Search the Community
Showing results for tags 'md5'.
-
Hello, I have inserted a user into my database table through phpMyAdmin using the predefined MD5 function. (I know md5 is not secure and I should use bcrypt instead, but I don't need that type of security, my only purpose is not to store the passwords in plain text.) Now my problem is that whenever I try to log the user in, I can never read the hashed password back.

This is my code:

The function that is testing for the username and password:

    function login($username, $password) {
        include('core/db/db_connection.php');
        $sql = "SELECT COUNT(user_id) FROM `_users` WHERE username = '$username' AND password = '$password'";
        $query = mysqli_query($dbCon, $sql);
        $user_id = get_user_id($username);
        $username = sanitize($username);
        $password = md5($password); // issue
        return (mysqli_result($query, 0) == 1) ? $user_id : false; // possible issue
    }

The logging processing code:

    if (empty($_POST) === false) {
        $username = $_POST['username'];
        $password = $_POST['password'];
        if (empty($username) === true || empty($password) === true) {
            $errors[] = 'Username and/or password fields must not be left blank';
        } else if (user_exists($username) === false) {
            $errors[] = 'Username does not exist! Please register before logging in.';
        } else if (user_active($username) === false) {
            $errors[] = 'You haven\'t activated your account yet';
        } else {
            $login = login($username, $password);
            if ($login === false) {
                $errors[] = 'Username/password incorrect';
            } else {
                echo 'ok' . '<br/>';
                //set user session
                //redirect user
            }
        }
        print_r($errors);
    }

How can I read the stored MD5 password to allow my registered users access? Many thanks.
-
I'll start by apologizing for the stupid decision that led to this question. A few years ago, I created a PHP/MySQL site with a login system and I created a field in the MySQL called "password" and it stored literally the exact password people entered (I know, I know). The site has proven to have nice traffic potential, so I am going to re-vamp everything, including storing passwords properly (i.e. hashed).

My first question... Is there a way to convert regular text passwords to hashed passwords? For example, I could create a new field in the "User" table for "hashedpassword" and write a script that takes all the insecure passwords and turns them into hashed passwords. Then delete the previous "bad" password field from the database. This would allow me to do it without the customer ever knowing anything changed. Quick googling appears to support that it IS doable rather easily, with something like...

    UPDATE mytable SET password = MD5(password)

If not, I guess I would have to create a thing where the first time someone logged in after I put hashing in place, the site would force them to change their password. I'd rather not annoy the visitors if at all possible.

Second question, what is the proper/recommended hashing method to use? Some people seem to poo-poo MD5. If you agree, should I use:

    MD5
    SHA
    MD5 with a salt
    SHA with a salt
    Something else I never heard of

NOTE: My site is a fantasy sports site, so the data involved is not overly important. Maybe a salt is overkill? Or is being overly safe never a bad thing?

Lastly, don't need to address this, but if anyone can explain it like I'm 5 that would be great because I must be missing something... if you can easily turn a regular password into a hashed password, couldn't hackers easily do the reverse, which would render the hashing almost useless? I get that salting helps, but before salting (i.e. doing ONLY MD5), I don't see how hashing helped that much (if you could reverse figure out the password). What am I missing?

Thanks! Greg
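An added example (not part of Greg's post or of any reply) of the one-off conversion he describes, assuming a constructed in-memory SQLite table named User with the password and hashedpassword columns from the post and made-up sample rows. It swaps MD5 for PHP's password_hash() with bcrypt, which salts each row itself, so the conversion runs in PHP rather than as a single SQL UPDATE.

```php
<?php
// Added example: constructed table and sample rows, not the poster's schema.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE User (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password TEXT, hashedpassword TEXT)');
$ins = $db->prepare('INSERT INTO User (username, password) VALUES (?, ?)');
foreach ([['greg', 'hunter2'], ['ann', 'hunter2'], ['bob', 'letmein']] as $row) {
    $ins->execute($row);   // legacy rows holding plaintext passwords
}

// One-off migration: hash every plaintext value, then blank the old column.
function migrate(PDO $db): int
{
    $rows = $db->query('SELECT id, password FROM User WHERE hashedpassword IS NULL')
               ->fetchAll(PDO::FETCH_ASSOC);
    $upd = $db->prepare('UPDATE User SET hashedpassword = ?, password = NULL WHERE id = ?');
    $db->beginTransaction();
    foreach ($rows as $r) {
        // password_hash() generates a random salt per call and embeds it in the output.
        $upd->execute([password_hash($r['password'], PASSWORD_BCRYPT), $r['id']]);
    }
    $db->commit();
    return count($rows);
    // On the real server, follow up with: ALTER TABLE User DROP COLUMN password
}

// Login check: fetch the stored hash by username, then compare in PHP.
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT hashedpassword FROM User WHERE username = ?');
    $st->execute([$username]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

echo migrate($db), " rows migrated\n";
var_dump(login($db, 'greg', 'hunter2'));   // correct password
var_dump(login($db, 'greg', 'letmein'));   // wrong password
var_dump(login($db, 'nobody', 'hunter2')); // unknown user

// Same password, different stored hashes, because each row has its own salt.
$h = $db->query("SELECT hashedpassword FROM User WHERE username IN ('greg','ann')")
        ->fetchAll(PDO::FETCH_COLUMN);
var_dump($h[0] !== $h[1]);
```

Existing users keep their passwords and see no change at login; only the stored representation differs.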
-
Just want to get clarification on what this does and why you'd want it displayed in email output: .bin2hex(mhash(MHASH_MD5, time())) Thanks
-
Hey All, I have built a website using PHP and MySQL where users have to log in to use the site. I'm now trying to create a page on the site where logged in users can change their password if they need/want to. I thought this would be fairly easy and straightforward but I'm having a ton of issues. I've never been formally trained in PHP and MySQL, I've just picked up stuff along the way throughout the years so when I get into advanced stuff I start to struggle.

I'm using MD5 hashing for the passwords right now. I already know this isn't the most secure method but since I'm familiar with it I'm just going to go with it for now. I'll worry about changing the hashing later.

Anyway, the PHP code lives on the same page as the form. The HTML portion of the form has the following fields:

    Current Password (id="cur_password")
    New Password (id="password1")
    Confirm New Password (id="password2")

Within the script I'm trying to verify that the Current Password and the password in the database match, but because of the MD5 I'm not exactly sure how to do this. Here is what I have so far:

    $sql = "SELECT * FROM users WHERE username='$log_username'";
    $query = mysqli_query($db_conx, $sql);
    while ($row = mysqli_fetch_array($query, MYSQLI_ASSOC)) {
        $username = $row[username];
        $password = $row[password];
    }
    $cur_password=md5($_POST['cur_password']);
    $password1=md5($_POST['password1']);
    $password2=md5($_POST['password2']);
    if (empty ($_POST['cur_password'])){
        echo "Fill out all fields.";
    } else if ($cur_password != $password) {
        echo "There was a problem. Wrong Password.";
    } else if ($passord1 != $password2) {
        echo "Passords don't match.";
    } else {
        $sql = "UPDATE users SET password = MD5('$password1') WHERE username='$log_username' LIMIT 1";
        $query = mysqli_query($db_conx, $sql);
        echo "Success! Password has been changed.";
    }

When I test I keep getting the "Fill out all fields." message even though I submitted the form and none of the fields were blank. If I take the "empty" statement out I just keep getting the "There was a problem. Wrong Password." message which should happen only if the current password typed in and the current password in the database don't match. I know that I'm putting in the correct matching password.

Anyway, any help you could give would be greatly appreciated. Thanks so much.
-
Hello! I've recently been having trouble with my basic membership website. It is currently being tested with MAMP on localhost. So I have two pages, login.php and register.php. My register.php file is working fine. One of the things about my register file is the password, which is the thing I'm having serious trouble with. Here is the register.php code (PHP code only):

    $query = "INSERT INTO users (username,password,email) VALUES ('$username',md5(md5('$password'),'$email')";
    if (!mysql_query($query)){
        die('ERROR: ' . mysql_error . '');
    }
    echo "You have been registered successfully";

As far as I can see, the register.php file successfully inserts the data into my database, since I can see it through phpMyAdmin. Now here's my login.php file.

    <?php
    $checkusername = $_POST['username'];
    $checkpassword = $_POST['password'];
    if (strlen($checkusername) <= 0){
        echo "<p id='error'>You Need to enter a username!</p>";
    }else{
        if (strlen($checkpassword) <= 0){
            echo "<p id='error'>You need to enter a password!</p>";
        }else{
            $query = mysql_query("SELECT * FROM users WHERE username='" . $checkusername ."'");
            if (mysql_num_rows($query) == 1){
                $query = mysql_query("SELECT * FROM users WHERE password='" . md5(md5($checkpassword)) . "'");
                if (mysql_num_rows($query) == 1){
                    echo "Welcome, " . $checkusername . "! You are now logged in!";
                    $_SESSION['user'] = $checkusername;
                    $_SESSION['pass'] = $checkpassword;
                }else{
                    echo "<p id='error'>Wrong Password!</p>";
                }
            }else{
                echo "<p id='error'>Wrong Username!</p>";
            }
        }
    }
    ?>

So, the issue here is when I fill out my PHP login form, I get a wrong password error. At first, I thought that I wasn't properly connecting to my database table, but I got no error. So I then decided to remove all of the md5 encryption. Without the encryption, my password got entered into the database, and the login file worked. So I think that my problem is the md5(). Now, how do I fix it? I'm sorry if it turns out that the issue was some sort of basic mistake. I'm not the most experienced PHP coder.
-
Hello everybody, I have a problem with PHP. Can anyone help me? I don't know how to do encryption in PHP. I try and try again, but I can't. Please help. Thanks in advance.