
Why, when `$password = md5($password)` is not commented out, is the insert query unsuccessful?

if (isset($_POST['signupFootball'])) {

    $firstname = mysqli_real_escape_string($con, $_POST['fname']);
    $lastname = mysqli_real_escape_string($con, $_POST['lname']);
    $email = mysqli_real_escape_string($con, $_POST['email']);
    $password = $_POST['password'];

    // md5() returns a 32-character hex string, so the `password` column
    // must be able to hold at least 32 characters or the INSERT fails.
    $password = md5($password);

    if (mysqli_query($con,"INSERT into `users`(fname, lname, email, password) VALUES ('$firstname', '$lastname', '$email', '$password')")) {
        $_SESSION['fname'] = $firstname;
        $_SESSION['success'] = 'You have been registered successfully';

        // Redirect before sending any output: an echo before header() fails
        // with "headers already sent". Stop the script after redirecting.
        header('location: signupcomplete.php');
        exit;
    }
    else {
        echo "<h1><strong>unsuccessful connection</strong></h1>";
        // While debugging, show the actual MySQL error instead of a generic message.
        echo '<p>' . htmlspecialchars(mysqli_error($con)) . '</p>';
        echo "<a href=\"index.php\">Go back home</a>";
    }
}
Jason
    `md5` is an outdated way of hashing. Refer to http://php.net/manual/en/faq.passwords.php – u_mulder Aug 22 '17 at 14:22
  • How is the users table created? – Cid Aug 22 '17 at 14:25
  • What is the length limit of the password column? I think it should be at least 32 – Aiman Daniel Aug 22 '17 at 14:29
  • What error is returned? Do you have error reporting turned on? – Sloan Thrasher Aug 22 '17 at 14:33
  • Instead of using `mysqli_real_escape_string`, use parameterized queries. Your code, as written, is susceptible to SQL injection. – Sloan Thrasher Aug 22 '17 at 14:34
  • It was the length of the field that was causing the problems. Thanks for the advice also. I won't use md5 – Jason Aug 23 '17 at 21:24
  • ***You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)*** and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 05 '17 at 16:36

1 Answer


STOP!

FORGET md5...

PHP has a password_hash() function for you and it is beautiful.

  1. Your column needs to be VARCHAR(255)

This is a one-way hash and very secure. Do this before inserting into the DB:

$passwordFromUser = $_POST['password'];
$passwordToInsert = password_hash($passwordFromUser, PASSWORD_DEFAULT);

//no need for mysqli_real_escape_string
//do the above and your password troubles are over

To validate the password pull it out of the database and do the following:

$passwordFromUser = $_POST['password'];
$passwordFromDB = $row['password']; //however you get this out of the database (assumes a fetched row)

if (password_verify($passwordFromUser, $passwordFromDB)) {
     echo 'Good!';
}
else {
    echo 'bad';
}

Side note: I think PDO is a cleaner method for handling the DB.

silversunhunter
    ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing, including trimming. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Oct 05 '17 at 16:36
    I never considered that! If a user added spaces as part of their intended password using trim would mess that up. – silversunhunter Oct 05 '17 at 16:41
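A complete register/login flow along the lines of this answer, as an added example that is not part of the original question or answer: it uses password_hash()/password_verify(), a VARCHAR(255) column, prepared statements in place of mysqli_real_escape_string(), and the answer's side note on PDO. It assumes the pdo_sqlite extension is loaded and uses an in-memory SQLite database so it runs without a MySQL server; the users table, the sample user and the e-mail lookup column are constructed for the demo.

```php
<?php
// Added example, not code from the question or the answer above. An
// in-memory SQLite database via PDO stands in for MySQL so this runs
// offline; it assumes the pdo_sqlite extension is loaded.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        // Throw on failure instead of returning false, so the real database
        // error (e.g. a column too short for the hash) is visible at once.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // VARCHAR(255) leaves headroom: bcrypt hashes are 60 characters, but
    // PASSWORD_DEFAULT may point at a longer format in a future PHP release.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        fname VARCHAR(100) NOT NULL,
        lname VARCHAR(100) NOT NULL,
        email VARCHAR(255) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $fname, string $lname, string $email, string $password): int
{
    // Hash the password exactly as typed: no trim(), no escaping, no other
    // cleansing, or the user will never be able to reproduce it at login.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Bound parameters keep user input out of the SQL text entirely, which is
    // what mysqli_real_escape_string() in the question only approximates.
    $stmt = $db->prepare(
        'INSERT INTO users (fname, lname, email, password)
         VALUES (:fname, :lname, :email, :password)'
    );
    $stmt->execute([
        ':fname'    => $fname,
        ':lname'    => $lname,
        ':email'    => $email,
        ':password' => $hash,
    ]);
    return (int) $db->lastInsertId();
}

function loginUser(PDO $db, string $email, string $password): bool
{
    // Dummy hash used for unknown addresses, computed once per process.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
    }

    $stmt = $db->prepare('SELECT id, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown address: verify against the dummy hash anyway so the
        // response time does not reveal which e-mails are registered.
        password_verify($password, $dummyHash);
        return false;
    }

    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // The plaintext is in hand, so upgrade hashes made with an older
    // algorithm or lower cost than the current PASSWORD_DEFAULT.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = :password WHERE id = :id');
        $upd->execute([
            ':password' => password_hash($password, PASSWORD_DEFAULT),
            ':id'       => $row['id'],
        ]);
    }
    return true;
}

// Constructed sample run. The password deliberately contains a quote, an
// injection payload and surrounding spaces: all of it is part of the secret.
$db       = openDb();
$password = "  O'Brien' OR 1=1 --  ";
registerUser($db, 'Ada', 'Lovelace', 'ada@example.com', $password);

var_dump(loginUser($db, 'ada@example.com', $password));        // exact string, spaces included
var_dump(loginUser($db, 'ada@example.com', trim($password)));  // trimmed copy is a different password
var_dump(loginUser($db, 'nobody@example.com', $password));     // unknown user takes the same code path
```

Swapping the DSN for a MySQL one (`mysql:host=...;dbname=...`) and keeping ERRMODE_EXCEPTION is enough to move this to the question's setup; the exception message would have named the undersized `password` column directly instead of the page's generic "unsuccessful connection".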