
php/mysql md5 encryption help


Bavilo


Hello folks,

I am making a Register and Login script for my site. It works great but I would rather have the passwords be encrypted using md5. Right now I have figured out how to store the password the user enters in the registering page into md5 right into the database. Now I want to be able to have the user log in, his password that he enters gets encrypted, and then checked with the one on the database. I'm not sure how I would go about encrypting the password on the login script. I hope someone can help me out a little. Here are the 2 scripts.

Register.php
[code]
<?php
         $dbhost='localhost';
          $dbusername='username';
         $dbuserpass='password';
         $dbname='database name';

         mysql_connect ($dbhost, $dbusername, $dbuserpass);
         mysql_select_db($dbname) or die("Cannot select database");

         if (isset($_POST["username"])) {
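         // escape user input before it is interpolated into the SQL strings below
         $username = mysql_real_escape_string($_POST["username"]);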
         $password = md5($_POST["password"]); //here the password was hashed and then submitted
         $cpassword = md5($_POST["cpassword"]); //here the password was hashed and then submitted
         $email = mysql_real_escape_string($_POST["email"]); // escaped for the same reason
         if($username==NULL|$password==NULL|$cpassword==NULL|$email==NULL) {
         echo "A field was left blank.";
         }else{
         if($password!=$cpassword) {
         echo "Passwords do not match";
         }else{
         $checkuser = mysql_query("SELECT username FROM users WHERE username='$username'");
         $username_exist = mysql_num_rows($checkuser);

         $checkemail = mysql_query("SELECT email FROM users WHERE email='$email'");
         $email_exist = mysql_num_rows($checkemail);

         if ($email_exist>0|$username_exist>0) {
         echo "The username or email is already in use";
         }else{
         $query = "INSERT INTO users (username, password, email) VALUES('$username','$password','$email')";
         mysql_query($query) or die(mysql_error());
         echo "The user \"$username\" has been successfully registered. You may now login.";
         }
         }
         }
         }
         ?>
[/code]

Login.php
[code]
<?php
         $dbhost='localhost';
         $dbusername='username';
         $dbuserpass='password';
         $dbname='username database';

         mysql_connect ($dbhost, $dbusername, $dbuserpass);
         mysql_select_db($dbname) or die('Cannot select database');

         if ($_POST['username']) {
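         // escape user input before it is interpolated into the SQL strings below
         $username=mysql_real_escape_string($_POST['username']);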
         $password=$_POST['password'];
         if ($password==NULL) {
         echo "You didn't enter a password";
         }else{
         $query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
         $data = mysql_fetch_array($query);
         if($data['password'] != $password) {
         echo "The Login you entered is incorrect";
         }else{
         $query = mysql_query("SELECT username,password FROM users WHERE username = '$username'") or die(mysql_error());
         $row = mysql_fetch_array($query);
         $_SESSION["s_username"] = $row['username'];
         echo "<meta http-equiv='Refresh' content='0; url=loggedin.php'>";}
         }
         }
         ?>
[/code]

Again, not sure how I would encrypt the password on the login script and have it successfully check out on this line so it gets submitted "$data = mysql_fetch_array($query); if($data['password'] != $password) {"

Thanks in advance
Mike

Observations/suggestions:

1) Change all "|" (bitwise or) to have two like so "||" (logical or). See these links for more info.

http://us2.php.net/manual/en/language.operators.logical.php

http://us2.php.net/manual/en/language.operators.bitwise.php


2) Instead of checking for NULL, it's best to use empty(). See:

http://us2.php.net/manual/en/function.empty.php


3) You only need one query to check if the username or email has already been used (since you're displaying the same message for both). Also, you need to check for any MySQL errors right after the query. Example:

[code]
    } else {
         $checkuser = mysql_query("SELECT `username`, `email` FROM `users` WHERE `username` = '$username' OR `email` = '$email'") or die('SQL error: ' . mysql_error());

         $user_exists = mysql_num_rows($checkuser);

         if ($user_exists > 0) {
             echo "The username or email is already in use";
         } else {
[/code]


4) Password is a reserved word in MySQL. Either change the column name to something else (recommended), or use backtick marks surrounding the column name. Example:

[code]
$query = "INSERT INTO users (`username`, `password`, `email`) VALUES('$username', '$password', '$email')";
[/code]


5) And finally the part that you're asking about:

[code]
if ($_POST['username']) {
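         // escape before interpolating into the query (uses the open mysql connection)
         $username=mysql_real_escape_string($_POST['username']);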
         $password= $_POST['password'];
        
         if (empty($username) || empty($password)) {
             echo "You didn't enter a username and password";
         }else{
             $password = md5($password); // hash it before checking it against table

             $query = mysql_query("SELECT `username`, `password` FROM `users` WHERE `username` = '$username' AND `password` = '$password'") or die(mysql_error());

             $row = mysql_fetch_assoc($query);

             if (!$row)  {    // No data was retrieved (didn't match search criteria)
                 echo "The Login you entered is incorrect";
             } else {
                 $_SESSION['s_username'] = $row['username'];
                 echo "<meta http-equiv='Refresh' content='0; url=loggedin.php'>";
             }
         }
}
[/code]
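For comparison with the md5()/mysql_* scripts above, here is the same register-and-login flow using PHP's password_hash()/password_verify() and prepared statements. This is an added example, not code posted in the thread; the in-memory SQLite database, the pass_hash column name and the sample account are assumptions so the script runs offline.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO with pdo_sqlite
// (in-memory, so it runs offline); for MySQL only the DSN changes.
// The account data below is constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 255 chars leaves room for any password_hash() output. A hash column that
// is too short for the hash makes every later login comparison fail.
$db->exec('CREATE TABLE users (
    username  VARCHAR(64)  PRIMARY KEY,
    pass_hash VARCHAR(255) NOT NULL,
    email     VARCHAR(255) NOT NULL UNIQUE)');

function register_user(PDO $db, string $user, string $pass, string $email): bool
{
    if ($user === '' || $pass === '' || $email === '') {
        return false;                    // validate the raw input, before hashing
    }
    $stmt = $db->prepare('SELECT 1 FROM users WHERE username = ? OR email = ?');
    $stmt->execute([$user, $email]);     // placeholders: input never becomes SQL
    if ($stmt->fetchColumn() !== false) {
        return false;                    // username or email already in use
    }
    $hash = password_hash($pass, PASSWORD_DEFAULT);   // salted, deliberately slow
    $ins  = $db->prepare('INSERT INTO users (username, pass_hash, email) VALUES (?, ?, ?)');
    return $ins->execute([$user, $hash, $email]);
}

function check_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    // The salt is stored inside the hash, so the comparison cannot be done in
    // the WHERE clause: fetch the row first, then verify in PHP.
    return is_string($hash) && password_verify($pass, $hash);
}

var_dump(register_user($db, 'mike', 'correct horse', 'mike@example.test'));
var_dump(register_user($db, 'mike', 'other', 'mike@example.test'));  // duplicate
var_dump(check_login($db, 'mike', 'correct horse'));
var_dump(check_login($db, 'mike', 'wrong'));
var_dump(check_login($db, "mike' OR '1'='1", 'x'));   // treated as a literal name
```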

Thanks for the great tips! Everything works great except for the login part, it still says that the login is incorrect. I made sure that when I sign up the password is hashed in the table. I guess the login tries to check the actual password instead of the encrypted password? I'm not really sure how to fix this. Any further help is appreciated. Btw I used the code you gave me.

Here is the site btw, check it out and see for yourself.
http://mike.eurodogcrates.com/login.php

Mike

Ok it works now, the row for the passwords didn't allow enough characters for the hash. Fixed that and she's up and running. One more problem. I have a Forgot Password? script that sends you your username and password from the row of the email you entered. Well, now it sends the hash. Any way I can make it so it sends the actual password instead of the hash?

Thanks
Mike

[quote]
QUOTE (Bavilo @ Apr 30 2006, 10:35 PM)
Ok it works now, the row for the passwords didn't allow enough characters for the hash. Fixed that and she's up and running. One more problem. I have a Forgot Password? script that sends you your username and password from the row of the email you entered. Well, now it sends the hash. Any way I can make it so it sends the actual password instead of the hash?

Thanks
Mike
[/quote]

You cannot retrieve a forgotten password from an md5 hash. You have to write your script to reset the password and send that password to the user.

Ray
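A sketch of the reset flow described in the reply above, as an added example that is not part of the original thread. It goes one step further than mailing a new password: it mails a single-use, expiring token and lets the user choose the new password. The resets table, the 30-minute lifetime and the sample account are assumptions, and mail delivery is left out.

```php
<?php
// Added example, not code from the thread. Assumptions: pdo_sqlite in-memory
// DB, a 'resets' table, a 30-minute token lifetime, constructed account data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users  (username TEXT PRIMARY KEY, pass_hash TEXT, email TEXT)');
$db->exec('CREATE TABLE resets (token_hash TEXT PRIMARY KEY, username TEXT, expires INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?)')
   ->execute(['mike', password_hash('old password', PASSWORD_DEFAULT), 'mike@example.test']);

// Step 1: the user submits an email address. Returns the token to mail, or null.
function start_reset(PDO $db, string $email, int $now): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetchColumn();
    if ($user === false) {
        return null;          // the page should show the same message either way
    }
    $token = bin2hex(random_bytes(32));               // 256-bit CSPRNG token
    // Store only a hash of the token, so a leaked table cannot be replayed.
    $db->prepare('INSERT INTO resets VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $user, $now + 1800]);
    return $token;
}

// Step 2: the user follows the mailed link and chooses a new password.
function finish_reset(PDO $db, string $token, string $newPass, int $now): bool
{
    $stmt = $db->prepare('SELECT username FROM resets WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $user = $stmt->fetchColumn();
    if ($user === false) {
        return false;                                 // unknown or expired token
    }
    $db->prepare('UPDATE users SET pass_hash = ? WHERE username = ?')
       ->execute([password_hash($newPass, PASSWORD_DEFAULT), $user]);
    // Single use: drop every outstanding token for this account.
    $db->prepare('DELETE FROM resets WHERE username = ?')->execute([$user]);
    return true;
}

$token = start_reset($db, 'mike@example.test', time());
var_dump(finish_reset($db, $token, 'new password', time()));
var_dump(finish_reset($db, $token, 'again', time()));   // replaying the same token
```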
