Need help with logging in using md5, php.

So the passwords were stored in clear text. I got the passwords hashed using md5. I even got the code working to insert into the database.

Now, I can't login. Here's what the old code looked like:
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";



I've tried everything I can think of and can't get it to work. I've put the md5 in front of the $Post, in front of the escape, even tried just deleting the escape to see if I could get it to work, but no luck.

Can anyone help me figure this out?

Thanks,
MHenry
MHenry Asked:

Loganathan Natarajan (LAMP Developer) Commented:
try to change "password" field 'usr_password'
0
johanntagle Commented:
AND password=md5('".mysql_real_escape_string($_POST['password'])."')
0
MHenry (Author) Commented:
Neither of those suggestions worked.

johanntagle, if I enter it your way it gives a syntax error. But trying the md5 outside was one of the few things I hadn't tried.

On a side note, any chance it could be that there's only one = sign?

Thanks,
mh
0

Slick812 Commented:
Using the exact same methods (step by step) for the setting (update) of "password" and comparing of passwords usually works, can you show the php code you used to SET (update) the Passwords?
0

MHenry (Author) Commented:
Slick812,

It's a long insert but the important bits are:
$AddUserQry="INSERT INTO users SET ...
... password='".addslashes(md5($_POST['password']))."',


mh
0
Ray Paseur Commented:
Please post the CREATE TABLE statement for the users table.  

Please post the form that is used to login  so we can see how the password input control is defined.

Do you still have the original clear-text passwords in the table (I hope so)?

Do you have backups of the table that date from before the table was altered?

Some things to check... When you altered the table to add the hashed password column did you use the md5() of the existing password from the table?  Did you make the hashed password column VARCHAR(32)?
0
johanntagle Commented:
Good call on checking the column size, Ray.  Because calling md5 for the password check the way it was called for password set should have worked.
0
Slick812 Commented:
@MHenry, you use the PHP function -
md5(  );
to HASH the $_POST value that the user entered as password

I cannot see any use for you having the PHP function addslashes( ). I hope you know that the md5(  ) function returns a string 32 characters long with a restricted SET of just 16 characters as a HEX output -

0123456789abcdef

so I see no need for the addslashes( ) function. And besides, if it is for MySQL security concerns, there is a MySQL function that is much better for that.

What I do many times, is NOT to use a select like yours -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";


$SelUserQry   = "SELECT password FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND name='".mysql_real_escape_string($_POST['name'])."'";

and then If it returns ONE ROW test the password
if ($row['password'] == md5($_POST['password']))
    {
    echo 'Success,  you is Loged';
    }

This is untested code, and may have errors for the ' and " especially in the Query String. But my point is to select out the password for a user name (or email) and then md5( ) the POST password and compare to see if equal. Of course there are other ways to get this done in programming, but this seems like a straightforward way to do it. Ask questions if you need more.
0
MHenry (Author) Commented:
Ray_Paseur,

Ok, I'll answer what I can...

No idea where the create code is for users. I think it's all just inserted into the database?
Yes, I kept the old password column.
Yes, I made a backup of the database prior to playing in it.
(although I don't think this info is necessary to solve the problem.  Just an ID10T test I guess. Hope I passed!) ;)

I made the new hash column match what was setup in the db for the original password:
varchar(100), null=N

I also verified that if I copy the value from the database and used it as the login, everything works fine.

And I tested the value from the database with a reverse md5 lookup and verified it is the text I thought it was.

For testing, I registered as a new user with the new registration form, I did not use an existing account. I just inserted the md5 password into the existing password field.

Code for the form:
<form name="register" id="register" enctype="multipart/form-data" method="post" action="login.php">
							<table width="100%" border="0" cellspacing="0" cellpadding="0">
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <? if($Message!=""){?>
							  <tr>
								<td align="left" class="arial_11_red"><?=$Message?></td>
							  </tr>
							  <? } ?>
							  <tr>
								<td height="18" valign="bottom"><strong>Email Address:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="email" type="text" class="box" id="email" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="18" valign="bottom"><strong>Password:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="password" type="password" class="box" id="password" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="12"><a href="forgotpass.php" class="page-link">Forgot your password? <font color="red">Click here!</font></a></td>
							  </tr>
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <tr>
								<td align="left">
                                <input name="login" type="submit" id="login" value="Login" onClick="return valid();">
                                <? if($break == 1) { echo "<br /><br />"; } ?>
								</td>
							  </tr>
							</table>
						<input type="hidden" name="HidSubmiLogin" id="HidSubmiLogin" value="0"></form>	


0
MHenry (Author) Commented:
Slick812,

I took your advice and changed the addslashes bit. And I agree that your way is probably better, I'd like to just try to get this working before I start changing stuff.

I'm confused enough as it is right now.

Best,
mh
0
MHenry (Author) Commented:
Ok, I got it working.

I did it like this:
//Get password from form
            $myPassword=mysql_real_escape_string($_POST['password']);
            //encrypt it
            $encPass=md5($myPassword);

and then -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='$encPass'";


Not sure why it wasn't working before, but this did work. I did find one place where I had $mypassword instead of $myPassword, but not sure if that was in there before or not.

Anyway, I learned more about md5 and bug tracking. Thanks to everyone for the help!

mh
0
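
The login check discussed in this thread (select the row by email, then compare the hash in PHP), as an added example that is not code from any participant: it uses PDO prepared statements and `password_hash()`/`password_verify()` in place of `mysql_*` escaping and bare `md5()`, and upgrades existing md5 rows on the next successful login. The in-memory SQLite table, the sample account and the `login()` helper are constructed for illustration, and `addslashes()` stands in for `mysql_real_escape_string()`, which needs a live MySQL connection.

```php
<?php
// Added example: constructed schema and sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password VARCHAR(100))');

// Constructed legacy row: md5() of the raw password, as the thread's INSERT stores it.
$ins = $pdo->prepare('INSERT INTO users (email, password) VALUES (?, ?)');
$ins->execute(['user@example.test', md5("o'brien-pass")]);

// Escaping before hashing changes the digest whenever the password contains a
// quote or backslash, so it no longer matches a hash made from the raw value.
var_dump(md5(addslashes("o'brien-pass")) === md5("o'brien-pass"));

// Hypothetical helper: returns the user id on success, false otherwise.
function login(PDO $pdo, $email, $password)
{
    // Placeholders carry the values, so no escaping function is involved.
    $sel = $pdo->prepare('SELECT id, password FROM users WHERE email = ?');
    $sel->execute([$email]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = $row['password'];
    // Legacy rows are exactly 32 hex characters; password_hash() output is not.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))   // hash the raw password, compare in constant time
        : password_verify($password, $stored);
    if (!$ok) {
        return false;
    }
    // Upgrade legacy or outdated hashes while the clear-text password is in hand.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

var_dump(login($pdo, 'user@example.test', "o'brien-pass")); // legacy md5 row, upgraded here
var_dump(login($pdo, 'user@example.test', "o'brien-pass")); // now checked by password_verify()
var_dump(login($pdo, 'user@example.test', 'wrong'));        // rejected
```

With `PASSWORD_DEFAULT` currently producing 60-character bcrypt strings, the thread's `varchar(100)` column holds the upgraded hashes without a schema change.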

Question has a verified solution.
