[SOLVED] Login hashing

[aashcool198]

I have written a code to register users.It uses md5 before saving the password.

 

$password = MD5($_POST['password']);

 

But when user logs in i need to compare the password in database with password he writes. so i convert the password entered by user in hash

 

$password = md5 ($_POST['password']);

 

 

and now i compare this with passwords in database.

But despite entering the correct password its not logging in.

 

Please help!

 

 

 

 

[iarp]

Wheres the code that does the comparison? Is it using proper number of equal signs(==)... etc.

[aashcool198]

<?php

 

// Open a connection to the DB

$conn = mysql_connect('localhost', 'root', '') or die(mysql_error());

mysql_select_db('Sumeru Skills', $conn);

 

// Start the session (DON'T FORGET!!)

session_start();

 

// Check if user wants to login (GET info)

if(isset($_GET['try'])) {

 

// That's nice, user wants to login. But lets check if user has filled in all information

If(empty($_POST['username']) OR empty($_POST['password'])) {

 

// User hasn't filled it all in!

echo 'Please fill in all the required fields!';

 

} else {

 

// User filled it all in!

 

// Make variables save with addslashes and md5

$username = $_POST['username'];

$password = md5 ($_POST['password']);

 

// Search for a combination

$query = mysql_query("SELECT login_id FROM login

  WHERE username = '" . $username . "'

  AND password = '" . $password . "'

  ") or die(mysql_error());

 

// Save result

list($user_id) = mysql_fetch_array($query);

 

// If the user_id is empty no combination was found

if(empty($user_id)) {

 

echo 'No combination of username and password found.';

 

} else {

 

// the user_id variable doesn't seem to be empty, so a combination was found!

 

// Create new session, store the user id

$_SESSION['user_id'] = $user_id;

 

// Redirect to userpanel.php

header('location: userpanel.php');

 

}

 

}

 

}

 

?>

<form action="login.php?try=true" method="post">

 

Username: <input type="text" name="username"><br>

<br>

Password: <input type="password" name="password"><br>

<br>

<input type="submit" value="Login!">

 

</form>

 

 

[iarp]

Made a few changes, quick edits as its late and i'm heading to bed. It may or may not work as i can't test it.

 

Changed AND from the query to && and added brackets around both WHERE clauses

removed a space between md5 and (

 

<?php

// Open a connection to the DB
$conn = mysql_connect('localhost', 'root', '') or die(mysql_error());
mysql_select_db('Sumeru Skills', $conn);

// Start the session (DON'T FORGET!!)
session_start();

// Check if user wants to login (GET info)
if(isset($_GET['try'])) {

   // That's nice, user wants to login. But lets check if user has filled in all information
   if(empty($_POST['username']) || empty($_POST['password'])) {
   
      // User hasn't filled it all in!
      echo 'Please fill in all the required fields!';
   
   } else {

      // User filled it all in!

      // Make variables save with addslashes and md5
      $username = $_POST['username'];
      $password = md5($_POST['password']);

      // Search for a combination
      $query = mysql_query("SELECT login_id FROM login
                  WHERE (username = '" . $username . "' && password = '" . $password . "')
                 ") or die(mysql_error());

      // Save result
      list($user_id) = mysql_fetch_array($query);

      // If the user_id is empty no combination was found
      if(empty($user_id)) {

         echo 'No combination of username and password found.';

      } else {
      
         // the user_id variable doesn't seem to be empty, so a combination was found!

         // Create new session, store the user id
         $_SESSION['user_id'] = $user_id;

         // Redirect to userpanel.php
         header('location: userpanel.php');
      }      
   }
}

?>
<form action="login.php?try=true" method="post">

Username: <input type="text" name="username"><br>
<br>
Password: <input type="password" name="password"><br>
<br>
<input type="submit" value="Login!">

</form>

[PFMaBiSmAd]

When a comparison fails, please examine the values being compared to find out why. What is in your database and what is the result of echoing $_POST['username'] and md5($_POST['password']) in the code.

[aashcool198]

49f68a5c84  is the registered password..

 

but at the time of login the password was 49f68a5c8493ec2c0bf489821c21fc3b

 

if you see arefully the first digits a maching.. from where came the extra digits.

[PFMaBiSmAd]

What makes you think they are extra -

Return Values

Returns the hash as a 32-character hexadecimal number.

 

[aashcool198]

please tell me how should i store password during registration and how should i match it during login?

[iarp]

make sure the password column is something like varchar(32). Currently the column looks to only be storing up to 10 characters and not 32.

[aashcool198]

thanks a lot!

 

That was it!