0

I have a login form with UserId and Password. I guess the problem is with the md5 password in the MySQL database. So how do I compare the HTML form password with the MySQL password?

here is the code for the login form

```html
<body>
    <form method="post" action="validate_login.php">
        <table border="1">
            <tr>
                <td><label for="LoginID">LoginID</label></td>
                <td><input type="text"
                  name="LoginID" id="LoginID"></td>
            </tr>
            <tr>
                <td><label for="password">password</label></td>
                <td><input name="password"
                  type="password" id="password"></td>
            </tr>
            <tr>
                <td><input type="submit" value="Submit"/></td>
                <td><input type="reset" value="Reset"/></td>
            </tr>
        </table>
    </form>
</body>
```

And the php code :

```php
<?php

// Grab User submitted information

$LoginID = $_POST["LoginID"];
$password = $_POST["password"];
//$UserID= $_POST["UserID"];
// Connect to the database

$username = "avaninfo_dairy";
$password = "CMANcustomersupportsystem1234#";
$hostname = "localhost";

//connection to the database
$con = mysqli_connect($hostname, $username, $password)
  or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";

// Select the database to use
mysql_select_db("avaninfo_dairy",$con);

$result = mysqli_query("SELECT * FROM cman_users WHERE LoginID = $LoginID");

$row = mysqli_fetch_array($result);

if($row["LoginID"]==$LoginID && $row["Password"]== $password)
    echo"You are a validated user.";
else
    echo"Sorry, your credentials are not valid, Please try again.";
?>
```
j08691
John Simon
  • One problem is that you're mixing MySQL protocol APIs. – j08691 Jan 20 '15 at 04:43
  • You can't, since you're overwriting your POSTed password with your database password. :P But if you weren't, just `md5` your POSTed password and compare to the recorded `md5`'d password. However, I suggest you move away from `md5` and use [`password_hash`](http://php.net/manual/en/function.password-hash.php) instead - MD5 is not secure. – Amadan Jan 20 '15 at 04:43

7 Answers

1

The way to do this would be to md5-encode the password from the user, using the same salt, and check it against the md5 hash stored in the database. http://php.net/md5

Asheliahut
  • If your password isn't salted, it should be; yes, standard practice this day and age is to have a different salt for each md5 password. If it isn't salted, don't worry, just md5-encode and check against it. http://stackoverflow.com/questions/14538034/md5-salt-password-php – Asheliahut Jan 20 '15 at 04:49
  • 1
    Standard practice this day and age is to use bcrypt or another good password hashing algorithm, not md5 digest. – Amadan Jan 20 '15 at 04:50
  • That is true, but if you are still using md5 it is best to still. – Asheliahut Jan 20 '15 at 04:50
  • Quote from your own link's accepted answer: "Using the mailaddress as salt is a good idea. But using md5 is not. Use instead bcrypt, scrypt or pbkdf2. Don't invent your own encryption, unless you really know what you are doing, and trust me, you don't". – Amadan Jan 20 '15 at 04:52
  • I am not saying you should use md5, I am just answering the question of the OP. – Asheliahut Jan 20 '15 at 04:53
1

Use the md5 function

```php
$row = mysqli_fetch_array($result);

if ($row["LoginID"] == $LoginID && $row["Password"] == md5($password))
    echo "You are a validated user.";
else
    echo "Sorry, your credentials are not valid, Please try again.";
```
chiliNUT
1

Use MD5 built in function:

```php
if ($row["LoginID"] == $LoginID && $row["Password"] == MD5($password))
    echo "You are a validated user.";
else
    echo "Sorry, your credentials are not valid, Please try again.";
```
1

(Assuming you want to compare an unhashed password to an md5 hashed password.)

Change `$row["Password"] == $password` to `$row["Password"] == md5($password)`.

```php
$row = mysqli_fetch_array($result);

if ($row["LoginID"] == $LoginID && $row["Password"] == md5($password))
    echo "You are a validated user.";
else
    echo "Sorry, your credentials are not valid, Please try again.";
```

More info on md5: http://php.net/manual/en/function.md5.php

P.S. - If it is within your control, I recommend that you use `password_hash()` and `password_verify()` to hash your passwords. It is much more secure than `md5()`.

Blue Sheep
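
An added example (not part of any answer on this page) of the `password_hash()` / `password_verify()` approach recommended above, extended to accept existing md5 digests and upgrade them on the next successful login. The `$users` array, the `verify_login()` helper and the sample passwords are constructed for illustration and stand in for the `cman_users` table.

```php
<?php
// Constructed sample data standing in for the cman_users table: one legacy
// row holding an md5 hex digest, one row already using password_hash().
$users = [
    'alice' => md5('correct horse'),                        // legacy format
    'bob'   => password_hash('hunter2!', PASSWORD_DEFAULT), // current format
];

/**
 * Hypothetical helper: check a submitted password against the stored value.
 * Returns [bool $ok, ?string $newHash]; $newHash is set when the stored
 * value should be replaced (legacy md5 or outdated hashing parameters).
 */
function verify_login(string $submitted, string $stored): array
{
    // A 32-character hex string is treated as a legacy unsalted md5 digest.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);

    if ($isLegacyMd5) {
        // hash_equals() compares in constant time, unlike == or ===.
        $ok = hash_equals(strtolower($stored), md5($submitted));
        return [$ok, $ok ? password_hash($submitted, PASSWORD_DEFAULT) : null];
    }

    $ok = password_verify($submitted, $stored);
    $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [$ok, $rehash ? password_hash($submitted, PASSWORD_DEFAULT) : null];
}

// Simulated logins: (LoginID, submitted password).
$attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'hunter2!']];
foreach ($attempts as [$id, $pw]) {
    [$ok, $newHash] = verify_login($pw, $users[$id]);
    if ($newHash !== null) {
        $users[$id] = $newHash; // in a real application: UPDATE the row
    }
    printf("%s / %s: %s%s\n", $id, $pw, $ok ? 'valid' : 'invalid',
        $newHash !== null ? ' (hash upgraded)' : '');
}

// After the upgrade, alice's row verifies with password_verify() alone.
var_dump(password_verify('correct horse', $users['alice']));
```

The `Password` column must be wide enough for the new format; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.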
1

You can use the md5 function. Also you do not need to check the LoginID because the SQL Select prefilters.

```php
if($row["Password"]== md5($password))
```

However the overall security system is wrong. The web browser should send username and md5(password). The password should never be sent over the internet.

Also, the MD5 hash has been proven to be hackable. Use SHA-1 hash at a minimum.

And most systems salt the hash so that the same password for different users has a different hash value in the database.

Richard Schneider
1

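```php
<?php

// Grab user-submitted information; the Password column holds an md5 hex digest
$LoginID = $_POST["LoginID"];
$passwordHash = md5($_POST["password"]);
//$UserID= $_POST["UserID"];

// Database credentials, kept in their own variables so they do not
// overwrite the submitted password
$dbUser = "avaninfo_dairy";
$dbPass = "CMANcustomersupportsystem1234#";
$hostname = "localhost";

// Connect to the database and select the schema in the same call
$con = mysqli_connect($hostname, $dbUser, $dbPass, "avaninfo_dairy")
    or die("Unable to connect to MySQL");
echo "Connected to MySQL<br>";

// Bind the values as parameters instead of interpolating them into the SQL
$stmt = mysqli_prepare($con, "SELECT LoginID FROM cman_users WHERE LoginID = ? AND Password = ?");
mysqli_stmt_bind_param($stmt, "ss", $LoginID, $passwordHash);
mysqli_stmt_execute($stmt);
mysqli_stmt_store_result($stmt);

// Number of rows matching both the login ID and the password hash
$row = mysqli_stmt_num_rows($stmt);

if ($row > 0)
    echo "You are a validated user.";
else
    echo "Sorry, your credentials are not valid, Please try again.";
?>
```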
Try this one; it will work fine.
0

The answer is simple. To have some clarity, first you need to get an idea of what's going on.

Your MD5 Hashing algorithms which is stored in your database

"md5 password in the mysql database"

are one way. That means you cannot "undo" it once it's encrypted. What you can do is compare a hashed value to it to see if it matches.

How to compare HTML form password with mysql password.??

This will compare the HTML form password with the MySQL password, `$hashed_value_from_mysql` being your encrypted password from MySQL and `$_POST[password]` being your password from the form submission, where your `name="password"` is accessible through `$_POST` after you submit the form, depending on which method you use.

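```php
// Hash the submitted value itself; single quotes around the variable would
// hash the literal text instead of the posted password
if ($hashed_value_from_mysql === md5($_POST['password'])) {
  //if the password matched do whatever here
} else {
  //it doesn't match, throw an error
  echo "password doesn't match";
}
```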
unixmiah