0

Why is it showing incorrent password after comparing two equal md5 keys?

<?php

if (isset($_POST['user_password']) && !empty($_POST['user_password'])) {
  $user_password = $_POST['user_password'];
  echo $user_passkey = md5($user_password).'<br>';

  $filename = 'hash.txt';
  $handle = fopen($filename, 'r');
  echo $file_password  = fread($handle, filesize($filename));

  if ($user_passkey==$file_password) {
    echo 'correct password';
  } else {
    echo 'Incorrect Password';
  }

} else {
  echo 'Please enter a password';
}

?>
<form action="index.php" method="POST">
  Password:
  <input type="text" name="user_password"><br><br>
  <input type="submit" value="Submit">
</form>

The other md5 created file is :

<?php 
$string = 'password';
$string_hash = md5($string);
echo $string_hash;
?>

The encrypted key is saved in another file named hash.txt in same folder. echo $user_passkey and echo $file_password both are showing exact hash key(same 'password' given for both user input and previously encrypted key file hash.txt) but not getting compared in the if statement.

Why does it not work as intendet?

Manuel Mannhardt
  • 2,191
  • 1
  • 17
  • 23
neo.abi1000
  • 59
  • 6
  • Why are you rolling your own password hashing thing anyway, when php [has one built in](https://www.php.net/manual/en/function.password-hash.php)? – CD001 Sep 04 '19 at 10:04
  • FWIW: [Why check both isset() and !empty()](https://stackoverflow.com/q/4559925/476) – deceze Sep 04 '19 at 10:28
  • 1
    `$user_passkey = md5($user_password).'
    ';` is wrong because you added `
    ` to the hash. And then I'll bet your file contains linebreak(s). Use `trim(fread($handle, filesize($filename)))` to remove them. P.S. Consider using `json_encode` and `json_decode` to add multiple username/password logins to your file.     – mgutt Sep 04 '19 at 10:32

3 Answers3

3

It is not working, because the md5 hash you generate from the users input happens to have a <br> at the end, from your debug output.

1) Change 

md5($user_password).'<br>';

to 

md5($user_password);

2) Change

if ($user_passkey==$file_password)

to

if ($user_passkey==trim($file_password))

It will show you, that the hash is the same, because it is indeed the same hash, but the first one has the line break at the end, which makes it a different string then the other one.

Manuel Mannhardt
  • 2,191
  • 1
  • 17
  • 23
  • If I'm removing the break line, still it is showing the same thing i.e both keys are not equal – neo.abi1000 Sep 04 '19 at 09:59
  • 1
    Also, hashing password with `md5` is absolutely __insecure__, follow https://www.php.net/manual/en/faq.passwords.php to know what to use instead. – u_mulder Sep 04 '19 at 10:00
  • 2
    Can you please do a `var_dump()` of both `$user_passkey` and `$file_password`? – Manuel Mannhardt Sep 04 '19 at 10:00
  • Actually when using var_dump for both the variable one is showing string32 and another is showing string34 but both the encrypted key are same – neo.abi1000 Sep 04 '19 at 10:17
  • 1
    @neo.abi1000 So you have a trailing newline or such in one of the strings, probably from having written it to the file with a trailing newline. – deceze Sep 04 '19 at 10:27
  • yes you are right. in the hash.txt file the key is getting trailed by a new line. what should I do? – neo.abi1000 Sep 04 '19 at 10:35
  • I have updated my answer. You have to use `trim()` then on the hash you get out of the file. – Manuel Mannhardt Sep 04 '19 at 11:35
0

This is what i'll do

<?php
$filename = 'hash.txt';
  $handle = fopen($filename, 'r');
  echo $file_password  = fread($handle, filesize($filename));
  $name=md5('bimbo');
  if($name==$file_password){
   echo "string";
  }
?>

<?php

if (isset($_POST['user_password']) && !empty($_POST['user_password'])) {
  $user_password = $_POST['user_password'];
  $user_passkey = md5($user_password);
  $new_userpass=$user_userpass."<br/>";

  $filename = 'hash.txt';
  $handle = fopen($filename, 'r');
  echo $file_password  = fread($handle, filesize($filename));

  if ($user_passkey==$file_password) {
    echo 'correct password';
  } else {
    echo 'Incorrect Password';
  }

} else {
  echo 'Please enter a password';
}

?>
<form action="index.php" method="POST">
  Password:
  <input type="text" name="user_password"><br><br>
  <input type="submit" value="Submit">
</form>
Soneye Sina
  • 1
  • 4
0

A md5() example

<?php
$str = 'apple';

if (md5($str) === '1f3870be274f6c49b3e31a0c6728957f') {
    echo "Would you like a green or red apple?";
}
?>
eniazmandi.com
  • 1
  • 2