-3

I had been researching a while and even got a hold of my hosting company for help but I have run into a problem with my PHP code and my database through my website. While the code that I have does hash the password that I enter, when I attempt to use the regular word password it comes up as incorrect. But if I copy and paste the hashed password, it works. 

<?php
/* NEW.PHP 
    Allows user to create a new entry in the database
*/
// creates the new record form

// since this form is used multiple times in this file, I have made it a function that is easily reusable

function renderForm($email, $pass, $error)
{
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"        "http://www.w3.org/TR/html4/strict.dtd">

<html>
<head>
<title>New User</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>

<?php

// if there are any errors, display them
if ($error != '') {
    echo '<div style="padding:4px; border:1px soluser_id red;      color:red;">'.$error.'</div>';
}
?>

<form action="" method="post">
<div>
<strong>Update User Info <br><br><br><br><br>Email:    *</strong>
<input type="text" name="email" value="<?php echo $email; ?>" /><br/>
<strong>Password: *</strong> <input type="password" name="pass" value="<?php echo $pass; ?>" /><br/>
<p>* required</p>
<input type="submit" name="submit" value="Submit"> <br><br>Back to <a    href="index2.html">home</a>?</div>
</form>
</body>
</html>
<?php
}

// connect to the database
include('connect-db.php');

// check if the form has been submitted. If it has, start to process the form and save it to the database

if (isset($_POST['submit'])) {
    // get form data, making sure it is valuser_id
    $email = mysql_real_escape_string(htmlspecialchars($_POST['email']));
    $pass = mysql_real_escape_string(htmlspecialchars($_POST['pass']));
    // check to make sure both fields are entered

    if ($email == '' || $pass == '') {
        // generate error message
        $error = 'ERROR: Please fill in all required fields!';
        // if either field is blank, display the form again
        renderForm($email, $pass, $error);
    } else {

        // save the data to the database

        mysql_query("INSERT users SET email='$email', pass=MD5('$pass')")
            or die(mysql_error());
        // once saved, redirect back to the view page
        header("Location: view.php");
    }
} else {

    // if the form hasn't been submitted, display the form
    renderForm('','','');
}
?>

As you can see it does hash it when I enter it into the database, but when I try to use the password the way it was originally spelled, it tells me it's the wrong one.

RiggsFolly
  • 93,638
  • 21
  • 103
  • 149
Steven Eck
  • 23
  • 5
  • 4
    If your intent is to add security by hashing passwords prior to storing them, `md5` is a terrible choice. Read up on BCrypt. – Madbreaks Oct 18 '16 at 21:53
  • I realize that MD5 is pretty much a useless hashing but if I first can get this to work I would be more than glad to try another method. – Steven Eck Oct 18 '16 at 21:54
  • 4
    You should be using prepared statements for interacting with the database, you're opening yourself up to SQL injection. http://php.net/manual/en/pdo.prepared-statements.php – kyle Oct 18 '16 at 21:56
  • 1
    please make sure to check the md5 password to the one saved in the database, not the password itself – Lamine K Oct 18 '16 at 21:57
  • Do you have error reporting turned on for your PHP code? Are you getting any error messages ? – Maximus2012 Oct 18 '16 at 21:57
  • Keep using MD5 and **you will get hacked;** it's just a matter of time. Plus, use a prepared statement as outlined already. `mysql_real_escape_string()` isn't good enough. – Funk Forty Niner Oct 18 '16 at 22:01
  • 4
    Please dont __roll your own__ password hashing. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php) please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet) If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Oct 18 '16 at 22:02
  • 1
    you need to show HOW you're doing the verification later on. there's nothing "obviously" wrong with the above code, other than using the deprecated mysql_*() functions and using md5. – Marc B Oct 18 '16 at 22:03
  • Some sensible code indentation would be a good idea. It helps us read the code and more importantly it will help **you debug your code** [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Oct 18 '16 at 22:05
  • here is the [mysqli](http://stackoverflow.com/a/33665819) of what you want and a `PDO` version link at the bottom for that version. Uses password_hash, verify, shows a schema for a test, shows prepared stmts. Never have the password column in your `WHERE` clause or you are subject to Timing Attacks. So, scrap what you have, and move on – Drew Oct 18 '16 at 22:39
  • Not at all related to the question at hand, but looking at your comments, it says that the function is called multiple times within the same file? If so, you should move the opening block with the doctype, head, and opening body tag outside of the function...the function itself should probably only contain the form data (unless I'm missing something - I'm not particularly well versed with php). – user2366842 Oct 19 '16 at 13:17

2 Answers2

-5

I would do the MD5 hashing on the PHP side. Print it before it goes into the database and try to compare it with the input given on the login form.

Also the htmlspecialchars is not needed in this case. Since your escaping is fine. If it would contain weird chars, it would match them against the database.

Also make sure your encoding type is set on both pages and make sure they're the same.

Benjamin de Bos
  • 4,334
  • 4
  • 20
  • 30
-5

Without seeing your SELECT query in the login form I'd ask if you're MD5 hashing it when you select it as well?

mysql_query("SELECT * FROM users WHERE email='$email' AND pass=MD5('$pass')") 
or die(mysql_error());

However, I agree that you shouldn't be using MD5 for password hashing. Check out http://php.net/manual/en/function.password-hash.php

Andrew Shell
  • 810
  • 1
  • 8
  • 15
  • I think I understand it now, so when I go to have a user log in I want to make sure that whatever they type in gets hashed and that is what is then compared to my database entry? – Steven Eck Oct 18 '16 at 22:03
  • 2
    @StevenEck You really ought not to use this approach.Read all the comments below your question warning you of this, and recommending actual hashes like `password_hash()` (and usage of `mysql_` for that matter). You wrote "you wanted this to work first", but why would you paint your house green first if you want it blue? It's twice the work for no good use. – Qirel Oct 18 '16 at 22:05
  • I guess I will look into another way, but I get the gist of it now. I have to compare apples to apples – Steven Eck Oct 18 '16 at 22:07
  • I am morally obliged to down vote this question: it promotes **horrible security** by doing two very wrong things at once: encouraging the use of officially-deprecated `mysql_` functions **and** using MD5 for password hashing. Use PDO + Bcrypt instead! – Terry Oct 18 '16 at 22:07
  • @StevenEck Well, sort of - you can't compare apples with bananas, sure. But if you use `password_hash()`, you need to verify it using `password_verify()` (there are good examples of this in the manual: http://php.net/manual/en/function.password-hash.php – Qirel Oct 18 '16 at 22:08
  • Ok, I am going to look those up. They seem to work similarly and provide me with better security. It's a win win. Thanks to everyone – Steven Eck Oct 18 '16 at 22:18