
Using MD5


joesaddigh


Hi,

 

I am trying to use MD5 to encrypt my passwords in the database. This works fine in the sense that the passwords are stored encrypted and inserted encrypted. However, when I send an email to the user's email address with the password in it, even though I specify that it should use MD5 in order to de-crypt it before sending it, the user receives the encrypted version, which they cannot log in with.

 

My code is below

 

<?php

//Get the details based on the course id
$querycourse="SELECT * FROM course WHERE CourseId =" . $courseid;
$resultcourse=mysql_query($querycourse) 
	or die("Error getting course details");
$row = mysql_fetch_assoc($resultcourse);
$coursetitle = $row['CourseTitle']; 
$courselevel = $row['CourseLevel']; 

//Get the details based on the course id
$query="SELECT * FROM student WHERE StudentID =" . $studentid;
$result=mysql_query($query) 
	or die("Error getting student details");
$row = mysql_fetch_assoc($result);
$studentemail = $row['StudentEmailAddress']; 
//$studentpassword = $row['StudentPassword']; 
$studentpassword = $row[MD5('StudentPassword')]; 

//MD5('".$password."')


$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
$headers .= 'From: info@cisschool.co.uk' . "\r\n";


   echo $body = 'We have received payment of £' . $amountpaid . '. Your enrolment is now complete for Course Title: ' . $coursetitle . ' Level: ' . $courselevel . ' Date:' . $startdate . '-' . $enddate . ' Your username is ' . $studentemail . ' and password: ' . $studentpassword;  
   
if (mail($studentemail,"Enrolment Complete", $body,$headers))
{
		//echo("<p>Message successfully sent!</p>");
}
else
{
		echo("<p>Message delivery failed...</p>");
}
?>

 

I'm not sure if I am doing it in the correct place or even have the right syntax. It does not error but does not de-crypt the password.

 

 

Should I be trying to de-crypt it at the point of retrieving from the database? That is what I am currently doing.

 

$studentpassword = $row[MD5('StudentPassword')];

 

Any help would be really appreciated

 

Thanks

Link to comment
Share on other sites

You don't decrypt MD5; it's a one-way hash, that's the point of it.

 

If you must send them the password in an email, use the password before it's been hashed?

 

If they have forgotten their password, reset it to something random, and send them that. Then allow them to change their password later.

Link to comment
Share on other sites

That is not really possible in my situation as the password is sent a lot later than the student enrols, so storing it would be a problem. Even if I set the password to something like 'password' and then try and log in, this does not work. I'm not sure why. My login script is below; if you could see if everything seems ok that would be really helpful.

 

<?php
session_start();

//Use the connect script to connect to CIS School database
require "connectstudent.php";

//Use the student data to connect to the database
$dbuser = $_POST["user"];
$dbpass = $_POST["password"];
$dbhost = 'localhost';
$dbname = 'CISSchool';		
//Build the query checking the username and password entered is correct
$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = md5('".$dbpass."')";
//$query = "select * from MEMBER where USERNAME ='".$username."' and PASSWORD=md5('".$password."')";
//$query = "select * from MEMBER where USERNAME ='".$username."' and PASSWORD=md5('".$dbpass."')";
$result = mysql_query($query, $conn)
	or die ("Unable to perform query. <br/> $query <br/>"  . mysql_error());

//Retrieve the data that is stored in the array
$row= mysql_fetch_array($result);

//If there is a match then take them to the student page
if ($row != null)
{	
	$_SESSION["user"] = $row['StudentUsername'];
	$_SESSION["name"] = $row['StudentFirstName'] .' ' .  $row['StudentSurname'];
	header("Location: Student/studenthome.php");
	exit();
}
//Else display error message and navigate to homepage
else 
{	
	//Pass this message to the index screen to let the user know they have incorrect login details
	$message = 'Invalid user name or password, please try again';
	header("Location: index.php?message=" . urlencode($message));
	exit();		
}
?>

 

 

Thanks

Link to comment
Share on other sites

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = md5('".$dbpass."')";

 

There is your problem.

 

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass.)."'";

Link to comment
Share on other sites

Thank you but this gives a parse error

 

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass.)."'";


//I CHANGED THE ABOVE TO

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'";

//This got rid of the parse error but still did not work??


 

 

Sorry but I really don't understand the problem.

:)

Link to comment
Share on other sites

Sorry about the extra period.  I was moving too fast.

 

The difference is that your query would have said:

$query = "select * from student where StudentUsername ='John' and StudentPassword = LONGSTRINGOFCHARACTERS";

 

MD5 returns an alphanumeric string that must be surrounded in quotes, just like the username.

 

What isn't working?

Link to comment
Share on other sites

No worries

 

When I put in the password that I have hardcoded for the point of this to 'joe'. When this password is entered it is not recognising that this is the correct password; it is like it is not decrypting it correctly. Even if I put the encrypted password in it does not work. I know that this shouldn't work but it proves that the logincheck is decrypting it??

 

 

 

Link to comment
Share on other sites

You cannot DECRYPT the value in your login script.  Here's how it works.

 

1) User provides password. 

2) You insert the plain text password into database but you md5 it first:

 

INSERT INTO Student (StudentUsername, StudentPassword) VALUES ('$user', '".md5($password)."')

 

3) User tries to login with their plain text password:

 

$query = "select * from student where StudentUsername ='".$dbuser."' and StudentPassword = '".md5($dbpass)."'";

 

So once again, it is taking the plain text password and running md5 against it to compare it to the md5 value in the database.

 

md5 = md5 is the comparison.

 

Also, make sure that the password field can hold an md5 length value (32 characters).

Link to comment
Share on other sites

No worries

 

When I put in the password that I have hardcoded for the point of this to 'joe'. When this password is entered it is not recognising that this is the correct password; it is like it is not decrypting it correctly. Even if I put the encrypted password in it does not work. I know that this shouldn't work but it proves that the logincheck is decrypting it??

k, lose the 'decrypting' aspect as that's not what's happening.

 

the logic behind what you are trying to accomplish is as follows .. upon creating a user, a password is also created and encrypted (in your case using md5()), and is then stored in the db never to be decrypted.  then, anytime the user tries to login, before the passwords (what the user is entering and what is stored in the db) are compared, the user's entered password is then encrypted using the same encryption method as was put into action upon creation of the account (md5() in your case) .. then the two password hashes are compared.

 

it makes things much easier to problem solve when you understand what is actually happening.

Link to comment
Share on other sites
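
Added example, not code from the thread: the store, compare and reset flow described in the replies above, written with PHP's password_hash()/password_verify() in place of md5() and PDO prepared statements in place of string-built queries. The table and column names are the thread's; the in-memory SQLite database (pdo_sqlite extension) and the sample account are constructed for the demo.

```php
<?php
// Added example: hash on store, hash-and-compare on login, reset when forgotten.
// Constructed demo database so the script runs without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (StudentUsername TEXT PRIMARY KEY, StudentPassword TEXT)');

// Store: hash once when the password is set; the plain text is never saved.
function setPassword(PDO $pdo, string $user, string $plain): void
{
    // Salted hash; the column must be wider than the 32 characters MD5 needs.
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'REPLACE INTO student (StudentUsername, StudentPassword) VALUES (?, ?)'
    );
    $stmt->execute([$user, $hash]);
}

// Login: fetch the stored hash by username, then hash the submitted password
// and compare. Nothing is decrypted at any point.
function checkLogin(PDO $pdo, string $user, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT StudentPassword FROM student WHERE StudentUsername = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return $hash !== false && password_verify($plain, $hash);
}

// Forgotten password: the old value cannot be recovered from its hash, so
// generate a random replacement, store its hash, and return it for emailing.
function resetPassword(PDO $pdo, string $user): string
{
    $temp = bin2hex(random_bytes(8));      // 16 hex characters from the CSPRNG
    setPassword($pdo, $user, $temp);
    return $temp;
}

// Constructed account and password, matching the 'joe' test from the thread.
setPassword($pdo, 'joe@example.com', 'joe');
var_dump(checkLogin($pdo, 'joe@example.com', 'joe'));   // submitted password matches
var_dump(checkLogin($pdo, 'joe@example.com', 'Joe'));   // different input, different hash

$temp = resetPassword($pdo, 'joe@example.com');
var_dump(checkLogin($pdo, 'joe@example.com', 'joe'));   // old password after reset
var_dump(checkLogin($pdo, 'joe@example.com', $temp));   // emailed replacement
```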
