md5 problem

adavis

I don't know what I'm doing wrong. I decided (big mistake) to change from crypt($pasword,$salt) encryption to md5($password) encryption. When I change a password, everything works just find, but then when I try to go back in and log in with the new password, they don't match. I check the db to see if it was changed to what I told it to change to, and it was. Here's what I'm doing to change/activate my password:

    $idIN = $_GET['id'];
$codeIN = $_GET['code'];
$activateIN = $_GET['activate'];
include "headerA.inc";
include "connectdb.inc";
$locksql = "LOCK TABLES MA_users READ";
$lockreq= mysql_query($locksql) || die("ERROR: Query failed\n");
$sql = "SELECT * FROM MA_users WHERE id='$idIN' LIMIT 1";
$result = mysql_query($sql,$dblink) || die("Couldn't query db.");
$num = 0;
while ($row = mysql_fetch_array($result)) {
  $num++;
  $userIN   = $row['username'];
  $passIN   = $row['password'];
  $nameIN   = $row['firstname']." ".$row['lastname'];
  $firstIN  = $row['firstname'];
  $lastIN   = $row['lastname'];
}
if ($num) {
  $locksql = "UNLOCK TABLES";
  $lockreq = mysql_query($locksql) || die("ERROR: Query failed");
  $locksql = "LOCK TABLES MA_users WRITE";
  $lockreq= mysql_query($locksql) || die("ERROR: Query failed");
  $sql = "UPDATE MA_users SET password='$codeIN' WHERE id='$idIN' LIMIT 1";  

// $codeIN comes in crypted
// I send a link via email with the crypted password
  $result = mysql_query($sql) || die("ERROR: SQL query failed");
  $locksql = "UNLOCK TABLES";
  $lockreq = mysql_query($locksql) || die("ERROR: Query failed");
  mysql_close ($dblink);
  echo "<div align='center'>\n";
  echo "<h3>Your password has been successfully ".$activateIN.".</h3>\n";
// $activateIN will be reset or change
  echo "<h4>Close this window and log in from the main page.</h4>\n";
  echo "<form>\n";
  echo "<input type='button' value='Close' onClick='window.close()'>\n";
  echo "</form>\n";
  echo "</div>\n";
} else {
  echo "<h3 align='center'>ERROR: Password not $activateIN</h3>\n";
  echo "<h4 align='center'>idIN: ".$idIN."&nbsp;"</h4>\n";
}

Now, here's what I'm doing to check it for loggin in:

if     ($_POST['casePWc']) { $activateIN = "Change Password"; }
elseif ($_POST['casePWr']) { $activateIN = "Reset Lost Password"; }
else {
  include "connectdb.inc";
  $locksql = "LOCK TABLES MA_users READ";
  $lockreq= mysql_query($locksql) || die("ERROR: Query failed");
  $userADS = addslashes($_POST['user']); 
  $passwd = "";
  $passwd   = md5($_POST['pass']);
  $sql = "SELECT * FROM MA_users WHERE username='$userADS' ";
  $sql .= "AND password='$passwd'";
  $result = mysql_query($sql,$dblink) || die(ERROR: query failed");
  $num = 0;
  while ($row = mysql_fetch_array($result)) {
    $num++;
    $userIN   = $row['username'];
    $passIN   = $row['password'];
    $nameIN   = $row['firstname']." ".$row['lastname'];
    $firstIN  = $row['firstname'];
    $lastIN   = $row['lastname'];
  }
  $locksql = "UNLOCK TABLES";
  $lockreq = mysql_query($locksql) || die("ERROR: Query failed");
  mysql_close ($dblink);

$num is coming back as 0. I've displayed what I put in on the first piece of code (username, password, and md5(password) and then same information in the second piece of code. Username and password match, but crypt password does not match what is on the database. WHY??? 😕

planetsim

When using md5(); you must use it again on the password so

When registering you use md5 to encrypt to the database. You must use it again. When logging in as well.

Also read a bit more of your code and found this line

$result = mysql_query($sql,$dblink) or die(ERROR: SQL query failed: $sql");

Try getting rid of the quote at the end or get rid of the or die thing.

$result = mysql_query($sql,$dblink) or die("ERROR: SQL query failed: $sql");

Is what it should be

adavis

The missing quote was because I took out some stuff to try to make the line shorter. What I do is something like this:

$crypted_password = md5($_POST['password']);
$sql="UPDATE users SET password='$crypted_password'";
$result = mysql_query($sql,$dblink);

...write this to the database.

Then to compare I have:

$password-IN = $_POST['password'];
$c_password = md5($password-IN);

$num = 0;
$sql = "SELECT * FROM users where username='$_POST['username'] ";
$sql .= "AND password = '$c_password'";
$result = mysql_query($sql,$dblink);
while ($row = mysql_fetch_array($result)) {
  $num++;
}

$num is returning 0, so I take out the AND password=$c_password. It find the user, then I echo the crypted password I was trying to match on and what's in the db and they are different.

Am I missing something? All I did was change crypt($password,$salt) to md5($password). It was working with crypt, but is not working with md5. What I can't figure out is why this happens, I echo username, password, and crypted password, just before I write to the db and get one thing for crypted password, then (in a different script) echo the same information and get a different crypted password, even though the password before encryption is the same both times.

I'm about ready to change it back though I think I'm going to try crypt($password,$username) instead of using a preset $salt for everyone. Doing it that way is at least as secure as md5. My usernames are anywhere from 5 to 10 characters long.