Tom8001 Posted November 29, 2014 Share Posted November 29, 2014 (edited) This is my code it's not working. $username = $_POST['username']; $password = $_POST['password']; $encrypt_password = md5($password); $email = $_POST['email']; $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'"; //--> Below is the INSERT Code $query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$encrypt_password', '$email')"; $result = mysql_query($query); if($result == 1) { print("Thank you, your accout has been created!"); } Can anyone tell me why the md5() function is not working? Edited November 29, 2014 by Tom8001 Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/ Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 It inserts the md5 into the password field in the database but it wont work when logging in. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1497976 Share on other sites More sharing options...
Frank_b Posted November 29, 2014 Share Posted November 29, 2014 Okay i do only see a part of a user registration process and not of a login . Â Your code is not secured for sql injection. (google it) Â if a user wants to log in he will enter his username and password into a login form. When the form has been sent your php script have to compare username and password to the usernames and password available into the database. Â In the database are only encrypted passwords. so you need to compare an encrypted password to another encrypted password or they will never be equal. THerefore you have to encrypt the password that has been sent through the form first before you compare it to the passwords into the database. Â If you nee more help, please post the part that handles your login form. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1497978 Share on other sites More sharing options...
Solution QuickOldCar Posted November 29, 2014 Solution Share Posted November 29, 2014 What your code should do:  check if POST is set if(isset($_POST){ //proceed with code } else { //show a message,any errors,redirects or a form } assign variables to POST values only if they exist trimming the unseen whitespace as well with trim() (if a password has whitespace at the ends would become a different hash) checking for empty or blank values if(isset($_POST['username']) && trim($_POST['username']) != ''){ $username = trim($_POST['username']); } checking what type of data the value is character type checking filter validation filter functions sanitize  email example if(isset($_POST['email']) && filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL)){ $email = trim($_POST['email']); } as Frank said you compare 2 encrypted passwords, one encrypted from the form value and the saved one in database don't use md5() but something like password_hash()  don't use outdated mysql_* functions, use mysqli_* or pdo  check/sanitize/filter then escape anything you are using in a mysql query mysqli_real_escape_string() or prepared statements  before you try and do anything with the database, ensure that all your variables exist, not empty, data you expect and escaped  it's nice to incorporate error handling to assist you and your users as to whats going on can create an error array or messages upon any errors throughout your script  error reporting While you are creating code add this to the top of your php script error_reporting(E_ALL | E_NOTICE); ini_set('display_errors', '1'); later on set it to log errors or not show errors a production site error_reporting(0); ini_set("log_errors", 1); ini_set("error_log", "/tmp/php-error.log");//or can look default folder Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1497991 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 (edited) I have SQL Injection code in the login script but not registration and i already have & i always use error_reporting(E_ALL | E_NOTICE); error_reporting(E_ALL | E_NOTICE); Here's my login <?php error_reporting(E_ALL | E_NOTICE); require 'connect.php'; session_start(); if(isset($_POST['submit'])) { $username = $_POST['username']; $password = md5($_POST['password']); if(empty($username)) { echo "You did not enter a username, Redirecting..."; echo "<meta http-equiv='refresh' content='2' URL='login.php'>"; exit(); } else if(empty($password)) { echo "You did not enter a password, Redirecting..."; echo "<meta http-equiv='refresh' content='2' URL='login.php'>"; exit(); } //Prevent hackers from using SQL Injection to hack into Database $md5_password = md5($_POST['password']); $username = stripslashes($username); $password = stripslashes($password); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$encrypt_password'"; $result = mysql_query($sql); $count = mysql_num_rows($result); $row = mysql_fetch_assoc($result); $user_level = $row['user_level']; if($count == 1) { $_SESSION['loggedIn'] = true; $_SESSION['username'] = $_POST['username']; } else { print("<br> <br>Username / Password is Incorrect!"); exit(); } Edited November 29, 2014 by Tom8001 Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498006 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 (edited)  What your code should do:  check if POST is set if(isset($_POST){ //proceed with code } else { //show a message,any errors,redirects or a form } assign variables to POST values only if they exist trimming the unseen whitespace as well with trim() (if a password has whitespace at the ends would become a different hash) checking for empty or blank values if(isset($_POST['username']) && trim($_POST['username']) != ''){ $username = trim($_POST['username']); } Why do i need to add these? I'm still new to PHP im just curious i don't fully understand  Edited November 29, 2014 by Tom8001 Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498007 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 It says this on PHP.net " " (ASCII 32 (0x20)), an ordinary space. "\t" (ASCII 9 (0x09)), a tab. "\n" (ASCII 10 (0x0A)), a new line (line feed). "\r" (ASCII 13 (0x0D)), a carriage return. "\0" (ASCII 0 (0x00)), the NUL-byte. "\x0B" (ASCII 11 (0x0B)), a vertical tab. But i don't understand what they are Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498009 Share on other sites More sharing options...
