VanityCrush
Posted August 1, 2015

Hello, I have inserted a user into my database table through phpMyAdmin using the predefined MD5 function. (I know md5 is not secure and I should use bcrypt instead, but I don't need that type of security, my only purpose is not to store the passwords in plain text)

Now my problem is that whenever I try to log the user in, I can never read the hashed password back. This is my code:

The function that is testing for the username and password:

```php
function login($username, $password) {
    include('core/db/db_connection.php');
    $sql = "SELECT COUNT(user_id) FROM `_users` WHERE username = '$username' AND password = '$password'";
    $query = mysqli_query($dbCon, $sql);
    $user_id = get_user_id($username);
    $username = sanitize($username);
    $password = md5($password); // issue
    return (mysqli_result($query, 0) == 1) ? $user_id : false; // possible issue
}
```

The logging processing code:

```php
if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'Username and/or password fields must not be left blank';
    } else if (user_exists($username) === false) {
        $errors[] = 'Username does not exist! Please register before logging in.';
    } else if (user_active($username) === false) {
        $errors[] = 'You haven\'t activated your account yet';
    } else {
        $login = login($username, $password);
        if ($login === false) {
            $errors[] = 'Username/password incorrect';
        } else {
            echo 'ok' . '<br/>';
            //set user session
            //redirect user
        }
    }
    print_r($errors);
}
```

How can I read the stored MD5 password to allow my registered users access? Many thanks.

mac_gyver
Posted August 1, 2015

if you have the hashed password stored in your database table, how can this part of your query - AND password = '$password' ever be true?

VanityCrush (Author)
Posted August 1, 2015

You are right. The order in which I was doing this is wrong. The correct way is:

```php
function login($username, $password) {
    include('core/db/db_connection.php');
    $user_id = get_user_id($username);
    $username = sanitize($username);
    $password = md5($password);
    $sql = "SELECT COUNT(user_id) FROM `_users` WHERE username = '$username' AND password = '$password'";
    $query = mysqli_query($dbCon, $sql);
    return (mysqli_result($query, 0) == 1) ? $user_id : false;
}
```

However, next time I'm looking for an answer, a little bit of specificity won't hurt.

Edited August 1, 2015 by VanityCrush

mac_gyver
Posted August 1, 2015

you're welcome. putting lines of code together so that they accomplish a stated goal is fundamental to this thing called programming. i can guarantee that you learned much more by actually looking at your code and fixing it yourself, than what you would have by someone telling you where to put your fingers on the keyboard and what to type.

VanityCrush (Author)
Posted August 2, 2015

Sorry if that sounded ungrateful, I see your point and I thank you for taking the time to look at my question.

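The bcrypt route the first post mentions but does not take, as an added example that is not code from the thread: the row is fetched by username through a bound parameter and the password is checked in PHP with password_verify(). It assumes PDO with an in-memory SQLite database in place of the thread's mysqli connection so that it runs stand-alone; the `_users` columns follow the posts and the sample user is constructed.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database
// stands in for the thread's MySQL connection; the sample user is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE _users (
    user_id  INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL)');

// Registration: store a salted bcrypt hash, never the plain text.
function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO _users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_BCRYPT)]);
}

// Login: select by username only, through a bound parameter, then compare
// the submitted password with the stored hash in PHP.
// Returns the user id on success, false otherwise.
function login(PDO $db, string $username, string $password)
{
    $stmt = $db->prepare('SELECT user_id, password FROM _users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // A salted hash differs on every call, so it cannot be recomputed and
    // matched in the WHERE clause the way md5() output can.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    return (int) $row['user_id'];
}

register($db, 'alice', 'correct horse');          // constructed sample user
var_dump(login($db, 'alice', 'correct horse'));   // matching password
var_dump(login($db, 'alice', 'wrong password'));  // non-matching password
var_dump(login($db, "o'brien", 'x'));             // quote in the name is bound as data
```

The same pattern works with mysqli prepared statements; the point carried over from the thread is that the comparison has to happen against the hashed form, here inside password_verify() rather than in the SQL.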