanntagle, if I enter it your way it gives a syntax error. But trying the md5 outside was one of the few things I hadn't tried.

On a side note, any chance it could be that there's only one = sign?

Thanks,
mh
0
 
LVL 33

Accepted Solution

by:
Slick812 earned 168 total points
ID: 37710995
Using the exact same methods (step by step) for the setting (update) of "password" and comparing of passwords usually works. Can you show the PHP code you used to SET (update) the passwords?
0
 
LVL 7

Author Comment

by:MHenry
ID: 37711742
Slick812,

It's a long insert but the important bits are:
$AddUserQry="INSERT INTO users SET ...
... password='".addslashes(md5($_POST['password']))."',


mh
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 166 total points
ID: 37712312
Please post the CREATE TABLE statement for the users table.  

Please post the form that is used to log in so we can see how the password input control is defined.

Do you still have the original clear-text passwords in the table (I hope so)?

Do you have backups of the table that date from before the table was altered?

Some things to check... When you altered the table to add the hashed password column did you use the md5() of the existing password from the table?  Did you make the hashed password column VARCHAR(32)?
0
 
LVL 24

Assisted Solution

by:johanntagle
johanntagle earned 166 total points
ID: 37712345
Good call on checking the column size, Ray.  Because calling md5 for the password check the way it was called for password set should have worked.
0
 
LVL 33

Expert Comment

by:Slick812
ID: 37712541
@MHenry, you use the PHP function -
md5(  );
to HASH the $_POST value that the user entered as password

I cannot see any use for you having the PHP function - addslashes( ). I hope you know that the md5(  ) function returns a string 32 characters long with a restricted SET of just 16 characters as a HEX output -

0123456789abcdef

so I see no need for the addslashes( ) function. And besides, if it is for MySQL security concerns, there is a MySQL function that is much better for that.

What I do many times, is NOT to use a select like yours -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";


$SelUserQry   = "SELECT password FROM users WHERE email = '".mysql_real_escape_string($_POST['email'])."' AND name = '".mysql_real_escape_string($_POST['name'])."'";

and then If it returns ONE ROW test the password
// strict comparison: == can treat two different "0e..." digests as equal numbers
if ($row['password'] === md5($_POST['password']))
    {
    echo 'Success,  you is Loged';
    }

This is untested code, and may have errors for the ' and " especially in the Query String. But my point is to select out the password for a user name (or email) and then md5( ) the POST password and compare to see if equal. Of course there are other ways to get this done in programming, but this seems like a straightforward way to do it. Ask questions if you need more.
0
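
Added example (not code from any poster in this thread): the select-by-email-then-compare approach described above, written with a bound parameter and a constant-time comparison. It goes one step beyond the thread by replacing each legacy MD5 digest with a password_hash() value on the first successful login. It assumes PHP 5.6+ with pdo_sqlite; the table, columns and sample account are constructed.

```php
<?php
// Added example: look the user up by email only, then verify the password in PHP.
// Assumption: PHP 5.6+ with pdo_sqlite; schema and account below are constructed.

function verify_login(PDO $db, $email, $password) {
    // Bound parameter: no manual escaping, and the password never enters the SQL.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = ?');
    $stmt->execute(array($email));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown email
    }
    $stored = $row['password'];

    // Legacy rows: 32 hex characters of unsalted MD5, as created in the thread.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the MD5 digest with a salted, slow hash.
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute(array(password_hash($password, PASSWORD_DEFAULT), $row['id']));
        return true;
    }

    // Rows that were already upgraded.
    return password_verify($password, $stored);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password VARCHAR(255))');
$ins = $db->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$ins->execute(array('user@example.com', md5("o'brien")));

var_dump(verify_login($db, 'user@example.com', "o'brien"));  // legacy MD5 row, upgraded on success
var_dump(verify_login($db, 'user@example.com', "o'brien"));  // same row, now checked by password_verify()
var_dump(verify_login($db, 'user@example.com', 'wrong'));    // wrong password
```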
 
LVL 7

Author Comment

by:MHenry
ID: 37712962
Ray_Paseur,

Ok, I'll answer what I can...

No idea where the create code is for users. I think it's all just inserted into the database?
Yes, I kept the old password column.
Yes, I made a backup of the database prior to playing in it.
(although I don't think this info is necessary to solve the problem.  Just an ID10T test I guess. Hope I passed!) ;)

I made the new hash column match what was setup in the db for the original password:
varchar(100), null=N

I also verified that if I copy the value from the database and used it as the login, everything works fine.

And I tested the value from the database with a reverse md5 lookup and verified it is the text I thought it was.

For testing, I registered as a new user with the new registration form, I did not use an existing account. I just inserted the md5 password into the existing password field.

Code for the form:
<form name="register" id="register" enctype="multipart/form-data" method="post" action="login.php">
							<table width="100%" border="0" cellspacing="0" cellpadding="0">
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <? if($Message!=""){?>
							  <tr>
								<td align="left" class="arial_11_red"><?=$Message?></td>
							  </tr>
							  <? } ?>
							  <tr>
								<td height="18" valign="bottom"><strong>Email Address:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="email" type="text" class="box" id="email" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="18" valign="bottom"><strong>Password:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="password" type="password" class="box" id="password" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="12"><a href="forgotpass.php" class="page-link">Forgot your password? <font color="red">Click here!</font></a></td>
							  </tr>
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <tr>
								<td align="left">
                                <input name="login" type="submit" id="login" value="Login" onClick="return valid();">
                                <? if($break == 1) { echo "<br /><br />"; } ?>
								</td>
							  </tr>
							</table>
						<input type="hidden" name="HidSubmiLogin" id="HidSubmiLogin" value="0"></form>	

0
 
LVL 7

Author Comment

by:MHenry
ID: 37712967
Slick812,

I took your advice and changed the addslashes bit. And I agree that your way is probably better, I'd like to just try to get this working before I start changing stuff.

I'm confused enough as it is right now.

Best,
mh
0
 
LVL 7

Author Comment

by:MHenry
ID: 37713078
Ok, I got it working.

I did it like this:
//Get password from form
            $myPassword=mysql_real_escape_string($_POST['password']);
            //encrypt it
            $encPass=md5($myPassword);

and then -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='$encPass'";


Not sure why it wasn't working before, but this did work. I did find one place where I had $mypassword instead of $myPassword, but not sure if that was in there before or not.

Anyway, I learned more about md5 and bug tracking. Thanks to everyone for the help!

mh
0
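
Added example, not part of the original thread: the registration code posted earlier hashes the password and then escapes the digest, while the login code in the final post escapes the password and then hashes it. The sketch below uses addslashes() as a stand-in for mysql_real_escape_string() (an assumption, since the latter needs a live connection) and lists which constructed sample passwords end up with different digests on the two paths.

```php
<?php
// Added example. addslashes() stands in for mysql_real_escape_string(),
// which needs a live MySQL connection; both put a backslash in front of
// quotes and backslashes.

// Registration path from the thread: hash first, then escape the digest.
function digest_at_registration($password) {
    return addslashes(md5($password));
}

// Login path from the final post: escape first, then hash.
function digest_at_login($password) {
    return md5(addslashes($password));
}

// Return the passwords for which the stored and the recomputed digest differ.
function mismatched_passwords(array $passwords) {
    $bad = array();
    foreach ($passwords as $p) {
        if (digest_at_registration($p) !== digest_at_login($p)) {
            $bad[] = $p;
        }
    }
    return $bad;
}

// Constructed sample passwords: one plain, three containing escaped characters.
$samples = array('hunter2', "o'brien", 'say "hi"', 'back\\slash');
print_r(mismatched_passwords($samples));
```

Hashing the raw input and escaping (or binding) only the value that is placed into the SQL keeps the two paths identical for every password.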
