
I set up signup.php with the password md5 encrypted and it works OK when I checked it in phpMyAdmin, but when I apply the md5 to login.php it doesn't match the passwords. It always says wrong password. It could be the syntax but I couldn't figure it out...

signup.php

```php
if (isset($_POST['user']))
{
    $user = sanitizeString($_POST['user']);
    $pass = sanitizeString($_POST['pass']);

    if ($user == "" || $pass == "")
        $error = "Not all fields were entered<br /><br />";
    else
    {
        if (mysql_num_rows(queryMysql("SELECT * FROM members
              WHERE user='$user'")))
            $error = "That username already exists<br /><br />";
        else
        {
            queryMysql("INSERT INTO members VALUES('$user', '".md5('$pass')."')");
            die("<h4>Account created</h4>Please Log in.<br /><br />");
        }
    }
}
```

login.php

```php
if(isset($_POST['user'])) {
    $user = sanitizeString($_POST['user']);
    $pass = sanitizeString($_POST['pass']);

    if ($user == "" || $pass == "") {
        $error = "Not all fields were entered<br />";
    } else {
        $query = "SELECT user,pass FROM members WHERE user = '$user' AND pass = \'\".md5('$pass').\"\'";

        if(mysql_num_rows(queryMysql($query)) == 0) {
            $error = "<span class='error'>Username/Password invalid</span><br /><br />";
        } else {
            $_SESSION['user'] = $user;
            $_SESSION['pass'] = $pass;
            die("You are now logged in. Please <a href='society.php?view=$user'>" . 
                "click here</a> to continue.<br /><br />");
        }
    }
}
```
Yunus Yen
  • There is a difference between [single quoted and double quoted strings in PHP](http://www.php.net/manual/en/language.types.string.php). – Gumbo Mar 17 '13 at 19:11
  • MD5 is **broken** for hashing passwords. [See this post](http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords). – Waleed Khan Mar 17 '13 at 19:12
  • What you are doing is extremely dangerous. You are **wide open** to SQL injection, and you **will be hacked** if you haven't been already. Learn to use prepared/parameterized queries with PDO or similar. – Brad Mar 17 '13 at 19:15
  • @WaleedKhan No, it’s not. [MD5 is still resistant to preimage attacks.](http://en.wikipedia.org/wiki/MD5#Preimage_vulnerability) – Gumbo Mar 17 '13 at 19:15
  • @Gumbo, He isn't even salting his passwords. It's definitely not safe. – Brad Mar 17 '13 at 19:16
  • @Brad That depends on what `sanitizeString` does. – Gumbo Mar 17 '13 at 19:16
  • Broken may not have been the best word. – Waleed Khan Mar 17 '13 at 19:17
  • @Gumbo, True, I didn't catch that on first read. – Brad Mar 17 '13 at 19:17
  • @Brad That’s completely different than saying: “MD5 is broken for hashing passwords”. – Gumbo Mar 17 '13 at 19:18

1 Answer

I think the buggy part is `md5('$pass')` from

```php
queryMysql("INSERT INTO members VALUES('$user', '".md5('$pass')."')");
```

Because you have an uninterpolated string there - try with:

```php
queryMysql("INSERT INTO members VALUES('$user', '".md5($pass)."')");
```
Tudor Constantin
  • The inserting works fine, I just put it here for the integrity of the code. I am having problems with login.php, the SELECT part, but thanks anyway – Yunus Yen Mar 17 '13 at 19:15
  • I don't think the `INSERT` part is fine, try to log in with password `$pass` for any user and see if that works – Tudor Constantin Mar 17 '13 at 19:19
  • With this signup.php I can sign up new users, and when I check phpMyAdmin their passwords are md5 encrypted. I think it's good, but I have problems with the checking section in login.php – Yunus Yen Mar 17 '13 at 19:55
  • in your phpmyadmin, are you seeing different values for the encrypted passwords, or are you seeing the same value across all the users? (I think all your users are having `b148e7f41fdc3be4b14e8d17e068bbad` as the encrypted value for the password) – Tudor Constantin Mar 17 '13 at 20:09
  • You are right, in phpMyAdmin they all have the same password, so what did I do wrong, do you think? – Yunus Yen Mar 17 '13 at 20:45
  • I told you earlier - the `INSERT` statement is wrong, it always md5 encodes the string **$pass** instead of the value from the `$pass` variable. Change that and see if it works – Tudor Constantin Mar 17 '13 at 20:58
  • I tried your code and it's the same, it stores the same md5 codes for every user... – Yunus Yen Mar 17 '13 at 21:50
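
An added example, not part of the original thread or either poster's code: it shows the quoting difference the answer points at, then a signup/login pair using PDO bound parameters (as suggested in the comments) with PHP's `password_hash()`/`password_verify()` in place of `md5()`. The in-memory SQLite database, the table layout and the sample credentials are assumptions made so the script runs on its own.

```php
<?php
// Added example with constructed data; uses in-memory SQLite (pdo_sqlite) so it runs offline.

// Part 1: the quoting bug. Single quotes never interpolate, so md5('$pass')
// hashes the literal five characters "$pass" no matter what the user typed.
$pass = 'hunter2';                                // constructed sample password
var_dump(md5('$pass') === md5($pass));            // literal string vs. the variable's value
var_dump(md5('$pass') === md5('$' . 'pass'));     // literal string vs. the same literal

// Part 2: signup/login with bound parameters and a salted, slow password hash.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (user TEXT PRIMARY KEY, pass TEXT NOT NULL)');

function signup(PDO $db, $user, $pass)
{
    $check = $db->prepare('SELECT 1 FROM members WHERE user = ?');
    $check->execute([$user]);
    if ($check->fetchColumn() !== false) {
        return false;                             // username already exists
    }
    // password_hash() picks a random salt and embeds it in the returned string.
    $insert = $db->prepare('INSERT INTO members (user, pass) VALUES (?, ?)');
    return $insert->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $db, $user, $pass)
{
    // Fetch by user name only: salted hashes cannot be matched inside the
    // WHERE clause, so the comparison is done by password_verify() in PHP.
    $stmt = $db->prepare('SELECT pass FROM members WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    return $stored !== false && password_verify($pass, $stored);
}

var_dump(signup($db, 'alice', 'hunter2'));        // new account
var_dump(signup($db, 'alice', 'other'));          // duplicate user name is refused
var_dump(login($db, 'alice', 'hunter2'));         // correct password
var_dump(login($db, 'alice', '$pass'));           // the literal "$pass" no longer logs in
var_dump(login($db, 'nobody', 'hunter2'));        // unknown user
```

Because the user name and password are bound as parameters, neither value is ever concatenated into the SQL text, so the query does not depend on what `sanitizeString` does.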