
Yes, I know that md5 is not a good option and that I should rather use password_hash(), but my hosting solution is on PHP version 5.3.3. Anyway, this is never supposed to be a production environment, just for training purposes, and I will soon change provider.

So I have set up some code, and I can see that the credentials I register, with the password in md5 format, are stored in the db. But when logging in with the same credentials I get the error message I set up, "invalid email or pass".

This is my code:

echo 'Current PHP version: ' . phpversion();
include_once("config.php");
session_start();

if(isset($_POST['signup'])){
    $name  = $_POST['name'];
    $email = $_POST['email'];
    $pass  = md5($_POST['pass']);

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
                             values(:name,:email,:pass) ");
    $insert->bindParam(':name',$name);
    $insert->bindParam(':email',$email);
    $insert->bindParam(':pass',$pass);
    $insert->execute();
}
elseif(isset($_POST['signin'])){
    $email = $_POST['email'];
    $pass  = $_POST['pass'];

    $select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
    $select->setFetchMode();
    $select->execute();
    $data = $select->fetch();
    if($data['email']!=$email and $data['pass']!=$pass)
    {
        echo "invalid email or pass";
    }
    elseif($data['email']==$email and $data['pass']==$pass)
    {
        $_SESSION['email'] = $data['email'];
        $_SESSION['name']  = $data['name'];
        header("location:aeroplane.php");
    }
}

So, the signup works fine, but the elseif for signing in fails. What have I missed here?

-thanks

user2371684
  • `my hosting solution is on php version 5.3.3` You do realize that you're open to a ton of security flaws that were not patched since PHP 5.3 [went EOL almost 3 years ago](http://php.net/eol.php) – Machavity Apr 22 '17 at 13:22
  • You shouldn't use `md5()` for password storage; you should use the `password_*()` API instead. – Qirel Apr 22 '17 at 13:23
  • There is the compatibility pack https://github.com/ircmaxell/password_compat that you can use for PHP < 5.5; it's even mentioned in the `password_hash()` manual. http://php.net/manual/en/function.password-hash.php – Funk Forty Niner Apr 22 '17 at 13:27
  • And just because it bears repeating: [MD5 is not secure at all, because it is fast](https://security.stackexchange.com/questions/19906/is-md5-considered-insecure) – Machavity Apr 22 '17 at 13:28
  • @Fred-ii- The compatibility pack requires >= 5.3.7 and he's on 5.3.3 – Machavity Apr 22 '17 at 13:28
  • @Machavity They can still use crypt/bcrypt http://php.net/manual/en/function.crypt.php - their PHP version isn't an excuse for using md5, and it might even still work. – Funk Forty Niner Apr 22 '17 at 13:31
  • [How do you use bcrypt for hashing passwords in PHP?](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) – Funk Forty Niner Apr 22 '17 at 13:32
  • If you intend to go live or are live with this, you **will** get hacked; that's a guarantee that you can take to the bank. Even though you are going to use the accepted answer, md5 is still md5, even though a prepared statement is used. – Funk Forty Niner Apr 22 '17 at 13:34
  • No way, this is not at all for production purposes, just for learning purposes. I am planning to move to a new provider – user2371684 Apr 22 '17 at 13:36
  • Since you care about security, it seems, your login code contains SQL injections, using user and pass directly in SQL, whereas the signin code does use the PDO bind parameters API. You should fix that. – beberlei Apr 22 '17 at 20:08

3 Answers


The password is saved as md5 in the database, so you should hash it on sign-in too in order to compare it correctly.

Solution:

Just change this: $pass = $_POST['pass']; to $pass = md5($_POST['pass']);

Your code is basically comparing a non-hashed password to a hashed password, which makes no sense.

Oussama Ben Ghorbel
echo 'Current PHP version: ' . phpversion();
include_once("config.php");   // provides $pdo
session_start();

if(isset($_POST['signup'])){
    $name  = $_POST['name'];
    $email = $_POST['email'];
    $pass  = md5($_POST['pass']);   // stored as the md5 hex digest

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
                             values(:name,:email,:pass) ");
    $insert->bindParam(':name',$name);
    $insert->bindParam(':email',$email);
    $insert->bindParam(':pass',$pass);
    $insert->execute();
}
elseif(isset($_POST['signin'])){
    $email = $_POST['email'];
    $pass  = md5($_POST['pass']);   // hash the submitted password the same way before comparing

    // Bind the values instead of interpolating them into the SQL string,
    // otherwise the login query is open to SQL injection.
    $select = $pdo->prepare("SELECT * FROM users WHERE email=:email and pass=:pass");
    $select->bindParam(':email',$email);
    $select->bindParam(':pass',$pass);
    $select->execute();
    $data = $select->fetch(PDO::FETCH_ASSOC);   // false when no row matched

    if($data === false)
    {
        echo "invalid email or pass";
    }
    else
    {
        $_SESSION['email'] = $data['email'];
        $_SESSION['name']  = $data['name'];
        header("location:aeroplane.php");
        exit;   // stop the script after the redirect
    }
}

Updated $pass = md5($_POST['pass']); in the signin code.

You need to use md5 at login time as well.

Ankit vadariya

I have looked at your code and found the error in the sign-in code.
Update $pass = $_POST['pass']; to

$pass = md5($_POST['pass']);
Shaiful Islam