
The PASSWORD() function in MySQL works fine for me when inserting and updating, such as here:

```php
$query_insert = "INSERT INTO `account`(`Gender`, `Birth_date`, `Name`, `UserName`, `Password`, `Email`, `Type`) VALUES ('" . $gender . "' , '" . $birthdate . "' , '" . $name . "' , '" . $username . "' , password('" . $password . "') , '" . $email . "' , 'Member' ) ";
```

It inserts the hashed password correctly,

but when I try to retrieve it in the login code, it doesn't work!

```php
mysqli_query($con, "SELECT * FROM account where UserName = '" . $username . "' AND password = password('" . $password . "') ");
```

I tried to use

```php
mysqli_set_charset($con, 'utf8');
```

but the result is the same. I even tried to use it in phpMyAdmin as a SELECT query, and got the same error!

UPDATE

I used MD5() and it worked for me!

user3504563

1 Answer

As documented under PASSWORD():

> **Note**
>
> The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications. For that purpose, consider MD5() or SHA2() instead. Also see RFC 2195, section 2 (Challenge-Response Authentication Mechanism (CRAM)), for more information about handling passwords and authentication securely in your applications.

Also, if you're rolling your own authentication system (which I'd strongly discourage), you really should read both The definitive guide to form based website authentication and Secure hash and salt for PHP passwords.

eggyal

  • @user3504563: One can only therefore conclude that you followed none of the advice I just gave (I strongly discouraged rolling your own auth system, the "Secure hash and salt for PHP passwords" link explicitly says "**Never hash passwords with SHA1 or MD5! Modern crackers can exceed 60 and 180 billion hashes/second (respectively).**" and "The definitive guide to form based website authentication" contains a whole host of other important information you've undoubtedly ignored). Using MD5(), you may as well not bother hashing your passwords at all - just store them plaintext. – eggyal Apr 18 '14 at 09:43
  • @user3504563 - Please please use the PHP function [password_hash()](http://php.net/manual/en/function.password-hash.php) instead of the fast MD5. It is not possible to verify a password safely in an SQL statement, you first have to retrieve the password then you can use the function [password_verify()](http://php.net/manual/en/function.password-verify.php). – martinstoeckli Apr 19 '14 at 17:42
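As an added example, not code from the question or from either commenter: the flow martinstoeckli's comment describes, in PHP, with `password_hash()`/`password_verify()` and PDO prepared statements, so the hash is fetched by username and compared in PHP rather than inside the SQL statement. The `account` table and its `UserName`/`Password` columns follow the question; the function names, the PDO connection and the in-memory SQLite database standing in for MySQL (so the script runs offline) are assumptions.

```php
<?php
// Added example (not the asker's or answerer's code): store and check
// passwords with password_hash()/password_verify() and prepared statements
// instead of comparing PASSWORD() or MD5() output inside the query.
// Assumptions: table `account` with `UserName` and `Password` columns as on
// the page; an in-memory SQLite database stands in for the MySQL connection
// so the script runs offline (use a "mysql:host=...;dbname=..." DSN in practice).

function registerUser(PDO $pdo, string $username, string $password): void
{
    // bcrypt (PASSWORD_DEFAULT) with a random salt; salt and cost are stored
    // inside the hash string itself, so the column should be VARCHAR(255).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO `account` (`UserName`, `Password`) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function verifyLogin(PDO $pdo, string $username, string $password): bool
{
    // Look the row up by username only; the password comparison happens in PHP.
    $stmt = $pdo->prepare('SELECT `Password` FROM `account` WHERE `UserName` = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        // Unknown user: still run one verify against a throwaway hash so the
        // response takes about as long as for a real user (no timing-based
        // username enumeration).
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('unused', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // Transparently upgrade hashes made with an older algorithm or lower cost.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE `account` SET `Password` = ? WHERE `UserName` = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $username]);
    }
    return true;
}

// Constructed demo data against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `account` (`UserName` TEXT PRIMARY KEY, `Password` TEXT NOT NULL)');

registerUser($pdo, 'alice', 'correct horse battery staple');
var_dump(verifyLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(verifyLogin($pdo, 'alice', 'wrong password'));
var_dump(verifyLogin($pdo, 'nobody', 'anything'));
```

Because the hash is never part of the SQL text, the query cannot be made to match on a wrong password by SQL injection, and the database never sees the plaintext password at all; both points are lost when the password is concatenated into a `WHERE ... = PASSWORD('...')` clause as in the question.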