[RESOLVED] How to Convert MD5 : Cannot Login

akacj

I have a basic login/register system

I was able to store the users passwords as MD5 encryption

When I try to login, I am getting login error. So when I copy and paste the md5 hash into the password box, it will login in successfully.

Somewhere in the code, the MD5 is not converting.

My login page Form Action is = "Redirect.php"
Also Requires "Functions.php"

I believe the error is in one of these files, but I can't find it. I feel like I keep beating my head against the wall to find it.

Redirect.php

<?php

//prevents caching
header("Expires: Sat, 01 Jan 2000 00:00:00 GMT");
header("Last-Modified: ".gmdate("D, d M Y H:i:s")." GMT");
header("Cache-Control: post-check=0, pre-check=0",false);
session_cache_limiter();

session_start();

//clear session variables
session_unset();


//require the functions file
require ("config.php");
require ("functions.php");

//check to see if cookies are already set, remember me
if ((!$lr_user) || (!$lr_pass))
{

$username = $_POST[username];
$password = $_POST[password];

}else{

$username = $lr_user;
$password = $lr_pass;

}

//if username or password is blank, send to errorlogin.html
if ((!$username) || (!$password)) 
{

header("Location:$base_dir/errorlogin.php");
exit;
}

//sets cookies to remember this computer if the user asks to
if ($_POST[remember] == "Yes")
{
setcookie("lr_user", $username, $duration, "/", $domain);
setcookie("lr_pass", $password, $duration, "/", $domain);
}

//sets session variables
sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password);

//check to see if the user has to change their password
if ($_SESSION[pchange] == "1")
{
	$_SESSION[redirect] = "$base_dir/pass_change.html";
}

//check to see if the user has activated the account
if ($_SESSION[verified] == "0")
{
	$_SESSION[redirect] = "$base_dir/not_activated.html";
}

//make the connection to the database
$connection = @mysql_connect($server, $dbusername, $dbpassword) or die(mysql_error());
$db = @mysql_select_db($db_name,$connection)or die(mysql_error());

//build and issue the query
$sql ="SELECT * FROM banned";
$result = @mysql_query($sql,$connection) or die(mysql_error());

while ($sql = mysql_fetch_object($result)) 
	{
	$banned = $sql -> no_access;
	if ($username == $banned || $REMOTE_ADDR == $banned)
		{
			include ('banned.html');
			exit;
		}
	}

$last_log = last_login();

//updates table with last log as now
$sql = "UPDATE $table_name SET last_login = '$last_log' WHERE username = '$_SESSION[user_name]'";
$result = @mysql_query($sql,$connection) or die(mysql_error());

if (($_SESSION[redirect] != "$base_dir/errorlogin.php") && ($log_login == "1"))
{
	include('loglogin.php');
}

//redirects the user	
header("Location:$_SESSION[redirect]");

?>

<head><title>Redirect</title></head>

Functions.php

<?php

//function to get the date
function last_login()
{
	$date = gmdate("Y-m-d");
	return $date;
}

//function that sets the session variable
function sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $user, $pass)
{


//make connection to dbase
$connection = @mysql_connect($server, $dbusername, $dbpassword)
			or die(mysql_error());

$db = @mysql_select_db($db_name,$connection)
			or die(mysql_error());

$sql = "SELECT * FROM $table_name WHERE username = '$user' and password = '$pass'";

$result = @mysql_query($sql, $connection) or die(mysql_error());


//get the number of rows in the result set
$num = mysql_num_rows($result);

//set session variables if there is a match
if ($num != 0) 
{
	while ($sql = mysql_fetch_object($result)) 
	{
		$_SESSION['first_name'] 	= $sql -> firstname;
		$_SESSION['last_name'] 	= $sql -> lastname; 
		$_SESSION['user_name'] 	= $sql -> username;       
		$_SESSION['password'] 	= $sql -> password;
		$_SESSION['group1']	 	= $sql -> group1;
		$_SESSION['group2']	 	= $sql -> group2;
		$_SESSION['group3'] 		= $sql -> group3;
		$_SESSION['pchange']		= $sql -> pchange;  
		$_SESSION['email'] 		= $sql -> email;
		$_SESSION['redirect']		= $sql -> redirect;
		$_SESSION['verified']		= $sql -> verified;
		$_SESSION['last_login']	= $sql -> last_login;
	}
}else{
	$_SESSION['redirect'] = "$base_dir/errorlogin.php";
}
}

//functions that will determine if access is allowed
function allow_access($group)
{
	if ($_SESSION['group1'] == "$group" || $_SESSION['group2'] == "$group" || $_SESSION['group3'] == "$group" ||
		$_SESSION['group1'] == "Administrators" || $_SESSION['group2'] == "Administrators" || $_SESSION['group3'] == "Administrators" ||
		$_SESSION['user_name'] == "$group")
		{
			$allowed = "yes";
		}else{
			$allowed = "no";
		}
	return $allowed;
}

//function to check the length of the requested password
function password_check($min_pass, $max_pass, $pass)
{

$valid = "yes";
if ($min_pass > strlen($pass) || $max_pass < strlen($pass))
{
	$valid = "no";
}

return $valid;
}
?>

Weedpacket

Your code runs:

$password = $_POST[password];
...
sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $username, $password);
...
function sess_vars($base_dir, $server, $dbusername, $dbpassword, $db_name, $table_name, $user, $pass)
...
$sql = "SELECT * FROM $table_name WHERE username = '$user' and password = '$pass'";

You don't hash the password before before embedding it in the query.

akacj

I put the md5 in front like this : $password = md5($_POST['password']);

And also, in the functions, I have tried putting : $pass = md5($pass);

It still won't login.

Thanks

laserlight

The code that you use for saving the password and the code that you use for checking it must match where the application of MD5 is concerned.

kender

This is here nor there, but you should consider using something other than md5 for encryption... there are more secure ways (check hash/salt, whirlpool, sha256)

akacj

Well, I'm using this System offline, actually on my home network, so I thought I might just stay with md5

This login code I found off the internet and it was using the MySQL Password function, to encrypt the passwords.

I just thought using md5 because, its easier for me, but can't figure it out because I'm a newb.

akacj

I have figured it out

In functions.php

the Line : $sql ... ... ... where password = '$pass'

Originally it was password = password('$pass'), using MySQL password function.

I had tried md5('$pass'), but keep getting error login. <<< This code ended up being right after all.

The problem was My MD5 hash in the database was wrong. The hash was wrong with my password. It did not match the hash.

So, I changed the hash to match the correct password, and it WORKED! 🙂

Marking Thread Resolved

Thanks Everyone

Weedpacket

MySQL's PASSWORD() function does not use MD5. In fact, it's supposed to be for internal use, and not in applications.