WilliamNova Posted June 26, 2013 Share Posted June 26, 2013 (edited) Still having some issues on my scripts. This time when I register a new user, which works fine, then I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works. I do have my script using md5 to encrypt the passwords the user sends to the database. I'm also salting for further security. <?php error_reporting(E_ALL); $error = ""; if ($_POST['register']) { $date = date("Y,-m-d"); $firstname = $_POST['firstname']; $lastname = $_POST['lastname']; $username = strip_tags($_POST['username']); $email = strip_tags($_POST['email']); $password1 = strip_tags($_POST['password']); $password2 = strip_tags($_POST['passwordrepeat']); $day = strip_tags($_POST['day']); $month = strip_tags($_POST['month']); $year = strip_tags($_POST['year']); $dob = "$day/$month/$year"; if ($firstname == "") { $error = "First Name cannot be left blank."; } else if ($lastname == "") { $error = "Last Name cannot be left blank."; } else if ($username == "") { $error = "Username cannot be left blank."; } else if ($email == "") { $error = "Email cannot be left blank."; } else if ($password1 == "") { $error = "Password cannot be left blank."; } else if ($password2 == "") { $error = "Repeat Password cannot be left blank."; } else if ($day == "") { $error = "The day of your birthday cannot be left blank."; } else if ($month == "") { $error = "the month of your birthday cannot be left blank."; } else if ($year == "") { $error = "The year of your birthday cannot be left blank."; } // Check for username existence. $check_username = mysql_query("SELECT username FROM users WHERE username='$username'"); $numrows_username = mysql_num_rows($check_username); if ($numrows_username != 0) { $error = 'That Username is already taken.'; } else { $check_email = mysql_query("SELECT email FROM users WHERE email='$email'"); $numrows_email = mysql_num_rows($check_email); if ($numrows_email != 0) { $error = 'That Email is already registered.'; } else { $salt1 = "great"; $salt1 = md5($salt1); $salt2 = "white"; $salt2 = md5($salt2); $salt3 = "void"; $salt3 = md5($salt3); $password1 = $salt1.$password1.$salt3; $password1 = md5($password1.$salt2); $password2 = $salt1.$password2.$salt3; $password2 = md5($password2.$salt2); if ($password1 != $password2) { $error = 'The Passwords do not match.'; } else { // Register the user $register = mysql_query("INSERT INTO users VALUES('','$firstname','$lastname','$username','$email','$password1','$dob','$date','no','')"); if(!$register){ die(mysql_error());} die("<h2>Success!</h2>"); } } } } ?> Edited June 26, 2013 by WilliamNova Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/ Share on other sites More sharing options...
mac_gyver Posted June 26, 2013 Share Posted June 26, 2013 you must use the same exact processing on the password in your login code that you used in the registration code. how else could you possibly compare the stored hash of the password in the database table with the hash of the password that was entered during log in. Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1437917 Share on other sites More sharing options...
Csharp Posted June 26, 2013 Share Posted June 26, 2013 There's one thing about your code that is strange, why do you compare the repeated password after hashing both? If you compare them before you save your server some work. And there's the login logic missing here to tell you why it is not working. Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1437924 Share on other sites More sharing options...
boompa Posted June 26, 2013 Share Posted June 26, 2013 Is there a reason you're rolling your own password algorithm with md5? It's insecure. Why not use password_compat? Easy and secure. And forward-compatible. Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1437938 Share on other sites More sharing options...
DaveyK Posted June 26, 2013 Share Posted June 26, 2013 Is there a reason you're rolling your own password algorithm with md5? It's insecure. Why not use password_compat? Easy and secure. And forward-compatible. or crypt(), works just fine. Actually on topic though, as mac gyver said your login logic (hashing) should be EXACTLY the same hashing you use for registering. This: This time when I register a new user, which works fine, then I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works. makes me believe your login logic isnt hashing at all. Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1437947 Share on other sites More sharing options...
WilliamNova Posted June 27, 2013 Author Share Posted June 27, 2013 I'm using md5 only because I'm new to this. I simply googled "how to encrypt passwords" and found a website tutorial pertaining to that. I know md5 isn't very secure, it was only for learning and I do plan on getting something better. But for now it will do since my website isn't even online and there's one user (me). The login logic makes sense since I scripted the encryption after both scripts were made and only modified the signin script. But I'll definitely look into crypt() and password_compat Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1438129 Share on other sites More sharing options...
Zane Posted June 27, 2013 Share Posted June 27, 2013 I attempt to login into that user on the webpage, it doesn't go through, but if I go into my database and copy the column with the password that's been encrypted and paste it into the password field on the webpage, it works. This only is a dead giveaway, without even looking at your code, that you are not comparing the input password with the database stored password correctly. You say that in order to login successfully you have to use the HASHED (not encrypted) password stored in the database. That can only mean that you are not hashing the input password before making the comparison. Quote Link to comment https://forums.phpfreaks.com/topic/279584-unable-to-login-with-password-have-to-copy-md5-encrypted-to-login/#findComment-1438130 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.