0

I am still working with "PHP and SQL for Dummies 4th edition". The problem I am having now is that if I should try to login with the correct password I am being told that the password is not correct, this happens for all the records I added through the PHP web file. The records I added through phpmyadmin works fine (after the removal of the encryption statements) and I can gain access to the login page after providing the correct password. I suspect the problem will be from the encryption because the password column in phpmyadmin contains the SAME ciphertext ("d41d8cd98f00b204e98009") for everything (except the record entered through phpmyadmin, which was without any encryption). I will include the part of my code that contains the encryption, maybe anyone can spot any errors in them. Code that encrypts the inputted password before checking for a match in Database:

if($num > 0) //login name was found 
{
$sql = "SELECT loginName FROM Member 
WHERE loginName='$_POST[fusername]'
AND password=md5('$_POST[fpassword]')";
$result2 = mysqli_query($cxn,$sql) 
or die("Query died: fpassword");
$num2 = mysqli_num_rows($result2); 
if($num2 > 0) //password matches 
{
$_SESSION['auth']="yes"; 
$_SESSION['logname'] = $_POST['fusername'];
$sql = "INSERT INTO Login (loginName,loginTime)
VALUES ('$_SESSION[logname]',NOW())";
$result = mysqli_query($cxn,$sql)
or die("Query died: insert");
header("Location: New_memberpage.php");
}

Code that encrypts a newly registered user's password before it is sent to the database:

else // Add new member to database
{
$sql = "INSERT INTO Member (loginName,createDate,
password,firstName,lastName,street,city,
state,zip,phone,fax,email) VALUES
('$loginName',NOW(),md5('$password'),
'$firstName','$lastName','$street','$city',
'$state','$zip','$phone','$fax','$email')";
mysqli_query($cxn,$sql); 
$_SESSION['auth']="yes"; 
$_SESSION['logname'] = $loginName;

The summary of my challenge is that the username/password login method only works well, when I add through phpmyadmin. I want to make it work when I register through the website, and why are all the ciphertext the same thing in the password column of my database even though I entered different password for all of them?

Improve this question
2
  • 1
    What's the length of the password column? It needs to be 32 to store an MD5 hash in hex format. "d41d8cd98f00b204e98009" is too short for an MD5 hash in hex format (16 bytes * 2 = 32). Commented Feb 2, 2015 at 17:39
  • Danger: MD5 is an unsuitable hashing algorithm; you need to take better care of your users' passwords. Commented Feb 2, 2015 at 17:45

2 Answers 2

Reset to default
1

d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of an empty string. So there appear to be two things wrong here:

  1. The password isn't getting passed to your SQL query properly. It's ending up hashing nothing.

  2. Your password column isn't wide enough to store the whole hash.

More importantly, though, there are a few things wrong with the tutorial you're following:

  • It is teaching you to use the "mysql" extension. This extension is deprecated, and will not be available in future versions of PHP. The "mysqli" and "PDO" extensions are preferable, as they will continue to be available in the future, and they support important security features such as prepared queries and parameter placeholders.

  • It does not appear to be teaching you to quote values passed into MySQL queries (or it's expecting you to rely on magic_quotes, which is even worse). This is likely to introduce serious security vulnerabilities into your application.

  • It is instructing you to use md5() as a password hash. This is not a secure method of storing passwords; a preferable method is the newer password_hash() / password_verify() function set. Refer to PHP's FAQ on password hashing for more information.

I'd strongly suggest that you find a newer reference text. The one you're using is significantly outdated.

Improve this answer
Sign up to request clarification or add additional context in comments.

7 Comments

OP is doing hashing in MySQL, not PHP. MySQL has SHA1() and in MySQL 5.5.5+, SHA2(). Still, the lack of a salt is a more glaring error than using MD5.
Actually, doing password hashing in the database is wrong, period! It means your plaintext passwords may be exposed in database query logs, or potentially even sent over the network if you're using a remote server. There's absolutely no reason to do it, and lots of reasons to not do it.
If you're doing it in PHP, it's already being sent over the network.
Thanks everyone. I appreciate all responses. I will get another book that will provide a better encrypting logic for the site. The password column was indeed not wide enough, I just changed it from Varchar (15) to Varchar (255) but it only increased the length of the empty hash to d41d8cd98f00b204e9800998ecf8427e from d41d8cd98f00b204e98009. I guess that leaves me with suggestion 1.
I will make sure I get a more updated tutorial. The major reason why I picked this one is because it is easily understandable. Everything was explained thoroughly. I will gladly use another one if it is as explanatory as this one.
|
0

I have discovered the error in my program. I was using the same variable name "password" to connect to my database (with empty quotes). The password declared with the host, username and database was overwriting the password in my table. I changed all the connect "password" to "passwrd" and I was able to view the passwords in my database. Thanks for all the replys at least I now know md5 is not very safe for sensitive data. Different identifiers must always be used for all variable names!

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.