
I'm trying to implement MD5 in the login form of my website. I have been able to use MD5 on the registration form to hash the password; it's just being able to convert the login password to that stored in the database.

The code used on the register form:

    $password = md5($password);

The code that doesn't work on my login form:

    $sql = "SELECT username FROM custlogin WHERE username = '.$_POST[username].' AND password=md5('$_POST[password]')";

This isn't going to be a live website, it's part of an assignment.

JackH
    Why are you using md5? – Funk Forty Niner Dec 06 '16 at 19:29
    I am not sure if `md5` function in PHP will work like that in MySQL. Maybe you need to assign the value to a variable before passing it to a query. – Maximus2012 Dec 06 '16 at 19:30
  • *"This isn't going to be a live website, it's part of an assignment."* - Oh, so it's homework. Well, whoever told you to use md5 is really OLD school. There are TONS of md5 stuff out there btw. – Funk Forty Niner Dec 06 '16 at 19:30
    (1) You're trying to use `md5()` in SQL, not in PHP. (2) This code is wide open to SQL injection. (3) Why re-invent the wheel? PHP provides password management tools. – David Dec 06 '16 at 19:30
  • ***You shouldn't use [SHA1 password hashes](https://konklone.com/post/why-google-is-hurrying-the-web-to-kill-sha-1)*** or ***[MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 06 '16 at 19:31
    It's part of the assignment to have the passwords stored not as plain text, I know MD5 isn't a good choice for the real world. – JackH Dec 06 '16 at 19:31
    I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? – Jay Blanchard Dec 06 '16 at 19:31
  • Are you double `md5`ing it? You haven't given enough context. Are you md5ing the password, storing that, and then on login attempt md5ing the password and passing that hash to the db, which then hashes it again for comparison? – Kritner Dec 06 '16 at 19:32
    @JackH: In that case what you are likely looking to do is hash the input and *then* use the hashed value in the query. Keep it as two steps, don't combine them into one step. (And, for your own sake, also look into the variety of things being indicated throughout these comments. Someday you're going to be outside of the management of some inept grad student TA and will need to be able to actually do things. It's in your best interests to learn how. I understand the hesitation, but it really is a good idea.) – David Dec 06 '16 at 19:32
  • If that is part of the assignment then use the real tools. – Jay Blanchard Dec 06 '16 at 19:32
  • Well, use error reporting in PHP then, check for errors on the query, and make sure the password column is long enough. There's not enough code/information to support the question. – Funk Forty Niner Dec 06 '16 at 19:32
  • Kritner - The password is being hashed at the registration form and stored in that form. I then assumed the code would hash the login password and compare that against the database. – JackH Dec 06 '16 at 19:37
  • David - Thanks for the help! The main reason for using MD5 is the time constraints and the fact I've not come from a coding background, but I have learnt about different security hashing methods. Thanks everyone else for the suggestions! – JackH Dec 06 '16 at 19:39
  • Time constraints? `password_hash()` and `password_verify()` are painfully simple to use. – Jay Blanchard Dec 06 '16 at 19:40
  • Jay - I've seen about these. But it's easy for someone to say how easy something is when one already knows it. Thanks anyway. – JackH Dec 06 '16 at 19:41

1 Answer


Hello Jack :D You can try this! For me it works :D

    $username = $_POST['username'];
    // Hash the submitted password in PHP first (the original read an undefined $password).
    $password = md5($_POST['password']);

    // Note: interpolating user input straight into the SQL string like this is open
    // to SQL injection; a prepared statement with bound parameters avoids that.
    $sql = "SELECT username FROM custlogin WHERE username = '$username' AND password='$password';";
ZakSdn
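The comments above make two separate points: hash in PHP and then use the hash in the query as two steps, and prefer `password_hash()`/`password_verify()` with prepared statements over MD5 and string-built SQL. The following is an added example, not code from the question or the answer, showing both: the MD5 two-step form the assignment asks for, done with bound parameters, and the recommended form beside it. It assumes PHP 7 or later with the `pdo_sqlite` extension; the `custlogin` table is created in an in-memory SQLite database so the script runs offline without MySQL, and the usernames and passwords at the bottom are constructed sample input.

```php
<?php
declare(strict_types=1);
// Added example (not from the original question or answer). Assumes PHP >= 7
// with pdo_sqlite; `custlogin` is created in an in-memory SQLite database.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// TEXT rather than a short VARCHAR: password_hash() output is 60 chars for
// bcrypt and may grow; a column that is too short truncates the stored hash.
$db->exec('CREATE TABLE custlogin (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

/* --- Variant A: what the assignment asks for (MD5), done as two steps --- */

// Register: hash in PHP, then bind the hash. Nothing is escaped or trimmed
// before hashing; any such transformation would change the password.
function registerMd5(PDO $db, string $username, string $password): void
{
    $hash = md5($password);
    $stmt = $db->prepare('INSERT INTO custlogin (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login: hash the submitted password in PHP, look the user up by username
// through a bound parameter, and compare the two hashes in constant time.
function loginMd5(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM custlogin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();          // false when the user does not exist
    return $stored !== false && hash_equals($stored, md5($password));
}

/* --- Variant B: what the comments recommend (password_hash / password_verify) --- */

function registerUser(PDO $db, string $username, string $password): void
{
    // Salted, deliberately slow hash; the algorithm and cost are encoded in the output.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO custlogin (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM custlogin WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $stored = $stmt->fetchColumn();
    // password_verify() reads the salt and cost from the stored hash and
    // performs a constant-time comparison itself.
    return $stored !== false && password_verify($password, $stored);
}

/* --- Demo with constructed sample input --- */
registerMd5($db, 'jack', 'correct horse');
registerUser($db, 'alice', 'battery staple');

var_dump(loginMd5($db, 'jack', 'correct horse'));
var_dump(loginMd5($db, 'jack', 'wrong'));
var_dump(loginUser($db, 'alice', 'battery staple'));
var_dump(loginUser($db, 'alice', 'wrong'));

// The classic payload that would break the question's string-built query is
// just a username that does not exist once it is bound as a parameter.
var_dump(loginUser($db, "' OR '1'='1", 'anything'));
```

Both variants keep the hashing in PHP and keep user input out of the SQL text, which is the two-step structure suggested in the comments. Variant A only satisfies an assignment that insists on MD5; for anything real, Variant B is the one to use, and switching between them later is a matter of swapping the register and login functions since the table layout is the same.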