-4

Why doesn't the following query work? I'm working with md5 and it doesn't do anything.

```php
$query = "select email from user where email='".$email."' and password='".md5('$password')."'";
```

Any suggestions?

Irina Farcau
  • 1
    Don't use quotes around `$password`. It's unneeded, and single quotes mean that it will pass the phrase `$password`, not the value. – aynber Jul 13 '16 at 15:16
  • 2
    `md5` is not a good way to encrypt a password given that `password_hash` is exactly as simple to use and much more secure. – apokryfos Jul 13 '16 at 15:19
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 18 '16 at 21:13

1 Answer

1

You need to remove the quotes in md5 encryption:

`md5('$password')` to `md5($password)`

```php
$query = "select email from user where email='".$email."' and password='".md5($password)."'";
```
I'm Geeker
  • I understand that you're trying to help the OP, but please do not reinforce the habit of using MD5 hashes for passwords. – Jay Blanchard Jul 18 '16 at 21:14
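
The quoting bug from the question next to the `password_hash` approach the comments recommend, as an added example that is not part of the original question, answer or comments. It assumes PDO with an in-memory SQLite database; the `register` and `login` helpers and all sample values are hypothetical, while the `user` table and its `email` and `password` columns follow the question's query.

```php
<?php
// Added example, not code from the question or the answer.
// All values are constructed; PDO with in-memory SQLite is an assumption.
$password = 'correct horse';

// 1. The bug in the question: single quotes do not interpolate variables,
//    so md5('$password') hashes the literal nine characters "$password"
//    for every user, which is why the lookup never matched a stored hash.
var_dump(md5('$password') === md5($password));

// 2. What the comments recommend: password_hash() when storing,
//    password_verify() when checking, and no escaping of the password first.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (email TEXT PRIMARY KEY, password TEXT NOT NULL)');

function register(PDO $db, string $email, string $password): void
{
    // PASSWORD_DEFAULT selects PHP's current default algorithm and
    // generates a random salt that is stored inside the returned string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep $email and $hash out of the SQL text.
    $stmt = $db->prepare('INSERT INTO user (email, password) VALUES (?, ?)');
    $stmt->execute([$email, $hash]);
}

function login(PDO $db, string $email, string $password): bool
{
    // Look the row up by email only. A salted hash differs on every call,
    // so it cannot be compared inside the WHERE clause as the MD5 query did.
    $stmt = $db->prepare('SELECT password FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn();   // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

register($db, 'alice@example.test', $password);

// Correct password, the literal string from the bug, and an unknown account.
var_dump(login($db, 'alice@example.test', $password));
var_dump(login($db, 'alice@example.test', '$password'));
var_dump(login($db, 'nobody@example.test', $password));
```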