
Reading an MD5 hash from the database to allow users to log in


VanityCrush


Hello,

I have inserted a user into my database table through phpMyAdmin using the predefined MD5 function. (I know md5 is not secure and I should use bcrypt instead, but I don't need that type of security, my only purpose is not to store the passwords in plain text)

Now my problem is that whenever I try to log the user in, I can never read the hashed password back. This is my code:

The function that is testing for the username and password:

function login($username, $password) {
	include('core/db/db_connection.php');
	$sql = "SELECT COUNT(user_id) FROM `_users` WHERE username = '$username' AND password = '$password'";
	$query = mysqli_query($dbCon, $sql);
	$user_id = get_user_id($username);
	$username = sanitize($username);
	$password = md5($password); // issue
	return (mysqli_result($query, 0) == 1) ? $user_id : false; // possible issue
}

The logging processing code:

if (empty($_POST) === false) {
	$username = $_POST['username'];
	$password = $_POST['password'];

	if (empty($username) === true || empty($password) === true) {
		$errors[] = 'Username and/or password fields must not be left blank';
	} else if (user_exists($username) === false) {
		$errors[] = 'Username does not exist! Please register before logging in.';
	} else if (user_active($username) === false) {
		$errors[] = 'You haven\'t activated your account yet';
	} else {
		$login = login($username, $password);
		if ($login === false) {
			$errors[] = 'Username/password incorrect';
		} else {
			echo 'ok' . '<br/>';
			//set user session
			//redirect user
		}
	}

	print_r($errors);
}

How can I read the stored MD5 password to allow my registered users access?

Many thanks.


You are right. The order in which I was doing this is wrong. The correct way is:

function login($username, $password) {
	include('core/db/db_connection.php');
	$user_id = get_user_id($username);
	$username = sanitize($username);
	$password = md5($password); 
	$sql = "SELECT COUNT(user_id) FROM `_users` WHERE username = '$username' AND password = '$password'";
	$query = mysqli_query($dbCon, $sql);
	return (mysqli_result($query, 0) == 1) ? $user_id : false;
}

However, next time I'm looking for an answer, a little bit of specificity won't hurt.


you're welcome.

putting lines of code together so that they accomplish a stated goal is fundamental to this thing called programming. i can guarantee that you learned much more by actually looking at your code and fixing it yourself, than what you would have by someone telling you where to put your fingers on the keyboard and what to type.

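An added example, not part of the thread and not the poster's code: the corrected ordering from the second post (hash the submitted password first, then compare) using a bound parameter instead of interpolating `$username` into the SQL, plus an upgrade of MD5 rows to bcrypt on a successful login. It assumes PDO with an in-memory SQLite database and a constructed user so it runs without a server; the `_users` table and its columns follow the posts.

```php
<?php
// Added example. Table and column names follow the posts; the SQLite
// database and the sample user below are constructed for illustration.
function login(PDO $db, string $username, string $password)
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT user_id, password FROM _users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    $stored = $row['password'];
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        // Legacy row: hash the submitted password, then compare in constant time.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        // Correct password: replace the MD5 value with a salted bcrypt hash.
        $upd = $db->prepare('UPDATE _users SET password = ? WHERE user_id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT), $row['user_id']]);
        return (int) $row['user_id'];
    }

    // Row already upgraded: password_verify() reads salt and cost from the hash.
    return password_verify($password, $stored) ? (int) $row['user_id'] : false;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE _users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
// Constructed user, stored the way the first post describes (MD5 of the password).
$db->prepare('INSERT INTO _users (username, password) VALUES (?, ?)')
   ->execute(['alice', md5('correct horse')]);

var_dump(login($db, 'alice', 'wrong'));          // wrong password against the MD5 row
var_dump(login($db, 'alice', 'correct horse'));  // MD5 row matches and is rehashed
var_dump(login($db, 'alice', 'correct horse'));  // same row, now checked by password_verify()
var_dump(login($db, "alice' -- ", 'x'));         // quote characters are treated as data
```

The same pattern works with mysqli through `mysqli_prepare()` and `mysqli_stmt_bind_param()`; the password column must be wide enough for a 60-character bcrypt hash.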
