-1

Am trying to match the hashed password stored in the database with the login post password by using md5 for hashing ,but its always giving me incorrect password even when the hashed password is the exact been entered on the login page,cant seem to find where am going wrong.

This is how am hashing the user password on register page and then stored in the database 

$password = $_POST['password'];
$hash= md5($password);

This is how am trying to verify if the hashed password in the database is matching the login hashed password

    // Escape email to protect against SQL injections
    $email = $mysqli->escape_string($_POST['email']);
    $password =$_POST['password'];
    $hash = md5($password);

    $result = $mysqli->query("SELECT * FROM `Agent` WHERE  `email`='$email'");
    $row = mysql_fetch_row($result);
    $db_hash = $row['password'];
    if( $db_hash !== $hash )
    {
        $_SESSION['message'] = "user with that email doesn't exist!";
        echo"<script>alert('User login credentials are incorrect..!')</script>";

    }
    else
        {

               // User exists
            $_SESSION['email'] = $user['email'];
            $_SESSION['fname'] = $user['fname'];
            $_SESSION['lname'] = $user['lname'];
            $_SESSION['cell'] = $user['cell'];
            $_SESSION['Agency'] = $user['Agency'];

            header("location: Myprofile.php");


        }



    ?>
THE_NEW_AGE_PABLO
  • 3
  • 2
  • Besides MD5 on its own without a salt is a massive security risk (rainbow tables), also you can join the array with AND password=.. (And try to prevent doing select *..).. What happens if you manually verify the hashes, are they really different? also.. what happens if you use != instead of !==... – DevionNL Nov 20 '17 at 10:48
  • Are you sure you get a row from db? – xs0 Nov 20 '17 at 10:52
  • @DevionNL,okay noted, but do you have a script of how to this better the hashing using md5 with a unique salt...? – THE_NEW_AGE_PABLO Nov 20 '17 at 10:53
  • Don't use it tbh.. use password_hash password_verify, both are native functions of PHP and will use BCRYPT and automatically salts the hash. A lot safer and might work out of the box for your problem. – DevionNL Nov 20 '17 at 10:55
  • Change `mysql_fetch_row` - your mixing myqsl and mysqli methods – Nigel Ren Nov 20 '17 at 11:01
  • @xs0 how do i draw the rigth row fro the database – THE_NEW_AGE_PABLO Nov 20 '17 at 11:01
  • @NigelRen oh okay noted, but in mysqli how do i fetch, am just learning mysqli am a newbe. – THE_NEW_AGE_PABLO Nov 20 '17 at 11:03

1 Answers1

-3

This is actual solution ..

// Escape email to protect against SQL injections
$email = $mysqli->escape_string($_POST['email']);
$password =$_POST['password'];
$hash = md5($password);

$result = $mysqli->query("SELECT * FROM Agent WHERE  email='$email' and password='$password'");
$row = mysql_fetch_row($result);
$count = mysqli_num_rows($result);

// If result matched $email and $password, table row must be 1 row

if($count == 1) {
{
    // User exists
    $_SESSION['email'] = $row['email'];
    $_SESSION['fname'] = $row['fname'];
    $_SESSION['lname'] = $row['lname'];
    $_SESSION['cell'] = $row['cell'];
    $_SESSION['Agency'] = $row['Agency'];

    header("location: Myprofile.php");

}
else
{
    $_SESSION['message'] = "user with that email doesn't exist!";
    echo"<script>alert('User login credentials are incorrect..!')</script>";

}

?>
Matiur Rahman Mozumdar
  • 444
  • 1
  • 4
  • 12