0

So I just learned about storing passwords with MD5 hash and salt in PHP/MySQL. The method I'm using is md5(md5($row["id"].$password)), so the salt is an MD5 hash of the user's ID in my SQL table (which is an auto-incremented INT), which is concatenated to the inputted password string and then re-hashed.

The problem I'm encountering is that when I trying making a test account, and then logging in with the test account, the hash I generate on logging in isn't matching the hash I created when the account was created.

Login Code:

<?php

$login = mysqli_connect("hiding this info for obvious reasons");

if ($_POST["login"])
{

    $email = $_POST["email"];
    $password = $_POST["passsword"];

    $query = "SELECT * FROM useraccs WHERE email='$email'";

    if ($result = mysqli_fetch_array(mysqli_query($login,$query)))
    {
        $hashpass = md5(md5($result["id"]).$password);

        if ($hashpass == $result["password"])
        {

            $errors = "Logged in succesfully.";

        }

    }
    else
    {
        $error.= "E-mail/Password do not match anything in our database.";
    }

}

?>

Register Code:

<?php

$login = mysqli_connect("hiding this info for obvious reasons");

if ($_POST["submit"])
{

    $username = $_POST["username"];
    $email = $_POST["email"];

    $query = "INSERT INTO useraccs (username,email) values('$username','$email')";

    mysqli_query($login,$query);

    $query = "SELECT id FROM useraccs WHERE username='$username'";

    $userid = mysqli_fetch_array(mysqli_query($login,$query))["id"];

    $password = md5(md5($userid).$_POST["password"]);

    $query = "UPDATE useraccs SET password='$password' WHERE username='$username'";

    mysqli_query($login,$query);

}

?>

As you can see, the way I hash the password in both scenarios is identical, and I have done testing to confirm that I am getting the same value for the ID in both scenarios. I am truly stumped as to why I am not getting a match.

I'd like to mention I am very new to using MySQL/creating login systems, so if I've done anything blatantly wrong or have left out essential information, please let me know.

Eric David Sartor
  • 597
  • 2
  • 8
  • 22
  • 5
    It's 2016 now, why are you using md5 for passwords? – Mark Baker Mar 05 '16 at 20:40
  • 3
    **Danger**: You are **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that you need to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Mar 05 '16 at 20:43
  • 4
    **Danger**: You are using [an unsuitable hashing algorithm](http://php.net/manual/en/faq.passwords.php) and need to [take better care](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) of your users' passwords. – Quentin Mar 05 '16 at 20:43
  • 1
    If this is a live site or intended to go live, *call it a blessing in disguise*. – Funk Forty Niner Mar 05 '16 at 20:45
  • I am entirely aware that I'm vulnerable to SQL injection, I haven't gotten that far in the learning process yet. I'm trying to take things one step at a time, so no, this is not intended to go live. I'm using md5 because that's what I was taught with. Clearly there is a better way, and I'm going to go read about it now! – Eric David Sartor Mar 05 '16 at 20:47
  • ok, well what's the password column's length? Plus, we don't know if your form's failing or not, so use error reporting for that and the query - http://php.net/manual/en/function.mysql-error.php and http://php.net/manual/en/function.error-reporting.php – Funk Forty Niner Mar 05 '16 at 20:51
  • well, either you're trying to figure this out, or you left your question. I left you a comment but no response. If you care to respond to it, @ / ping me. I am moving on. – Funk Forty Niner Mar 05 '16 at 21:00
  • 2
    `$_POST["passsword"]` with three s correct? – Sami Kuhmonen Mar 05 '16 at 21:04
  • 1
    Ok, so I've just learned about `password_hash` and `password_verify`, which seems to be the current standard, correct? I am using that now. Also, the 3 s's in password was the problem all along. But I'm glad I made the mistake because I learned a more secure way to store passwords. Now I'm going to tackle SQL injection. – Eric David Sartor Mar 05 '16 at 21:08
  • @Fred Is this a suitable way to be storing passwords? `password_hash($_POST["password"],PASSWORD_BCRYPT)` – Eric David Sartor Mar 05 '16 at 21:10
  • sure is but you didn't answer my question from earlier, or is that no longer relevant? – Funk Forty Niner Mar 05 '16 at 21:13
  • About the column length? I'm not really sure what it is, I never set it in MySQL. I'm not entirely sure it is relevant anymore, as I did finally get the login to work with `password_verify`. – Eric David Sartor Mar 05 '16 at 21:33
  • It's a "TEXT" type, if that's what you're referring to. Like I said, I'm VERY new to this stuff, so I'm still figuring this all out, but I appreciate your help. – Eric David Sartor Mar 05 '16 at 21:34

1 Answers1

0

First of all, please see the warnings in the comments, your code is highly unsure.

Regarding the md5: You are using 

mysqli_fetch_array(mysqli_query($login,$query))["id"];

This will always return an array. Be sure to get only the field.

Zsolt Szilagyi
  • 4,741
  • 4
  • 28
  • 44