md5 hash compare to database dont work php

Question

I have this code for my login test but sadly, my hash (md5) when once compared to the one record (if exist) that match the login data that has been pass through my login parameters. (refer to the code below) it always return $error = "Invalid username or password" but when i tried to remove the md5 hashing and make my password flat (none hashed) and it work which supposedly I dont want to flat my password for security purpose.

//check if there is post request named username and password
if (isset($_POST['username']) || isset($_POST['password'])){
//check if username and password is empty
if ($_POST['username'] === "" || $_POST['password'] === ""){
$error = "Username or password must not be empty.";
} elseif (preg_match('`^[a-zA-Z0-9_]@{1,}$`', $_POST['username'])) {
// check if username contains other than number, letters and underscore
$error = "Username must only letters, underscore and numbers!";
exit;
}else{ //not empty then check in database
//filter username and password to avoid sql injections
$username = htmlspecialchars(stripslashes($_POST['username']));
$password = htmlspecialchars(stripslashes($_POST['password']));
$password = md5($password);
$sql = "SELECT id from user WHERE username='$username' and password='$password'";
 //checking if the username is available in the table
$result = mysqli_query($db,$sql);
$count_row = $result->num_rows;
if ($count_row == 1) {
$_SESSION['login'] = true;
header('location: home.php');
exit;
}else{
        $error = "Invalid username or password";
} //end of else if theres no record found.
} //end of else isset username and password
}//end of isset username and password

and also this line

} elseif (preg_match('`^[a-zA-Z0-9_]@{1,}$`', $_POST['emailusername'])) {
// check if username contains other than number, letters and underscore
echo "Username must only letters, underscore and numbers!";
exit;

doesnt work too, as you see from above reference code line, it must check if username contains other than number, letters and underscore and then throw an error if username contains other than number, letters and underscore yet it always return $error="Username must only letters, underscore and numbers!";

any help, ideas, clues will be greatly appreciated. Thank you!

md5 for password hashing, just stop. http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords — , Mar 18 '15 at 00:17
regarding regex pattern, use this: %[^a-zA-Z0-9_]+% (in this particular case, if anything other than number, letter, or underscore is found - echo + exit). — sinisake, Mar 18 '15 at 00:30

score 0 · Accepted Answer · answered Mar 18 '15 at 01:36

0

md5 hash is not recommended to be safe no more. if you prefer md5 hashing still then as i see in your code (in line where md5 hashed) theres seems no problem. check your database and compare your password output (md5 hash).

answered Mar 18 '15 at 01:36

Juliver Galleto

8,831
27
86
164

1

thank you. I just mstype the password. good point for comparing to the database – Juliver Galleto Mar 18 '15 at 01:38

md5 hash compare to database dont work php

1 Answers1