-3

$email = strip_tags($_POST['email']); $password = strip_tags($_POST['password']);

$email = $DBcon->mysqli_real_escape_string($email);
$password = $DBcon->mysqli_real_escape_string($password);
$password= md5($password);
$query = $DBcon->query("SELECT id, email, password FROM food_user WHERE email='$email' and password='$password");
$row=$query->fetch_array();

$count = $query->num_rows; // if email/password are correct returns must be 1 row

if (password_verify($password, $row['password']) && $count==1) {
    $_SESSION['userSession'] = $row['id'];
    header("Location: cookiecups.php");
    $msg = "<div class='alert alert-danger'>
                <span class='glyphicon glyphicon-info-sign'></span> &nbsp; Invalid Username or Password !
            </div>";
 } else {
    $msg = "<div class='alert alert-danger'>
                <span class='glyphicon glyphicon-info-sign'></span> &nbsp; Invalid Username or Password !
            </div>";
}
$DBcon->close();
YetAnotherBot
  • 1,937
  • 2
  • 25
  • 32
chaeldyn lumahan
  • 1
  • 1
    why would use mix `md5()` and `password_*` functions? – Kevin Nov 30 '17 at 06:02
  • use `password_hash()`. Also the method in which you use to fetch the details is wrong. Fetch using only the email and then compare the hashed password in the database with the post password using `password_verify()` – Rotimi Nov 30 '17 at 06:03

1 Answers1

1

MD5 cannot be "decrypted" as is an hash alghoritm https://en.wikipedia.org/wiki/MD5

To encrypt/decrypt a string you should use something like AES https://en.wikipedia.org/wiki/Advanced_Encryption_Standard

You maybe mean "how to compare" but in your user case, this is completely wrong to hash the user password with md5 functions (not safe too); you should rely on bcrypt (https://en.wikipedia.org/wiki/Bcrypt) or use the password_hash() (http://php.net/manual/en/function.password-hash.php) function like Akintunde wrote in the comments.

hope it helps ;)

Oscar Cosimo
  • 51
  • 6