how to retrieve MD5 password

Question

I've put username and md5(password) on my MySQL database. Below is my old login PHP code. I want to add some code that can retrieve my md5 password, because on my old code there is no md5 password. Where is should I add md5(password)?

Here is my full login code:

<?
if ($_POST['username']) {
$username=trim($_POST['username']);
$username = mysql_real_escape_string($username);
$password=trim($_POST['password']);
$password=mysql_real_escape_string($password);
//$password = hash('md5','$password');



if ($password==NULL) {
header("Location: login.php?error=2");
}else{

if($_POST['code']!=$_SESSION['string']){ 
header("Location: login.php?error=1");
}else{

$query = mysql_query("SELECT username,password FROM tb_users WHERE username = '$username'") or die(mysql_error());
if(mysql_num_rows($query) == 0)
{
header("Location: login.php?error=3");

} else {
$data = mysql_fetch_array($query);
if($data['password'] != $password) {
header("Location: login.php?error=4");
}else{

$query = mysql_query("SELECT username,password FROM tb_users WHERE username='$username'  ") or die(mysql_error());
$row = mysql_fetch_array($query);

$nicke=$row['username'];
$passe=$row['password'];

setcookie("usNick",$nicke,time()+36000);
setcookie("usPass",$passe,time()+36000);

$lastlogdate=time();
$lastip = getRealIP();

$querybt = "UPDATE tb_users SET lastlogdate='$lastlogdate', lastiplog='$lastip' WHERE username='$nicke'";
mysql_query($querybt) or die(mysql_error());

$query = mysql_query("SELECT akhirupgrade from tb_upgrade WHERE username = '$username' and status='upgraded'") or die(mysql_error());
if(mysql_num_rows($query) > 0) {
$row = mysql_fetch_array($query);
$akhir=$row["akhirupgrade"];
$tgl=time();
if ($tgl > $akhir) {
$query = mysql_query("update tb_upgrade set status='', date='', paket='', akhirupgrade='' WHERE username='$username' and status='upgraded'");
$query = mysql_query("update tb_users set account='' WHERE username='$username'");
}
}
header("Location: member.php");
}

}

}

}

}

?>

Answer 1

I would use password_hash() if you running on php 5.5 or greater

When you send the password to the database simply hash it with the function

$password = password_hash(filter_input(INPUT_POST, "password"));

The when you pull the password back out of the database do the same thing to the password they submitted.

$passwordFromDb = $result['password']; //Password from the database
$passwordFromLoginForm = password_hash(filter_input(INPUT_POST, "password");

//Then when youve got the password to check it agaisnt there input

if($passwordFromDb === $passwordFromForm){
    //The password they entered was the same as the password in the database
} else {
    //The password was wrong
}

I have not tested this code so there may be errors but hopefully youll get the point :)

PS dont use MD5 please, Very insecure

If you must use md5

$password = md5(filter_input(INPUT_POST, "password"));//Store password


$passwordFromDb = $result['password']; //Password from the database
$passwordFromLoginForm = md5(filter_input(INPUT_POST, "password");

//Then when youve got the password to check it agaisnt there input

if($passwordFromDb === $passwordFromForm){
    //The password they entered was the same as the password in the database
} else {
    //The password was wrong
}