
Unable to login with password, have to copy md5 encrypted to login


WilliamNova


Still having some issues on my scripts. This time when I register a new user, which works fine, then I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works.

 

I do have my script using md5 to encrypt the passwords the user sends to the database. I'm also salting for further security.

<?php
error_reporting(E_ALL);

$error = "";
// Only process the form when the register button was submitted.
if (isset($_POST['register'])) {
    $date = date("Y-m-d");
    // Escape every value that ends up inside a query string below
    // (requires the mysql connection to be open already).
    $firstname = mysql_real_escape_string($_POST['firstname']);
    $lastname = mysql_real_escape_string($_POST['lastname']);
    $username = mysql_real_escape_string(strip_tags($_POST['username']));
    $email = mysql_real_escape_string(strip_tags($_POST['email']));
    // Passwords are only ever stored as a hex hash, so they are not escaped.
    $password1 = strip_tags($_POST['password']);
    $password2 = strip_tags($_POST['passwordrepeat']);

    $day = mysql_real_escape_string(strip_tags($_POST['day']));
    $month = mysql_real_escape_string(strip_tags($_POST['month']));
    $year = mysql_real_escape_string(strip_tags($_POST['year']));
    $dob = "$day/$month/$year";

    // Required-field validation; the first empty field sets $error.
    if ($firstname == "") {
        $error = "First Name cannot be left blank.";
    }
    else if ($lastname == "") {
        $error = "Last Name cannot be left blank.";
    }
    else if ($username == "") {
        $error = "Username cannot be left blank.";
    }
    else if ($email == "") {
        $error = "Email cannot be left blank.";
    }
    else if ($password1 == "") {
        $error = "Password cannot be left blank.";
    }
    else if ($password2 == "") {
        $error = "Repeat Password cannot be left blank.";
    }
    else if ($day == "") {
        $error = "The day of your birthday cannot be left blank.";
    }
    else if ($month == "") {
        $error = "The month of your birthday cannot be left blank.";
    }
    else if ($year == "") {
        $error = "The year of your birthday cannot be left blank.";
    }

    // Only touch the database when the validation above passed.
    if ($error == "") {
        // Check for username existence.
        $check_username = mysql_query("SELECT username FROM users WHERE username='$username'");
        $numrows_username = mysql_num_rows($check_username);
        if ($numrows_username != 0) {
            $error = 'That Username is already taken.';
        }
        else
        {
            // Check for email existence.
            $check_email = mysql_query("SELECT email FROM users WHERE email='$email'");
            $numrows_email = mysql_num_rows($check_email);
            if ($numrows_email != 0) {
                $error = 'That Email is already registered.';
            }
            else
            {
                // Static salts, identical for every user. The login script
                // has to repeat exactly these steps on the submitted password.
                $salt1 = "great";
                $salt1 = md5($salt1);
                $salt2 = "white";
                $salt2 = md5($salt2);
                $salt3 = "void";
                $salt3 = md5($salt3);
                $password1 = $salt1.$password1.$salt3;
                $password1 = md5($password1.$salt2);
                $password2 = $salt1.$password2.$salt3;
                $password2 = md5($password2.$salt2);

                // Both entries are compared after hashing.
                if ($password1 != $password2) {
                    $error = 'The Passwords do not match.';
                }
                else
                {
                    // Register the user
                    $register = mysql_query("INSERT INTO users VALUES('','$firstname','$lastname','$username','$email','$password1','$dob','$date','no','')");
                    if (!$register) {
                        die(mysql_error());
                    }
                    die("<h2>Success!</h2>");
                }
            }
        }
    }
}
?>

There's one thing about your code that is strange: why do you compare the repeated password after hashing both? If you compare them before, you save your server some work.

 

And there's the login logic missing here to tell you why it is not working.


Is there a reason you're rolling your own password algorithm with md5? It's insecure. Why not use password_compat? Easy and secure. And forward-compatible.

 

or crypt(), works just fine.

 

Actually on topic though, as mac gyver said your login logic (hashing) should be EXACTLY the same hashing you use for registering.

 

This:

This time when I register a new user, which works fine, then I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works.

makes me believe your login logic isn't hashing at all.


I'm using md5 only because I'm new to this. I simply googled "how to encrypt passwords" and found a website tutorial pertaining to that. I know md5 isn't very secure, it was only for learning and I do plan on getting something better. But for now it will do since my website isn't even online and there's one user (me).

 

The login logic makes sense since I scripted the encryption after both scripts were made and only modified the signin script.

 

But I'll definitely look into crypt() and password_compat


I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works.

 

 

This only is a dead giveaway, without even looking at your code, that you are not comparing the input password with the database stored password correctly.

 

You say that in order to login successfully you have to use the HASHED (not encrypted) password stored in the database.  That can only mean that you are not hashing the input password before making the comparison.

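The diagnosis in the replies above (the login compares the raw input against the stored hash) and the suggestion to use password_compat, shown side by side as an added example that is not code from any poster in this thread. It assumes PHP 7 or later, where password_hash() and password_verify() are built in (password_compat supplies the same functions on older versions); the in-memory $users array, the function names, and the sample username and password are constructed, and login_unhashed() is an assumed shape of the login script, which was never posted.

```php
<?php
// Added example: a constructed in-memory "users table" stands in for the database.
$users = [];

// Registration: compare the two plaintext entries first, then hash once.
function register_user(array &$users, string $username, string $pw, string $pwRepeat): bool
{
    if ($pw === '' || $pw !== $pwRepeat || isset($users[$username])) {
        return false;
    }
    // password_hash() generates a random per-user salt and embeds it in the result.
    $users[$username] = password_hash($pw, PASSWORD_DEFAULT);
    return true;
}

// Assumed shape of the broken login: the submitted value is compared to the
// stored hash without being hashed first.
function login_unhashed(array $users, string $username, string $input): bool
{
    return isset($users[$username]) && $input === $users[$username];
}

// Corrected login: password_verify() re-derives the hash from the input using
// the salt and cost embedded in the stored value, and compares in constant time.
function login_verified(array &$users, string $username, string $input): bool
{
    if (!isset($users[$username]) || !password_verify($input, $users[$username])) {
        return false;
    }
    // Upgrade the stored hash when the default algorithm or cost has changed.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($input, PASSWORD_DEFAULT);
    }
    return true;
}

register_user($users, 'william', 'correct horse', 'correct horse');
$stored = $users['william']; // what a copy and paste from the database column yields

var_dump(login_unhashed($users, 'william', 'correct horse')); // the real password
var_dump(login_unhashed($users, 'william', $stored));          // the pasted hash
var_dump(login_verified($users, 'william', 'correct horse')); // the real password
var_dump(login_verified($users, 'william', $stored));          // the pasted hash
```

With the unhashed comparison only the pasted hash logs in, which is the behaviour described in the first post; with password_verify() only the real password does.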