mac_gyver Posted November 29, 2014 Share Posted November 29, 2014 if(isset($_POST){  this is wrong advice. the $_POST array is always set by php. all the super-global arrays are set, even if they are empty.  to detect if a post method form has been submitted, you either need to test if a specific, non-optional/non-disabled, field in the form is set, which your code is doing with the if(isset($_POST['submit'])) {, provided you always click on the submit button to submit the form, or you can test if $_SERVER['REQUEST_METHOD'] == 'POST' if all you want to detect is if any post method form was submitted.  once you have detected that a form has been submitted, you don't need to individually test if text/password/textarea fields are set, they will be if you don't have any coding errors in your form. and in fact, if you do have coding errors, you wouldn't want to use isset() to qualify the references to those type of fields as it would hide the fact that your form doesn't have fields by those expected names. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498010 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 (edited) I Used the code below & The script works fine with that, but my only problem now is encrypting my passwords i can't get it to work, when they register it goes into the database as md5() but when trying to login it says username or password is incorrect. if (isset($_POST['username']) && isset($_POST['password'])){ Edited November 29, 2014 by Tom8001 Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498011 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 oops my bad, meant to add the submit or even !empty  For the rest it depends if have multiple forms or optional fields within a form. I got into the habit of checking them while trim or filter. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498012 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 in my login script i used if(isset($_POST['submit']) i'll add it to my register script Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498013 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 I guess you skipped past my post, answers to your issue in there. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498014 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 I guess you skipped past my post, answers to your issue in there. it didn't work Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498015 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 You mean the advice didn't work? Â trimming post values didn't work? Â You know that's going to be as secure as just checking if the password is bobby? Little overboard, but not that far off. Â $md5_password = md5(trim($_POST['password'])); Â $sql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$md5_password'"; Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498016 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 i did that, now it doesn't insert anything into the database. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498017 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 i can get it to insert the md5 password into the database but then it wont login. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498018 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 (edited) You don't need stripslashes, mysql_real_escape_string does that  Be sure to trim on both registration and your login.  grr were doing it 2x $username = $_POST['username'];$password = md5($_POST['password']);  Just this $username = mysql_real_escape_string(trim($_POST['username'])); $md5_password = md5(trim($_POST['password'])); $password = mysql_real_escape_string($md5_password); If this don't work tom, post both your current register and login forms. Edited November 29, 2014 by QuickOldCar Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498020 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 Login script <?php error_reporting(E_ALL | E_NOTICE); require 'connect.php'; session_start(); if(isset($_POST['submit'])) { $username = $_POST['username']; $password = $_POST['password']; if(empty($username)) { echo "You did not enter a username, Redirecting..."; echo "<meta http-equiv='refresh' content='2' URL='login.php'>"; exit(); } else if(empty($password)) { echo "You did not enter a password, Redirecting..."; echo "<meta http-equiv='refresh' content='2' URL='login.php'>"; exit(); } //Prevent hackers from using SQL Injection to hack into Database $md5_password = md5(trim($_POST['password'])); $username = mysql_real_escape_string($username); $password = mysql_real_escape_string($password); $sql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'"; $result = mysql_query($sql); $count = mysql_num_rows($result); $row = mysql_fetch_assoc($result); $user_level = $row['user_level']; if($count == 1) { $_SESSION['loggedIn'] = true; $_SESSION['username'] = $_POST['username']; } Registration script <?php error_reporting(E_ALL | E_NOTICE); require 'connect.php'; echo "<title> Register </title>"; if(isset($_POST['submit'])) { if (isset($_POST['username']) && isset($_POST['password'])){ $username = $_POST['username']; $password = $_POST['password']; $email = $_POST['email']; $username = mysql_real_escape_string($username); $email = mysql_escape_string($email); $password = mysql_real_escape_string($password); $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$md5_password'"; $usrres = mysql_query($usrsql); if (!$usrres) { die("Query Failed."); } if (mysql_num_rows($usrres) > 0) { echo "<style>body {background-image: url('http://desktopwallpapers.biz/wp-content/uploads/2014/09/Website-Background-Cool-HD.jpg');} #uexist {position: fixed;top: 200px;left: 550px; font-size: 24px;}</style>"; die("<font color='yellow' face='Tahoma'> <b> <center> <p id='uexist'> The username you entered is already in use. </p> </center> </b> </font>"); } else { // DO NOTHING } if(empty($username)) { print("<font color='red'>You did not enter a username!</font> Â <br> <br>"); } else if(empty($password)) { die("<font color='red'>You did not enter a password!</font>"); } if(strlen($username)<3) { die("<font color='red'>Your username must be over 3 characters!</font>"); } else if(strlen($username)>20) { die("<font color='red'>Your username is over 20 characters and must be under! usernames are 3 - 20 characters!