1

I've recently started making a login / register system using MySQL and PHP, but I have come across a problem: I have hashed the password on register, but when it comes to logging in, it won't work and says incorrect password.

http://snap.binarypaw.com/gc53h3w0.png <-- Register Code

http://snap.binarypaw.com/1qhsyeyw.png <-- Login Code

If anyone has any answers I will be more than delighted.

Edit

The links on this domain are now dead. I apologise for any inconvenience.

Mathew Berry
  • 4
    Please post your code here, not in some image hosting thing. If you don't know how to format it, just paste it in and someone will edit your question. – Mike Aug 02 '13 at 18:53
  • We have answers, but you have to specify the question first. – dev-null-dweller Aug 02 '13 at 18:55
  • 2
    I disagree with all the answers. `md5` is not suitable for passwords under any circumstances. I don't care what the original code said. Everyone gets a down vote. – Mike Aug 02 '13 at 18:58
  • @Mike you do realise he's also using mysql_*. – Ben Fortune Aug 02 '13 at 19:02
  • @BenFortune actually no. I asked OP to paste the code here. Still waiting for that... – Mike Aug 02 '13 at 19:02

5 Answers

4

In your login code, you need to compare the MD5 hashed version of the entered password with the MD5 hashed version you are storing. If the hashes match, the password matches.

The simplest way to achieve this would be to hash the entered password just before comparing it in the exact same way as you are in the register code:

    $query = "SELECT user,pass FROM members WHERE user='$user' AND pass='".md5($pass)."'";

Edit: bear in mind this answers your question directly. However, Mike makes a very valid point in his comment above. MD5 is not a good choice for password hashing as it is weak. In addition, you're not salting your hashes. Making both of these changes would be highly recommended to help secure your users. Some of the related questions on the right, such as this one, would be worth a look to get started.

Mark Embling
3

The other answers have provided direct solutions to your particular problem, but I'll elaborate a little more on the security behind your code - just for your and others' reference. Feel free to add onto this or correct me as necessary.

Storing passwords in md5 is a no-no. This is because the md5 hashing algorithm can be brute-forced easily/quickly. Also, you use mysql_ functions, which are deprecated. You should be using PDO (or alternatively mysqli_ functions). Luckily, you sanitize your data - however, these functions are no longer maintained, so I would recommend switching.

This is a great tutorial on creating a basic log in system with PDO and a SALT. I highly recommend you review it and re-implement your login system with a method like this for a couple reasons:

In general, if you have the opportunity to add more security to your system without unreasonably inconveniencing your users (like storing SALTs and using strong hashing algorithms), take the opportunity ahead of time to reduce the headache you'll face in the future.

Hope this helps!

Mattiavelli
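An added example (not code from the thread or its authors) of the approach the answer above recommends: PDO prepared statements with PHP's `password_hash()` / `password_verify()`, plus replacing rows left over from `md5()` at the next successful login. The `members`, `user` and `pass` names come from the query quoted in the answers; the in-memory SQLite database, the function names and the sample accounts are assumptions.

```php
<?php
// Added example, not code from the thread. members/user/pass come from the query
// quoted in the answers; the in-memory SQLite database, function names and sample
// accounts are assumptions so the script runs stand-alone (PHP 7.1+, pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

function register(PDO $db, string $user, string $pass): void
{
    // password_hash() generates a random salt and embeds it in the returned string.
    $stmt = $db->prepare('INSERT INTO members (user, pass) VALUES (?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $user, string $pass): bool
{
    // Look the row up by user name only: a salted hash differs on every call,
    // so it cannot be recomputed and matched inside the WHERE clause.
    $stmt = $db->prepare('SELECT pass FROM members WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    $isLegacyMd5 = preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($pass))   // old unsalted row, checked one last time
        : password_verify($pass, $stored);
    if ($ok && ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        // Replace the weak hash while the plaintext is available.
        $upd = $db->prepare('UPDATE members SET pass = ? WHERE user = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    }
    return $ok;
}

// Constructed sample data: one new account, one row left over from the md5() scheme.
register($db, 'alice', 'correct horse');
$db->prepare('INSERT INTO members VALUES (?, ?)')->execute(['bob', md5('hunter2')]);

var_dump(login($db, 'alice', 'correct horse')); // row created by register()
var_dump(login($db, 'alice', 'wrong'));         // wrong password for the same row
var_dump(login($db, 'bob', 'hunter2'));         // legacy md5 row, rehashed on success
var_dump(login($db, 'bob', 'hunter2'));         // same row, now checked by password_verify()
```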
2

Hash your password in your where clause.

    WHERE user ='$user' and pass=md5('$pass')

Make sure $user and $pass are appropriately sanitized prior to building your query string.

As Mike pointed out in the comments, md5 is a weak choice for hashing your passwords.

Alternative hashing algorithms can be found here: https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html

Orangepill
1
    $pass = md5($pass);

Also don't use mysql_*, as it is deprecated.

Ben Fortune
0

In your login code you need to hash the input before you query the database. Insert the line:

    $pass = md5($pass);

Before the $query = line.

Michael Banzon