how to use md5() function with my sql database

Question

my problem is solved. I don't expect for more answers. So, please don't vote down, cause I need some reputations to vote up for others post. Thanks

I try to use md5() for the login system but it doesn't encrypt password. It still display the original password on my database. Here is my code:

mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

$myusername=$_POST['myusername']; 
$mypassword=md5($_POST['mypassword']); 



$sql="select * from $tbl_name where username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1){
session_register("myusername");
session_register("mypassword"); 
header("location:login_success.php");
}
else {
header("location:login.html");
}
?>

I just edit my code to $mypassword=md5($_POST['mypassword']);

echo md5($mypassword); should be $mypassword = md5($mypassword); — Wayne Whitty, Nov 30 '12 at 10:14
You should keep in mind that MD5 is considered insecure nowadays. If you start something new, you should use a more secure hashing algorithm, like SHA1. — Gerald Schneider, Nov 30 '12 at 10:16
Also, `mysql_*` functions shouldn't be used anymore since they are going to be deprecated in future versions of PHP. — Gerald Schneider, Nov 30 '12 at 10:17
@GeraldSchneider SHA1 is almost as weak as MD5. The get collision resistance, use SHA2 or SHA3. — CodesInChaos, Nov 30 '12 at 13:19
No plain hash function is appropriate for password hashing. This includes SHA-1/2/3. You must use a salt and key strengthening. bcrypt is a good choice. — CodesInChaos, Nov 30 '12 at 13:19

score 9 · Accepted Answer · edited May 23 '17 at 12:22

9

You just printed the md5d password, store it into the variable before insertion

$mypassword = md5($_POST['mypassword']);
$sql="select * from $tbl_name where username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

I think your logic have some problem, are you storing passwords in encrypted form? then only you can fetch the data by this select command, otherwise the $count=mysql_num_rows($result); is zero always

and please take a look here also

Why shouldn't I use mysql_* function in PHP?

edited May 23 '17 at 12:22

Community

1
1

answered Nov 30 '12 at 10:14

arun

3,667
3
29
54

Sorry,I new to php. I don't understand how the md5() work. Do I need to store password in encypted form in database OR I it will auto encrypt when I use md5() ? – surisava Nov 30 '12 at 10:33
no it will not auto encrypt, you must encrypt the password using the function `md5()` and use that encrypted value for storing inside the table, just like above. `$mypassword = md5($_POST['mypassword']);` `$sql="insert into $tbl_name (username,password) values ('$myusername','$mypassword');` `$result=mysql_query($sql);` – arun Nov 30 '12 at 10:36
what doesnt work?!!!! Do you look into your table? what you can see in password column? – arun Nov 30 '12 at 10:50
ah now it encypt but I can't login with the form? what should I do? – surisava Nov 30 '12 at 10:56
Sorry my internet connection is slow, now everything work well. thank you very much. Sorry but I don't have enough reputation to vote up you...Thanks again. – surisava Nov 30 '12 at 11:04
@LoverOfEvening Both tutorials advocate really bad practices. Please don't advertise them. – CodesInChaos Nov 30 '12 at 13:21
2

Please, *please* escape your POST variables to protect against SQL injection. Every time you don't escape them, a kitten dies. – Jon Cairns Nov 30 '12 at 15:02

score 3 · Answer 2 · answered Nov 30 '12 at 10:15

3

SELECT MD5('testing');

For example

$sql="select * from $tbl_name where username='$myusername' and password=MD5($mypassword)";

In your sql

answered Nov 30 '12 at 10:15

som

4,650
2
21
36

score 3 · Answer 3 · answered Nov 30 '12 at 12:07

Storing unsalted MD5 hashes of passwords, is almost the same as storing them plaintext. With off-the-shelf hardware, one can try 8 Giga passwords per second, that means you can brute-force a whole dictionary with about 500'000 words in less than a millisecond!

Even more, there are tons of precalculated hash-tables for MD5 without salt, so just take an MD5 hash of your own password, type it into google and see what the original password was, or maybe it's better not to do it...

That's why one should use a slow key-derivation function like BCrypt nowadays. PHP 5.5 will have it's own functions password_hash() and password_verify() ready, to simplify this task. There is a compatibility pack for PHP 5.3/5.4 available, downloadable at password_compat.

I would invite you to ready more about correctly hashing passwords in this tutorial.

Just to emphasize: Hashing passwords with plain SHA-1/2/3 is almost as bad as using MD5. Those new password hashing functions are great, use them! — CodesInChaos, Nov 30 '12 at 13:24

mychalvlcek · Answer 4 · 2012-11-30T10:18:48.073

1

now you just echoing encrypted password to output:

echo md5($mypassword);

what you want is assign to the $mypassword

$mypassword = md5($mypassword);

edited Nov 30 '12 at 10:18

answered Nov 30 '12 at 10:13

mychalvlcek

3,956
1
19
34

what doesnt work? print $mypassword and you will see the result – mychalvlcek Nov 30 '12 at 10:22

score 1 · Answer 5 · answered Nov 30 '12 at 10:19

1

You MUST escape your strings, to block SQL injections. At the very least use mysql_real_escape_string(). And don't use MD5, use Sha1:

$mypassword = sha1($_POST['mypassword']);
$myusername = mysql_real_escape_string($_POST['myusername']);
$sql="select * from $tbl_name where username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

answered Nov 30 '12 at 10:19

Jon Cairns

11,783
4
39
66

Your use of SHA1 is just as bad as MD5. Both are cheap to brute-force, use bcrypt instead. – CodesInChaos Nov 30 '12 at 13:23
I agree, but it's even easier to attack a database by SQL injection, so that was the main point of my post. Given that the user didn't understand what `md5()` did, I think perhaps suggesting `sha1()` was a step too far! However, for a one-liner it adds slightly better encryption than MD5. – Jon Cairns Nov 30 '12 at 15:01
Both MD5 and SHA1 have significant collision weaknesses(irrelevant for password hashing), but first pre-images(relevant for password hashing) require >2^120 work, even for MD5. So guessing passwords is *much* more efficient than exploiting the weaknesses of MD5. The practical difference in strength for SHA-1 and MD5 for password hashing is negligible. – CodesInChaos Nov 30 '12 at 15:06

score 1 · Answer 6 · answered Nov 30 '12 at 10:53

I would recomend you to use mysqli or PDO.You just printed the md5d password, you need to store it value to particular variable and use that variable in to your query.To do it try this

<?php 
mysql_connect("$host", "$username", "$password") or die("cannot connect"); 

mysql_select_db("$db_name")or die("cannot select DB");

$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

$newpassword = md5($mypassword);

$sql="select * from $tbl_name where username='".$myusername."' and password='".$mypassword."'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);

if($count==1)
{
    session_register("myusername");
    session_register("mypassword"); 
    header("location:login_success.php");
}
else {
    header("location:login.html");
}
?>

how to use md5() function with my sql database

6 Answers6