</font>"); } if(isset($_POST['email']) && filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL)) { $email = trim($_POST['email']); } $md5_password = md5(trim($_POST['password'])); $query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$md5_password', '$email')"; $result = mysql_query($query); if($result == 1) { print("Thank you, your accout has been created!"); } } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498021 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 Also i'm not using MySQLi, i think it's stupid MySQL can do everything i need it to do i don't even know why they added sqli Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498022 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 login <?php error_reporting(E_ALL | E_NOTICE); require 'connect.php'; session_start(); if (isset($_POST['submit'])) {       $username = trim($_POST['username']);    $password = trim($_POST['password']);       if (empty($username)) {               echo "You did not enter a username, Redirecting...";               echo "<meta http-equiv='refresh' content='2' URL='login.php'>";               exit();           }       if (empty($password)) {               echo "You did not enter a password, Redirecting...";               echo "<meta http-equiv='refresh' content='2' URL='login.php'>";               exit();           }       //Prevent hackers from using SQL Injection to hack into Database    $username    = mysql_real_escape_string($username);    $md5_password = md5($password);    $password    = mysql_real_escape_string($md5_password);          $sql       = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'";    $result    = mysql_query($sql);    $count     = mysql_num_rows($result);    $row       = mysql_fetch_assoc($result);    $user_level = $row['user_level'];          if ($count == 1) {               $_SESSION['loggedIn'] = true;        $_SESSION['username'] = $_POST['username'];           }    } ?> register <?php error_reporting(E_ALL | E_NOTICE); require 'connect.php'; echo "<title> Register </title>"; if (isset($_POST['submit'])) { if (isset($_POST['username']) && isset($_POST['password'])) { $username = trim($_POST['username']); $password = trim($_POST['password']); $email = $_POST['email']; $username = mysql_real_escape_string($username); $email = mysql_real_escape_string($email); $md5_password = md5($password); $password = mysql_real_escape_string($md5_password); /* why checking for a username and also a password? isn't this registration? don't you want just no duplicate names? */ $usrsql = "SELECT * FROM $tbl_name WHERE username='$username' AND password='$password'"; $usrres = mysql_query($usrsql); if (!$usrres) { die("Query Failed."); } if (mysql_num_rows($usrres) > 0) { echo "<style>body {background-image: url('http://desktopwallpapers.biz/wp-content/uploads/2014/09/Website-Background-Cool-HD.jpg');} #uexist {position: fixed;top: 200px;left: 550px; font-size: 24px;}</style>"; die("<font color='yellow' face='Tahoma'> <b> <center> <p id='uexist'> The username you entered is already in use. </p> </center> </b> </font>"); } else { // DO NOTHING } if (empty($username)) { print("<font color='red'>You did not enter a username!</font>  <br> <br>"); } else if (empty($password)) { die("<font color='red'>You did not enter a password!</font>"); } if (strlen($username) < 3) { die("<font color='red'>Your username must be over 3 characters!</font>"); } else if (strlen($username) > 20) { die("<font color='red'>Your username is over 20 characters and must be under! usernames are 3 - 20 characters!</font>"); } if (isset($_POST['email']) && filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL)) { $email = trim($_POST['email']); } $query = "INSERT INTO `x_users` (username, password, email) VALUES ('$username', '$password', '$email')"; $result = mysql_query($query); if ($result == 1) { print("Thank you, your account has been created!"); } } } ?> Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498026 Share on other sites More sharing options...
QuickOldCar Posted November 29, 2014 Share Posted November 29, 2014 I fixed a few errors in that that should have been obvious, maybe you should be displaying errors and showing us them Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498027 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 the only error i have is Deprecated: mysql_connect(): The mysql extension is deprecated and will be removed in the future: use mysqli or PDO instead in C:\xampp\htdocs\Login\connect.phpon line 15  &  It still says username or password is incorrect when trying to login. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498031 Share on other sites More sharing options...
mac_gyver Posted November 29, 2014 Share Posted November 29, 2014 you need to actually debug and find out why your script is not matching the username/password. just randomly throwing a bunch of code against the wall to see what sticks isn't programming and will take forever to get something that works. Â you need to echo out the $sql query statement to see what exactly it is and then look in your database table, using your favorite database management tool, such as phpmyadmin, and see if the username and hashed password values, in the $sql variable that you echoed, exactly match the values in a row in your database table. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498032 Share on other sites More sharing options...
Tom8001 Posted November 29, 2014 Author Share Posted November 29, 2014 you need to actually debug and find out why your script is not matching the username/password. just randomly throwing a bunch of code against the wall to see what sticks isn't programming and will take forever to get something that works. Â you need to echo out the $sql query statement to see what exactly it is and then look in your database table, using your favorite database management tool, such as phpmyadmin, and see if the username and hashed password values, in the $sql variable that you echoed, exactly match the values in a row in your database table. I'm new to PHP Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498038 Share on other sites More sharing options...
mac_gyver Posted November 30, 2014 Share Posted November 30, 2014 everyone that is reading this was new to php at one point in time. Â does that mean you are not going to echo the $sql variable holding the query statement, look at it to see if it even has values in it, and then look at your database table and make sure you have a row with those exact same values? you are the only person here who has access to your server and can do these things to pin down where the problem is at. Quote Link to comment https://forums.phpfreaks.com/topic/292784-php-wont-encrypt-passwords/#findComment-1498062 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.