PHP md5 password not equal to database md5 password

Question

So, I'm having this issue with my login script where the MD5 password stored in my MySQL database is decrypted and it will check if the password is equal to the one entered.

My code is as follows:

if(isset($_POST['btn-login']))
{
 $email = mysqli_real_escape_string($_POST['email']);
 $upass = mysqli_real_escape_string($_POST['pass']);
 $md5_pass = md5($upass);
 $res = mysqli_query($con, "SELECT * FROM users WHERE email='$email'");
 $row = mysqli_fetch_array($res, MYSQLI_ASSOC);
 if($row['password'] == $md5_pass)
 {
  $_SESSION['user'] = $row['user_id'];
  header("Location: profile.php");
 }
 else
 {  ?>
  <script>alert("Wrong details entered!");</script>
  <?php
 }

}

How do you save new users to the database? And BTW, md5 passwords in your database are not decrypted when you compare them, you just compare hashes. — akasummer, Jun 24 '15 at 11:25
If you're using `mysqli` you should arguably also use prepared statements. — Ja͢ck, Jun 24 '15 at 11:36
Please read [this answer](http://stackoverflow.com/a/10945097/1338292) and the section on password hashing in particular. — Ja͢ck, Jun 24 '15 at 11:39
Btw, you probably should have `$md5_pass = md5($_POST['pass']);` — Ja͢ck, Jun 24 '15 at 11:41

score 1 · Answer 1 · answered Jun 24 '15 at 11:27

1

Both the md5() will be same. You must check your column datatype and number of characters limit.

Check whether your database is having encrypted value. Because you are comparing it with md5() value.

answered Jun 24 '15 at 11:27

AnkiiG

3,468
1
17
28

The database holds the encrypted password. So, my script will encrypt the password entered by the user and check if the encrypted password is equal to the one in the database – Brosky aP Jun 24 '15 at 11:34
What is the column datatype and number of characters limit? @BroskyaP – AnkiiG Jun 24 '15 at 11:35
I'm using varchar(50) @AnkiiGangrade – Brosky aP Jun 24 '15 at 12:09
can you `echo` and paste these 2 variables : `$row['password']` and `$md5_pass`? – AnkiiG Jun 24 '15 at 12:24
only returns the `$md5_pass`, which returns: `cc03e747a6afbbcbf8be7668acfebee5` – Brosky aP Jun 24 '15 at 12:34
What result you get when you `print_r($row);` before `if` condition? – AnkiiG Jun 24 '15 at 12:56
Nothing happens @AnkiiGangrade – Brosky aP Jun 24 '15 at 13:07
That means the email id does not exist in your database. You should check number of rows also before `if` like `$rowcount=mysqli_num_rows($res);` @BroskyaP – AnkiiG Jun 24 '15 at 13:17
I ran the query with the `email="myemail"` in phpMyAdmin and it worked fine – Brosky aP Jun 24 '15 at 13:29
@BroskyaP : Use like this : `$sql = "SELECT * FROM users WHERE email='".$email."'"; $res = mysqli_query($con, $sql);` Also echo `$sql` and check that query. – AnkiiG Jun 24 '15 at 13:31
The `echo $sql` gives me the right values. But, the login in general still does not work – Brosky aP Jun 24 '15 at 13:37
If your query is right then why you are not getting anything in when you print `print_r($row);`? Are you getting any error? – AnkiiG Jun 24 '15 at 13:41
Apparently I had error reporting turned off, right now the error is `mysqli_fetch_array() expects parameter 1 to be mysqli_result` while I'm passing it `$res` which is the result? – Brosky aP Jun 24 '15 at 13:50
Is `$con` a valid connection? – AnkiiG Jun 24 '15 at 13:58
It should be, it is defined in the connection file as `$con = mysqli_connect("localhost", "root", ""); if (mysqli_connect_errno()) { echo "Failed to connect to MySQL: " . mysqli_connect_error(); }` – Brosky aP Jun 24 '15 at 14:00
Have to used `mysqli_select_db($con,"DATABASENAME");` ? – AnkiiG Jun 24 '15 at 14:02
Tried that before, but apparently it works this time! Thanks a lot – Brosky aP Jun 24 '15 at 14:04

score 1 · Answer 2 · answered Jun 24 '15 at 11:35

1

Don't escape before performing md5 on the query.

Ankii's reply can also solve the issue if you have a varchar which is too small.

Also, use a better hashing system (sha512?). Also, use salt.

answered Jun 24 '15 at 11:35

Alexandre

306
1
7

The better hashing system is either bcrypt, scrypt, or some kind of KDF as last resort. – Ja͢ck Jun 24 '15 at 11:38
Hey @Ja͢ck, I'll be sure to use that at a later stage! – Brosky aP Jun 24 '15 at 12:11

PHP md5 password not equal to database md5 password

2 Answers2