1

I have built a simple registration form shown below and I am trying to get the users to have their passwords encrypted and then entered into my database. I am attempting to use md5 encryption. I have also attached the database connection script.

My goal is when I check my database, I want to see the following: ( id, name, username, encrypted password )

The issue I have is that the form does not process completely. All I get is this error (Error: Unknown column 'd8578edf8458ce06fbc5bb76a58c5ca4' in 'field list').

Could someone tell me or show me "What is it that needs to be corrected either in my code or SQL insert and/or my variables" to make this work correctly? I know that it's probably a very, very simple fix. I am just stuck at this point.

I really appreciate your help.

<?php
error_reporting(0);
if($_POST['submit'])
{ // Beginning of full IF statement
$name = $_POST['name'];
$username = $_POST['username'];
$password = $_POST['password'];
$confirm_password = $_POST['confirm_password'];
// Encrypt password
$enc_password = md5($password);
//$enc_password2 = md5($confirm_password);


// Confirm all fields were filled out when submit button was pressed
if($name && $username && $password && $confirm_password) 
{
// Confirm that the NAME that you used is NOT greater than 30 characters     
     if(strlen($name)>24)
     {
     echo "<h2><center>YOUR NAME IS TOO LONG!!!!</center></h2><br>";
     }
// Confirm that the USERNAME that you used is NOT greater than 10 characters        
    if(strlen($username)>10)
     {
     echo "<h2><center>YOUR USERNAME IS TOO LONG!!!!</center></h2><br>";
     }
     else {

// Confirm that the PASSWORD that you used MATCH & Between 6 and 15 characters   
        if(strlen($password)>10 || strlen($password)<6)
         {
         echo "<h2><center>YOUR PASSWORD MUST BE BETWEEN 6 and 15          CHARACTERS!!!!</center></h2><br>";
         }
        if($password == $confirm_password)
        {
        // Database Connection required
        require "db_conncect.php";
        // We now connect to the database and insert the form input details
        //------- ### ENTERING ALL INFORMATION INTO THE DATABASE BELOW ### --------// 


// 1. Create a database connection
$con = mysql_connect("localhost","root",""); // <-- THIS IS WHERE YOU " CAN CHANGE " THE USERNAME IS "root", PASSWORD IS "" ONLY.

if (!$con) {
  die('Database connection failed could not connect: ' . mysql_error());
  }

// 2. Select a database to use
$db_select = mysql_select_db("registernow_2012",$con); // <-- THE "registernow_2012" IS     THE NAME OF THE DATABASE.
if (!$db_select) {
  die('Database selection failed could not connect: ' . mysql_error());
}

mysql_select_db("registernow_2012", $con); // <-- THE "registernow_2012" IS THE NAME OF THE DATABASE TO BE CONNECTED.

    // <-- THE `registernow_2012` IS THE NAME OF THE DATABASE TO BE CONNECTED.... `visitors` IS THE TABLE WITH ALL THE FIELDS WITHIN THE DATABASE.


$sql="INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` ,
`$enc_password` , `confirm_password`    )
VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";


if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
}

// 3. Close Connection
mysql_close($con);

header("Location: index.php");  // <-- THIS IS WHERE YOU CAN CHANGE THE "Location: Thank you / Index page" of the THANK YOU PAGE.       

        }
    else 
    {
    echo "<h2><center>PASSWORDS MUST MATCH!!!!!</center></h2><br>";
    }   

     }

    //echo "<h2><center>WORKING!!!!</center></h2>";
}   
else echo "<h2><center>ALL FEILDS MUST BE COMPLETED</center></h2>";

} // Ending of full IF statement
?>

<!DOCTYPE html>
<html lang='en'>
    <head>
        <title>THE FORM MY WAY NOW</title>
    </head>
<body>
<div id='centerstage'>
    <form name="myform" action="workingitoutproperly.php" method="POST">
      <p>
        <label>Name</label><br>
        <input type='text' name='name' value=''><br>
        <label>UserName</label><br>
        <input type='text' name='username' value=''><br>
        <label>Password</label><br>
        <input type='password' name='password' value=''><br>
        <label>Re-Enter Password</label><br>
        <input type='password' name='confirm_password' value=''><br>
        <br>
        <input type='submit' name='submit' value='REGISTER NOW!!'>
    </p>
</form>
</div>
</body>
</html>

NullPoiиteя

6 Answers

6
  1. You have used $enc_password in the column list in the insert statement. It should be the name of the column that holds the encrypted password, not the value of the encrypted password. If the name of the encrypted password column is encrypted_password, put encrypted_password in the column list instead of $enc_password.

    INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `encrypted_password` , `confirm_password` )
    
  2. Always sanitize user inputs. Don't use them directly in the query, which will allow an attacker to inject arbitrary SQL. At least use mysql_real_escape_string for a MySQL database.

    $name = mysql_real_escape_string($_POST['name']);
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);
    
  3. The value of the encrypted password should not be [$enc_password]. Don't enclose it in square brackets. It should be $enc_password.

    $sql="INSERT INTO `registernow_2012`.`users` 
    (`id` , `name` , `username` , `encrypted_password` , `confirm_password`) 
    VALUES
    (NULL , '$name', '$username', '$enc_password', '$password')";
    
  4. It's better to encrypt your password with a seed and use another hash like sha1.

    $enc_password = sha1($password. "my_secret_seed");
    
Shiplu Mokaddim
  • Your code is **also wide open** to SQL injection. Please do not post answers like this on Stack Overflow. Someone might try to use your code. – Brad Mar 21 '12 at 16:40
  • I already did. Is SQL injection vulnerability not reason enough? I think it is. – Brad Mar 21 '12 at 16:41
4

You are getting the error because you have (code reformatted for readability):

$sql = "INSERT INTO `registernow_2012`.`users` " .
       "(`id` , `name` , `username` , `$enc_password` , `confirm_password`    ) " .

You are using the encoded password as the column name

       "VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";

And you are wrapping the encoded password in square brackets for the variable.

However, this code has massive security problems.

MD5 is no longer safe and Bobby would have a field day.

Follow the OWASP password storage rules and use prepared statements and parameterized queries to access the database.

Community
Quentin
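
The prepared-statement approach this answer recommends, as an added example that is not part of the original answer. It assumes PDO with an in-memory SQLite database in place of the page's MySQL server, and the table layout and `password_hash` column name are hypothetical. The confirmation field is compared and then discarded, since storing it would put the plaintext password in the table.

```php
<?php
// Added example. Assumptions: PDO with in-memory SQLite stands in for MySQL;
// the table layout and the password_hash column name are hypothetical.

function create_users_table(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        name TEXT NOT NULL,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
}

function register_user(PDO $pdo, string $name, string $username,
                       string $password, string $confirm): int
{
    if ($name === '' || $username === '' || $password === '') {
        throw new InvalidArgumentException('All fields must be completed');
    }
    if ($password !== $confirm) {
        throw new InvalidArgumentException('Passwords must match');
    }
    // Column names are fixed text in the statement; only values are bound,
    // so input can never end up in the field list or change the query.
    $stmt = $pdo->prepare(
        'INSERT INTO users (name, username, password_hash)
         VALUES (:name, :username, :hash)'
    );
    $stmt->execute([
        ':name'     => $name,
        ':username' => $username,
        // Salted, deliberately slow hash instead of md5().
        ':hash'     => password_hash($password, PASSWORD_DEFAULT),
    ]);
    return (int) $pdo->lastInsertId();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_users_table($pdo);

// Constructed sample input: the quote characters are stored as plain data.
$id = register_user($pdo, "Robert'); --", 'bobby', 'correct horse', 'correct horse');
$stmt = $pdo->prepare('SELECT name, password_hash FROM users WHERE id = ?');
$stmt->execute([$id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
var_dump($row['name'] === "Robert'); --");
var_dump(password_verify('correct horse', $row['password_hash']));
```

At login, fetch the stored hash by username with another bound parameter and check it with `password_verify()`.
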
3

This line is the source of your problems.

 $sql="INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `$enc_password` , `confirm_password`    ) VALUES (NULL , '$_POST[name]', '$_POST[username]', '[$enc_password]', '$_POST[confirm_password]')";

Let's break it down:

First, we need to remove a stray $ from the field name:

INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `$enc_password` , `confirm_password`
//                                                                   ^^^ Remove me!

Next, we need to escape our input (unless you want a visit from Bobby Tables):

NULL , '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['username'])."', '$enc_password', '".mysql_real_escape_string($_POST['confirm_password'])."')

So the final line will look like this:

$sql = "
  INSERT INTO `registernow_2012`.`users`
    (`id` , `name` , `username` , `enc_password` , `confirm_password`)
  VALUES
    (NULL , '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['username'])."', '$enc_password', '".mysql_real_escape_string($_POST['confirm_password'])."')
";
DaveRandom
2

You're using double quotes, and you're trying to insert in a field that has the same name as the $enc_password value. PHP will evaluate all variables to their respective values when using double quotes. Use single quotes, and remove the $ sign.

Also: when encrypting: sha1 is safer, and don't just encrypt the password, add some salt:

$end_password = sha1('F00_'.$_POST['password'].'_8aR-this-is-5Alt');

Edit: Perhaps an even better way to salt your passwords would be this:

$superSalty = array_merge(str_split($pass), str_split('F00_8aR-th1s-1s-5Alt'));
sort($superSalty); // sort() works in place and returns a bool, so its return value is not assigned

This will result in an even more secure hash, that can easily be reproduced and, to my mind, makes brute force attacks even more difficult, given the fact the salt is mixed in with the password.

Ideally, use a usort function you wrote, rather than the natural -alphabetical- sorting... but every bit helps. I'm editing my answer here, because this question seems to be getting a lot of hits, and I feel this is an easy to use, and good way to salt user info.

Elias Van Ootegem
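
A comparison of the hashing schemes discussed on this page with PHP's built-in `password_hash()`, as an added example that is not code from this answer. The passwords are constructed sample values, and hashing the sorted characters with `sha1(implode(...))` is an assumption about how the sorted array would be used. Sorting discards character order, so two passwords made of the same characters produce the same digest, while `password_hash()` draws a fresh random salt on every call.

```php
<?php
// Added example. All passwords below are constructed sample values.

// Scheme from the question: unsalted MD5.
function md5_plain(string $password): string
{
    return md5($password);
}

// Scheme from the first answer: SHA-1 with one site-wide seed.
function sha1_static_seed(string $password, string $seed = 'my_secret_seed'): string
{
    return sha1($password . $seed);
}

// Password and salt characters merged and sorted before hashing.
// Assumption: the sorted array is joined and passed to sha1().
function sha1_sorted_mix(string $password, string $salt = 'F00_8aR-th1s-1s-5Alt'): string
{
    $chars = array_merge(str_split($password), str_split($salt));
    sort($chars, SORT_STRING); // sorts in place; character order is lost
    return sha1(implode('', $chars));
}

function same_digest(callable $scheme, string $a, string $b): bool
{
    return hash_equals($scheme($a), $scheme($b));
}

// Two users with the same password get identical stored values, so one
// cracked or precomputed digest exposes every account that shares it.
var_dump(same_digest('md5_plain', 'hunter22', 'hunter22'));
var_dump(same_digest('sha1_static_seed', 'hunter22', 'hunter22'));

// Different passwords built from the same characters collide.
var_dump(same_digest('sha1_sorted_mix', 'hunter22', '22hunter'));

// password_hash(): random salt per call, adaptive cost, salt stored in the hash.
$first  = password_hash('hunter22', PASSWORD_DEFAULT);
$second = password_hash('hunter22', PASSWORD_DEFAULT);
var_dump($first !== $second);
var_dump(password_verify('hunter22', $first));
var_dump(password_verify('22hunter', $first));
```
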
0

Your query is not correct.

Try the query below for insertion:

$sql="INSERT INTO `registernow_2012`.`users` 
(name , username , enc_password, confirm_password )
VALUES 
( '".mysql_real_escape_string($_POST['name'])."', '".mysql_real_escape_string($_POST['username'])."', '".$enc_password."', '".mysql_real_escape_string($_POST['confirm_password'])."')
";

Here I am assuming your variable $enc_password is the encrypted password, like:

$enc_password = md5($_POST["password"]) ;

Good Luck!

fmask
  • Do not use this code. It is **wide open** to SQL injection. How many times do I have to post that here? – Brad Mar 21 '12 at 16:42
  • Was showing the correct query to solve the user's query run problem. Updated now, thanks. – fmask Apr 05 '12 at 08:12
  • Hashes are not encryption. Also, you shouldn't be using MD5 for password hashes. Try whirlpool or something. – Brad Apr 05 '12 at 13:07
  • My answer was according to the user's question; he did not ask for security but for query correction. Nowadays MD5 is not used for passwords; you can use a salt with the password and a better encryption like SHA, e.g.: $hash = hash("sha512", $salt.$password). – fmask Apr 06 '12 at 09:59
-1
"INSERT INTO `registernow_2012`.`users` (`id` , `name` , `username` , `password`, `confirm_password`) 
VALUES (NULL , '$_POST[name]', '$_POST[username]', '$enc_password', '$_POST[confirm_password]')";

Assuming the field is "password" in the database, you were setting the field name for the password as the encoded password.

HOWEVER, you need to prevent against MySQL injection, don't just put data from post into the database.

See SQL Injection

Captain Insaneo