Solved

Need help with logging in using md5, php.

Posted on 2012-03-11
11
390 Views
Last Modified: 2012-06-27
So the passwords were stored in clear text. I got the passwords hashed using md5. I even got the code working to insert into the database.

Now, I can't login. Here's what the old code looked like:
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";

Open in new window


I've tried everything I can think of an can't get it to work. I've put the md5 in front of the $Post, in front of the escape, even tried just deleting the escape to see if I could get it to work, but no luck.

Can anyone help me figure this out?

Thanks,
MHenry
0
Comment
Question by:MHenry
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
  • 2
  • +2
11 Comments
 
LVL 36

Expert Comment

by:Loganathan Natarajan
ID: 37708354
try to change "password" field 'usr_password'
0
 
LVL 24

Expert Comment

by:johanntagle
ID: 37708480
AND password=md5('".mysql_real_escape_string($_POST['password'])."')
0
 
LVL 7

Author Comment

by:MHenry
ID: 37709986
Neither of those suggestions worked.

johanntagle, if I enter it your way it gives a syntax error. But trying the md5 outside was one of the few things I hadn't tried.

On a side note, any chance it could be that there's only one = sign?

Thanks,
mh
0
PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

 
LVL 34

Accepted Solution

by:
Slick812 earned 168 total points
ID: 37710995
Using the exact same methods (step by step) for the setting (update) of "password" and comparing of passwords usually works, can you show the php code you used to SET (update) the Passwords?
0
 
LVL 7

Author Comment

by:MHenry
ID: 37711742
Slick812,

It's a long insert but the important bits are:
$AddUserQry="INSERT INTO users SET ...
... password='".addslashes(md5($_POST['password']))."',


mh
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 166 total points
ID: 37712312
Please post the CREATE TABLE statement for the users table.  

Please post the form that is used to login  so we can see how the password input control is defined.

Do you still have the original clear-text passwords in the table (I hope so)?

Do you have backups of the table that date from before the table was altered?

Some things to check... When you altered the table to add the hashed password column did you use the md5() of the existing password from the table?  Did you make the hashed password column VARCHAR(32)?
0
 
LVL 24

Assisted Solution

by:johanntagle
johanntagle earned 166 total points
ID: 37712345
Good call on checking the column size, Ray.  Because calling md5 for the password check the way it was called for password set should have worked.
0
 
LVL 34

Expert Comment

by:Slick812
ID: 37712541
@ MHenry, , you use the PHP function -
md5(  );
to HASH the $__POST  value that the user entered as password

I can not see any use for you have the php function -  addslashes( ), I hope you know that the md5(  )  function returns a string 32 characters long with a restricted SET of just 16 characters as a HEX output -

0123456789abcdef

so I see no need for the  addslashes( ) function. An besides , if it is for MySQL security concerns, there is a MySQL function that is much better for that.

What I do many times, is NOT to use a select like yours -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";


$SelUserQry   = 'SELECT password FROM users WHERE email = "'.mysql_real_escape_string($_POST['email']).'"' AND name ='".mysql_real_escape_string($_POST['name'])."'";

and then If it returns ONE ROW test the password
if ($row['password'] == md5($_POST['password'])
    {
    echo 'Success,  you is Loged';
    }

This is untested code, and may have errors for the '  and  "  especially in the Query String. BUt My point is to  select Out the password for a user name (or email) and then md5( ) the POST password and compare to see if equal.  Of course There are other ways to get this done in programming, but this seems like a straight forward way to do it. as questions if you need more.
0
 
LVL 7

Author Comment

by:MHenry
ID: 37712962
Ray_Paseur,

Ok, I'll answer what I can...

No idea where the create code is for users. I think it's all just inserted into the database?
Yes, I kept the old password column.
Yes, I made a backup of the database prior to playing in it.
(although I don't think this info is necessary to solve the problem.  Just an ID10T test I guess. Hope I passed!) ;)

I made the new hash column match what was setup in the db for the original password:
varchar(100), null=N

I also verified that if I copy the value from the database and used it as the login, every thing works fine.

And I tested the value from the database with a reverse md5 lookup and verified it is the text I thought it was.

For testing, I registered as a new user with the new registration form, I did not use an existing account. I just inserted the md5 password into the existing password field.

Code for the form:
<form name="register" id="register" enctype="multipart/form-data" method="post" action="login.php">
							<table width="100%" border="0" cellspacing="0" cellpadding="0">
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <? if($Message!=""){?>
							  <tr>
								<td align="left" class="arial_11_red"><?=$Message?></td>
							  </tr>
							  <? } ?>
							  <tr>
								<td height="18" valign="bottom"><strong>Email Address:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="email" type="text" class="box" id="email" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="18" valign="bottom"><strong>Password:</strong></td>
							  </tr>
							  <tr>
								<td><table width="240" border="0" align="left" cellpadding="0" cellspacing="0">
								  <tr>
									<td width="8" align="left"><img src="images/box_left.jpg" width="8" height="20" /></td>
									<td width="219" align="left" valign="top"><input name="password" type="password" class="box" id="password" style="padding-top:7px;" /></td>
									<td width="11" align="left"><img src="images/box_right.jpg" width="3" height="20" /></td>
								  </tr>
								</table></td>
							  </tr>
							  <tr>
								<td height="12"><a href="forgotpass.php" class="page-link">Forgot your password? <font color="red">Click here!</font></a></td>
							  </tr>
							  <tr>
								<td>&nbsp;</td>
							  </tr>
							  <tr>
								<td align="left">
                                <input name="login" type="submit" id="login" value="Login" onClick="return valid();">
                                <? if($break == 1) { echo "<br /><br />"; } ?>
								</td>
							  </tr>
							</table>
						<input type="hidden" name="HidSubmiLogin" id="HidSubmiLogin" value="0"></form>	

Open in new window

0
 
LVL 7

Author Comment

by:MHenry
ID: 37712967
Slick812,

I took your advice and changed the addslashes bit. And I agree that your way is probably better, I'd like to just try to get this working before I start changing stuff.

I'm confused enough as it is right now.

Best,
mh
0
 
LVL 7

Author Comment

by:MHenry
ID: 37713078
Ok, I got it working.

I did it like this:
//Get password from form
            $myPassword=mysql_real_escape_string($_POST['password']);
            //encrypt it
            $encPass=md5($myPassword);

and then -
$SelUserQry   = "SELECT email, password, id, codematched, promo_code FROM users WHERE email='".mysql_real_escape_string($_POST['email'])."' AND password='$encPass'";


Not sure why it wasn't working before, but this did work. I did find one place where I had $mypassword instead of $myPassword, but not sure if that was in there before or not.

Anyway, I learned more about md5 and bug tracking. Thanks to everyone for the help!

mh
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Does the idea of dealing with bits scare or confuse you? Does it seem like a waste of time in an age where we all have terabytes of storage? If so, you're missing out on one of the core tools in every professional programmer's toolbox. Learn how to …
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question