Need help with logging in using md5, php.

try to change "password" field 'usr_password'

AND password=md5('".mysql_real_escape_string($_POST['password'])."')

Neither of those suggestions worked.

johanntagle, if I enter it your way it gives a syntax error. But trying the md5 outside was one of the few things I hadn't tried.

On a side note, any chance it could be that there's only one = sign?

Thanks,
mh

Slick812,

It's a long insert but the important bits are:
$AddUserQry="INSERT INTO users SET ...
... password='".addslashes(md5($_POST['password']))."',


mh

@ MHenry, , you use the PHP function -
md5(  );
to HASH the $__POST  value that the user entered as password

I can not see any use for you have the php function -  addslashes( ), I hope you know that the md5(  )  function returns a string 32 characters long with a restricted SET of just 16 characters as a HEX output -

0123456789abcdef

so I see no need for the  addslashes( ) function. An besides , if it is for MySQL security concerns, there is a MySQL function that is much better for that.

What I do many times, is NOT to use a select like yours -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";


$SelUserQry   = 'SELECT password FROM users WHERE email = "'.mysql_real_escape_string($_POST['email']).'"' AND name ='".mysql_real_escape_string($_POST['name'])."'";

and then If it returns ONE ROW test the password
if ($row['password'] == md5($_POST['password'])
    {
    echo 'Success,  you is Loged';
    }

This is untested code, and may have errors for the '  and  "  especially in the Query String. BUt My point is to  select Out the password for a user name (or email) and then md5( ) the POST password and compare to see if equal.  Of course There are other ways to get this done in programming, but this seems like a straight forward way to do it. as questions if you need more.

Ray_Paseur,

Ok, I'll answer what I can...

No idea where the create code is for users. I think it's all just inserted into the database?
Yes, I kept the old password column.
Yes, I made a backup of the database prior to playing in it.
(although I don't think this info is necessary to solve the problem.  Just an ID10T test I guess. Hope I passed!) ;)

I made the new hash column match what was setup in the db for the original password:
varchar(100), null=N

I also verified that if I copy the value from the database and used it as the login, every thing works fine.

And I tested the value from the database with a reverse md5 lookup and verified it is the text I thought it was.

For testing, I registered as a new user with the new registration form, I did not use an existing account. I just inserted the md5 password into the existing password field.

Code for the form:

<form name="register" id="register" enctype="multipart/form-data" method="post" action="login.php">
							<table width="100%" border="0" cellspacing="0" cellpadding="0">
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <? if($Message!=""){?>
							  <tr>
								<td align="left" class="arial_11_red"><?=$Message?></td>
							  </tr>
							  <? } ?>
							  <tr>
								<td height="18" valign="bottom"><strong>Email Address:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="email" type="text" class="box" id="email" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="18" valign="bottom"><strong>Password:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="password" type="password" class="box" id="password" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="12"><a href="forgotpass.php" class="page-link">Forgot your password? <font color="red">Click here!</font></a></td>
							  </tr>
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <tr>
								<td align="left">
                                <input name="login" type="submit" id="login" value="Login" onClick="return valid();">
                                <? if($break == 1) { echo "<br /><br />"; } ?>
								</td>
							  </tr>
							</table>
						<input type="hidden" name="HidSubmiLogin" id="HidSubmiLogin" value="0"></form>	

Select allOpen in new window

Slick812,

I took your advice and changed the addslashes bit. And I agree that your way is probably better, I'd like to just try to get this working before I start changing stuff.

I'm confused enough as it is right now.

Best,
mh

Ok, I got it working.

I did it like this:
//Get password from form
            $myPassword=mysql_real_escape_string($_POST['password']);
            //encrypt it
            $encPass=md5($myPassword);

and then -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='$encPass'";


Not sure why it wasn't working before, but this did work. I did find one place where I had $mypassword instead of $myPassword, but not sure if that was in there before or not.

Anyway, I learned more about md5 and bug tracking. Thanks to everyone for the help!

mh