
signup.php

```php
$password_unencrypted = $_POST['passwd'];

$password = md5($password_unencrypted);

$query = "INSERT INTO Customers (firstname, lastname, username, password, " .
         "gender, mobile, email) " .
         "VALUES ('$first_name', '$last_name', '$user_name', '$password', " .
         "'$gender', '$mobile', '$email')";
```

Login.php

```php
$username = $_POST['username'];
$password = md5($_POST['password']);

$sql = ("select * from Customers where username='" . $username . "' and password='" . $password . "'") or die('Error connecting to MySQL server.');

$query = mysqli_query($con, $sql);

$result = mysqli_fetch_row($query);

if ($result) {
    $_SESSION['username'] = $username;
    header('location:home.html');
} else {
    echo md5($_POST['password']);
    echo 'Your entered username or password is incorrect';
}
```

In the above signup and login code I'm applying md5 for password storage.

I checked in the database: the md5 password is being stored correctly, but it is not being retrieved properly (I think).

Trying to log in to the page, it is failing.

FYI: echo md5($_POST['password']); in Login.php is showing the same password that is stored in the database.

Praneeth A

  • Please use PHP's [built-in functions to handle passwords](http://php.net/manual/en/ref.password.php) ([tutorial](http://jayblanchard.net/proper_password_hashing_with_PHP.html)). If you're using a PHP version less than 5.5 you can use the password_hash() [compatibility pack](https://github.com/ircmaxell/password_compat). You should also use parameterized queries, with placeholders instead of concatenating variables directly into the query string. – JimL Jul 17 '16 at 11:37
  • Recommended read: [Stackoverflow: Why not use MD5 for password hashing?](http://stackoverflow.com/questions/30496061/why-not-use-md5-for-password-hashing) – Steffen Ullrich Jul 17 '16 at 12:01
  • 1. Do not use MD5 or SHA-1; use a SHA-2 function such as SHA-256. 2. Do not use a static salt: every entry that uses the same password will have the same salt, so when one is discovered all others are also exposed. Use a random salt that is also saved in the DB. 3. Do not just concatenate the salt; use an HMAC function. 4. It is necessary to iterate the hashing function because calculating hashes is very fast. 5. Use standard password derivation functions such as `Crypto.HashPassword`, `PBKDF2`, `password_hash`, `bcrypt`, scrypt, etc. – zaph Jul 17 '16 at 12:59
  • Consider that it is your users who are at risk from poor password handling; they expect and deserve good security. See [How to securely hash passwords, The Theory](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846#31846) on Security Stackexchange. See the OWASP (Open Web Application Security Project) [Password Storage Cheat Sheet](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet#Leverage_an_adaptive_one-way_function). – zaph Jul 17 '16 at 13:07

1 Answer

Here is how to fix your login.php code.

You were totally checking wrong. You need to check first if the query succeeded running, then check if the returned rows are more than 0; that means the username is correct and we proceed to password checking. If everything is fine we start the session, assuming you have session_start() on top of your page; if not, add it before $_SESSION['username'] = $username;. Check the manual for password_hash() and password_verify().

On register.php, modify saving the password into the database from $password = md5($_POST['password']); to $password = password_hash($_POST['password'], PASSWORD_DEFAULT);

```php
<?php
session_start(); // must run before $_SESSION is touched

if (isset($_POST['submit'])) {
    $username = mysqli_real_escape_string($con, trim($_POST['username']));
    $password = trim($_POST['password']); // no need to sanitize the password, it never goes into the SQL

    $sql = "select * from Customers where username = '" . $username . "'"; // you don't need or die(), it's just a string
    if ($result = mysqli_query($con, $sql)) { // check if the query succeeded running
        $count = mysqli_num_rows($result);
        if ($count > 0) { // if the username exists we proceed to checking the password
            $fetch = mysqli_fetch_assoc($result);
            $hashedpassword = $fetch["password"];

            if (password_verify($password, $hashedpassword)) { // checking password
                $_SESSION['username'] = $username;
                header('location:home.html');
                exit;
            } else {
                echo "incorrect username or password"; // you don't want to tell him that the username is fine but the password is not correct
            }
        } else {
            echo "incorrect username or password";
        }
    } else {
        echo 'Query failed to run';
    }
}
?>
```
Ahmad ghoneim
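Putting the comments' advice (password_hash()/password_verify() plus parameterized queries) together with the answer's login flow, as an added example that is neither the asker's nor the answerer's code. It assumes a mysqli connection $con, a Customers table whose password column is at least VARCHAR(255), and that session_start() has already been called.

```php
<?php
// Added example (not from the question or answer). Assumes $con is a mysqli
// connection and Customers.password is VARCHAR(255) or wider.

function registerCustomer(mysqli $con, string $username, string $password): bool
{
    // password_hash() chooses a random salt and an iterated algorithm (bcrypt
    // for PASSWORD_DEFAULT); the salt and cost are embedded in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Placeholders: user input is sent separately and never spliced into SQL.
    $stmt = $con->prepare('INSERT INTO Customers (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

function loginCustomer(mysqli $con, string $username, string $password): bool
{
    $stmt = $con->prepare('SELECT password FROM Customers WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // One generic failure for both "no such user" and "wrong password".
    if (!$found || !password_verify($password, $storedHash)) {
        return false;
    }

    // Transparently upgrade hashes made with an older cost or algorithm.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE Customers SET password = ? WHERE username = ?');
        $upd->bind_param('ss', $newHash, $username);
        $upd->execute();
        $upd->close();
    }

    session_regenerate_id(true); // fresh session id after authentication
    $_SESSION['username'] = $username;
    return true;
}

// Usage (constructed), after session_start() and creating $con:
// if (loginCustomer($con, $_POST['username'], $_POST['password'])) {
//     header('Location: home.html'); exit;
// }
// echo 'Incorrect username or password';
```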