-1

I do md5 on the user password before saving it to the db, then I take the user input and md5 it and save it in a variable, but when I echo the user input variable, its generated md5 is different from the one saved in the db even though the same character is used. I don't understand.

When saving to db:

```php
$query = "insert into customer (name, email, password, contact) values ('$name', '$email', MD5('$passw'), '$contact');";
```

When verifying:

```php
if ($row = mysqli_fetch_assoc($result)) {
    $dbname = $row["email"];
    $dbpass = $row["password"];
}
$mdrpass = md5($lpass);
if ($lemail == $dbname && $mdrpass == $dbpass) {
    echo "SUCCESS";
} else {
    echo "failed";
}
```
Huud Rych
    **Don't [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure)**. Please use **PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)** (`password_hash()` and `password_verify()`) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). **It is not necessary** to [escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. – GrumpyCrouton Sep 19 '17 at 14:53
  • I would recommend not using md5; instead use $mdrpass = password_hash($lpass, PASSWORD_DEFAULT); – dsadnick Sep 19 '17 at 14:54
  • 3
    [Little Bobby](http://bobby-tables.com/) says **[you may be at risk for SQL Injection Attacks](https://stackoverflow.com/q/60174/)**. Learn about [Prepared Statements](https://en.wikipedia.org/wiki/Prepared_statement) with [parameterized queries](https://stackoverflow.com/a/4712113/5827005). I recommend `PDO`, which I [wrote a function for](http://paragoncds.com/grumpy/pdoquery/#function) to make it extremely easy, clean, and more secure than using non-parameterized queries. Also, [This article](http://php.net/manual/en/mysqlinfo.api.choosing.php) may help you choose between `MySQLi` and `PDO` – GrumpyCrouton Sep 19 '17 at 14:55
  • You do realise that you are not actually calling the md5 method within `$query` at all here right? – apokryfos Sep 19 '17 at 14:55
  • @apokryfos it's the query... MD5 is a mysql function – Salketer Sep 19 '17 at 14:56
  • What's the length of your password field? – Salketer Sep 19 '17 at 14:56
  • GrumpyCrouton, dsadnick - This is just a simple login PHP page, however thank you for the guidance. apokryfos - I'm calling it to md5 the user input and then save it in a variable, then match that variable's value with the value from the db. Salketer - It's just one character, not sure if that would be an issue, will add more characters; for now just using "t" as the password, however the md5 value returned by md5 from user input is very lengthy, 15-18 characters, while the md5 saved in the db is very short, 5-7 characters – Huud Rych Sep 19 '17 at 22:10

1 Answer

0

OK, firstly thank you everyone for guiding me right. However, I found the issue being the number of characters stored for the password being just 8 in the DB, and that is the reason it wouldn't match. Silly mistake, I know.

THANK YOU ALL.

Huud Rych
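Pulling the comments and the answer together, here is an added example (not the asker's code and not from any answer above) of what the registration and login code looks like once the three problems are fixed: the password column is wide enough to hold a full hash, the query uses prepared statements with bound parameters instead of interpolating `$name`, `$email` and `$passw` into SQL, and hashing is done with `password_hash()` / `password_verify()` instead of MD5. It uses an in-memory SQLite database through PDO so it runs offline; the table name and columns follow the question, the sample customer data is constructed, and the DSN is the only thing to swap for a MySQL connection.

```php
<?php
// Added example, not the asker's code: registration and login with PDO prepared
// statements and password_hash()/password_verify(). In-memory SQLite keeps it
// self-contained; replace the DSN with a MySQL one in a real deployment.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // The password column must hold the whole hash. password_hash() output is
    // 60 characters with today's default (bcrypt) and the PHP manual recommends
    // VARCHAR(255) so future algorithms fit too. The asker's 8-character column
    // could not even hold MD5's 32 hex characters, which is why nothing matched.
    $pdo->exec('CREATE TABLE customer (
        id       INTEGER PRIMARY KEY,
        name     VARCHAR(100) NOT NULL,
        email    VARCHAR(255) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL,
        contact  VARCHAR(50)
    )');
    return $pdo;
}

function registerCustomer(PDO $pdo, string $name, string $email, string $password, string $contact): void
{
    // Salted, slow hash. The raw password is never placed in SQL text, so no
    // escaping or "cleansing" of it is needed before hashing.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO customer (name, email, password, contact) VALUES (?, ?, ?, ?)'
    );
    // Bound parameters: user input is sent as data, never parsed as SQL.
    $stmt->execute([$name, $email, $hash, $contact]);
}

function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password FROM customer WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown email: same answer as a wrong password
    }
    // password_verify() reads salt and cost out of the stored hash and compares
    // in constant time; no md5()/== comparison of our own is needed.
    if (!password_verify($password, $row['password'])) {
        return false;
    }
    // If the default algorithm or cost has moved on since the hash was made,
    // re-hash now while we still have the plaintext.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE customer SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return true;
}

// Constructed sample data, mirroring the one-character password from the question.
$pdo = connect();
registerCustomer($pdo, 'Alice Example', 'alice@example.com', 't', '555-0100');
var_dump(login($pdo, 'alice@example.com', 't'));
var_dump(login($pdo, 'alice@example.com', 'wrong'));
var_dump(login($pdo, 'nobody@example.com', 't'));
```

Run with `php example.php`: the first `login()` call returns true and the other two false. On MySQL, the original symptom depends on the server's SQL mode: with strict mode on, inserting a 32-character MD5 into an 8-character column fails with "Data too long for column", while without it the value is silently truncated and the later `md5($lpass) == $dbpass` comparison can never succeed. `SHOW COLUMNS FROM customer LIKE 'password'` shows the column's declared type and is the quickest check when hashes "don't match".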