Good day/night everyone,

I'm having a problem with my login script. I have my password as an md5 hash in the registration. The registration is successful and the password is in md5 form in the database table. But the problem occurs whenever I try to log in with the username and password. It seems that the password entered during login is not == with the md5 password in the database. Here is my code, hope someone can spend a little time with me :queasy:

<?php
include 'dbconnect.php';

if(!isset($_POST['submit']))
{
?>

<html>
...
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
      <p>Username&nbsp;:<br>
	  <input type="text" name="username" maxlength="20">
	  </p>
	  <p>Password&nbsp;:<br>
	  <input type="password" name="password" maxlength="20">
	  </p>
	  <p>
	  <input type="submit" name="submit" value="Submit">
	  </p>
	  </form>
...
</html>
<?php
}
else
{
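  // cleanString() is not shown here (presumably defined in dbconnect.php).
  // The query below is only safe if it escapes the input for MySQL.
  $username = cleanString($_POST['username']);
  $password = cleanString($_POST['password']);

if($username && $password)
{
	// Must be the same single md5() that was applied at registration.
	$password = md5($password);
	$sql="SELECT id,username FROM `users` WHERE `username`='$username' AND `password`='$password'";
	$query=mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($query) > 0)
{
	  // Requires session_start() to have been called earlier (not shown here).
	  $row = mysql_fetch_assoc($query);
	  $_SESSION['id'] = $row['id'];
	  $_SESSION['username'] = $row['username'];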


	  echo "<script type=\"text/javascript\">window.location=\"members_area.php\"</script>";
}
else
   {
		echo "<script type=\"text/javascript\">
		alert(\"Your username or password is incorrect\");
		window.location=\"index.php\"</script>";
   }	
}
else
{			
    echo "<script type=\"text/javascript\">
    alert(\"You need to input your username and password\");
    window.location=\"index.php\"</script>";
}
}
?>

    Did you also use PHP's md5 function when storing the password to begin with?

    Note that you should use a salt instead of just applying a cryptographic hash when storing passwords.

      Yes, I use the md5 of PHP 5. I did make it work just a moment ago. It was an error I created, in which I converted the md5('password') into an md5(password) again on the other PHP page. 😃

      By the way, I've heard of salt, but precisely I'm confused about how to infuse it into my scripts.

      Thanks laserlight once again 🙂

        kingdm wrote:

        By the way, I've heard of salt, but precisely I'm confused about how to infuse it into my scripts.

        Randomly generate a short string specific to each user and store it in the database. To compute the hash, concatenate the password with this salt value, then take the hash. Alternatively, take a hash of the password, then concatenate the salt, then take a hash of the result and store the final result. Repeat the same process to authenticate.
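
The per-user salt scheme described in the reply above, as an added example that is not part of the original thread: it uses SHA-256 in place of md5, an in-memory `$users` array as a constructed stand-in for the `users` table, and hypothetical helper names `make_salted_record()` and `check_salted_record()`. It assumes PHP 7 or later for `random_bytes()`, and ends with PHP's built-in `password_hash()`, which generates and stores the salt itself.

```php
<?php
// Added example. $users stands in for the `users` table (constructed data).

// Registration: random salt specific to each user, then hash(password . salt).
function make_salted_record(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters, stored next to the hash
    return ['salt' => $salt, 'hash' => hash('sha256', $password . $salt)];
}

// Login: repeat the same process with the stored salt and compare the results.
function check_salted_record(array $record, string $password): bool
{
    $candidate = hash('sha256', $password . $record['salt']);
    // hash_equals() compares in constant time, unlike == or ===
    return hash_equals($record['hash'], $candidate);
}

$users = [];
$users['demo_user_a'] = make_salted_record('correct horse');
$users['demo_user_b'] = make_salted_record('correct horse');

// Two users with the same password get different stored hashes,
// so one precomputed table cannot be reused across accounts.
var_dump($users['demo_user_a']['hash'] !== $users['demo_user_b']['hash']);

// The right password verifies, a wrong one does not.
var_dump(check_salted_record($users['demo_user_a'], 'correct horse'));
var_dump(check_salted_record($users['demo_user_a'], 'wrong guess'));

// Built-in alternative (PHP 5.5+): password_hash() picks a random salt and a
// deliberately slow algorithm, and embeds both in the string it returns,
// so a single column holds everything password_verify() needs.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
var_dump(password_verify('wrong guess', $stored));
```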
