[SOLVED] md5 and post

[scottybwoy]

I have a signup form that encrypts the password into md5 format, which then stores it in to the database.

 

I then have a login section that translates the password into md5 to check against the stored version.  However the one that is entered and posted via a password field, results in a different md5 hash, is this due to the nature of the password field or post, if so what is the best way to store an encrypted password and then compare it?

 

Thanks in advance.

[rarebit]

I assume that the form use's a js md5 function and the main comparison is done by php's md5. I'd check the js version!

[BlueSkyIS]

i use the md5 password without this issue. the fact that a form field is in use will not affect the value of the md5 created for the password text.

[wildteen88]

Shouldn't make a difference whether you use a password or a text input filed. Both get submitted as plain text. The password input field just hides the characters being typed. This has no affect on how it is submitted.

[scottybwoy]

hmm, well no i'm not using a js md5 func, it's pure php.  The php md5's the pass during signup and converts the one entered at login, however the one created at signup is 5f4dcc3b5aa765d61d8327deb882cf99 and when inserted at login returns d41d8cd98f00b204e9800998ecf8427e

 

Any more suggestions?

[GingerRobot]

Well that just doesn't make sense. Are you 100% sure you're entering the same password? Perhaps there's an extra character in one of them somewhere?

 

The string 'password' generates your first hash - 5f4dcc3b5aa765d61d8327deb882cf99 - so the register appears to be working ok; perhaps there is an issue with your login script.

[scottybwoy]

This is what is invoked when login is clicked:

<?php
$username = $_POST['username'];
$password = $_POST['password'];
$password = md5($password);
Central::login($username, $password);
?>

 

This is the login script:

<?php

function login($username, $password) {
	echo $password;
	$sql = "SELECT f_name FROM members WHERE email = '" . $username . "' AND password = '" . $password . "'";

	if ($qry = mysql_query(mysql_real_escape_string($sql))) {
		$_SESSION['USERNAME'] = mysql_result($qry, 0);
	} else {
		trigger_error("You did not enter valid credentials, Please try again.", E_USER_WARNING);
	}
}
?>

 

The echo is just to tell me what it's looking for.  Should be really simple.

Can you see where it's going wrong?

[GingerRobot]

Well, where do you apply the md5() function in your login script?

[scottybwoy]

See $password = md5($password); in the first bit of code before its sent to the login script, it shouldn't matter where it is should it?

[rarebit]

What about when you create the form input, does the value have a space in it e.g. ' ', if it does you'd need to use trim()... dunno

[scottybwoy]

tried trim already no joy, does anyone have a working script that may be a bit better, they wouldn't mind posting me.  The strange thing is it's the same php engine working on the script and it's the same browser posting the data, has me baffled.

[rarebit]

I just tried this...

$p = $_POST['nowt'];
$sum = md5($p);
echo $sum;

Obviously the form element 'nowt' doesn't exist, but it gave the following sum:

d41d8cd98f00b204e9800998ecf8427e

Look similar? Look for a spelling mistake in your form!

lol don't you just love the manytrix...

[scottybwoy]

LOL!!!!

 

How silly I have been, I didn't even have a name for the input field!  Thanks for all your time over my schoolboy error! lol