Can't login with real password in php

Question

I've a registration form as well as login form. I've used md5 encryption in my registration form and it's working fine. But when I'm trying to login with real password like (123) it's not logging me in. On the other hand, when I copy paste that md5 encryption in password field, it's then logging me in. Please help me about this! Thank you!

Here is my coding:

<?php
        if (isset($_POST['submit'])) {

            $user_name = $_POST['username'];
            $user_email = $_POST['email'];
            $user_pass = $_POST['password'];

            $query = "SELECT * FROM users where Email = '" . $_POST["email"] . "'";
            $result = $obj->run_query($query);

            if ($count = mysqli_num_rows($result) == 0) {

                $query = "INSERT INTO users (Name,Email,Pass) VALUES ('$user_name','$user_email', md5('$user_pass'))";
                $result = $obj->run_query($query);

                echo "<script>alert('You have successfully Registered!')</script>";
                echo "<script>window.open('welcome.php','_self')</script>";

            } else {

                echo "<script>alert('This user email $user_email is already exist!')</script>";
            }
        }

    // login script
    if (isset($_POST['login'])) {

        $name = $_POST['name'];
        $email = $_POST['email'];
        $password = $_POST['pass'];

        $query = "SELECT * FROM users WHERE Email = '$email' AND Pass = '$password'";
        $result = $obj->run_query($query);

        if ($count = mysqli_num_rows($result) > 0) {

            $_SESSION['email'] = $email;
            $_SESSION['name'] = $name;

            echo "<script>window.open('welcome.php','_self')</script>";



        }
        else 
        {
            echo "<script>alert('Your email or password is incorrect!')</script>";
        }
    }

?>

`$password = md5($_POST['pass']);` and make sure that password column's length is 32+. However, if this is intended for, or is a live site; *STOP right there*. Edit: and use v_v_v — Funk Forty Niner, Feb 29 '16 at 18:30
`md5` is not an encryption! You should be using `password_hash()` and `password_verify()` or a similar strong method. See [this q&a](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords) for much more information on PHP and passwords — kero, Feb 29 '16 at 18:30
*"On the other hand, when I copy paste that md5 encryption in password field, it's then logging me in."* - As I stated [*up there...*](http://stackoverflow.com/questions/35706844/cant-login-with-real-password-in-php#comment59090355_35706844) and you never inserted it into DB as a hash to start off with. — Funk Forty Niner, Feb 29 '16 at 18:32
You never hashed the password entered into the login form, so you're comparing `hunter42 == md5('hunter42')` which will never be equal. And you are vulnerable to [sql injection attacks](http://bobby-tables.com), so your login system is essentially useless. try `' or 1=1` as your password... — Marc B, Feb 29 '16 at 18:33
SQL Injection and [Little Bobby Tables](http://imgs.xkcd.com/comics/exploits_of_a_mom.png) — zaph, Feb 29 '16 at 18:33
@AishaSalman curious though: You're not "live" with this, are you? or wanting to go live? — Funk Forty Niner, Feb 29 '16 at 18:40
No it's not live yet! actually it's my final year project and I'm a newbie in PHP and MYSQL @Fred-ii- — Aisha Salman, Feb 29 '16 at 18:47
*"not live yet"*. Don't ever go live with this. See the answer I've given you below. — Funk Forty Niner, Feb 29 '16 at 18:47
@AishaSalman I feel that you/your school may also be victims of not being taught what's going on in the "real world" of databases/password storage. I see many questions where people say that the schools don't teach them about security issues. It's really a shame that that is what is happening today, especially in this day and age. Stack is a good place to read up on Q&A's in relation to this. I for one, have learned most of what I know on Stack, including Google/other websites. *Stay safe*, cheers. — Funk Forty Niner, Feb 29 '16 at 19:00
Totally agree with you and yes I also learnt so much from Stack :) @Fred-ii- — Aisha Salman, Feb 29 '16 at 19:03

score 2 · Accepted Answer · edited May 23 '17 at 12:17

As stated: you're comparing plain text from the POST array $password = $_POST['pass']; to the MD5 in your table.

That should read as $password = md5($_POST['pass']);

I also stated that you shouldn't go live with this, "ever". If it is a live site, I suggest you put it on hold until you use a safe hashing function that is of "this century".

MD5 is 30+ years old and is no longer considered safe to use now to hash/store passwords with.

Consult the following:

Passwords

Use one of the following:

CRYPT_BLOWFISH
crypt()
bcrypt()
scrypt()
On OPENWALL
PBKDF2
PBKDF2 on PHP.net
PHP 5.5's password_hash() function.
Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Can't login with real password in php

1 Answers1