3

I am creating a login system for my website using a mysql database.

When the user registers, it saves the password to the database using:

$password = hash("sha512","somesalt".$password."moresalt");

Then when I login, I compare the password entered to the password in the database using the same hash function.

To compare the database I use this:

$query = mysql_query("select * from users where password='$password' AND email='$email'", $connection);
$rows = mysql_num_rows($query);
if ($rows == 1) {
    //do login stuff
}

But rows always returns 0. When I remove the hash function from both the register and login, it logs in fine. What's wrong?

As a side note in case anyone's wondering, I would be using mysqli but my webhosting's database version is old. They are using 5.2 I believe.

I forgot to mention that I did check to make sure the database did match what it was getting as seen in these pics (can't embed pics so links):

https://drive.google.com/file/d/0B_u6weYp5wTCQng5eVhTSkZFRDg/view?usp=sharing https://drive.google.com/file/d/0B_u6weYp5wTCQVRXTkNqdzhWUFE/view?usp=sharing

3
  • Have you looked at the hash as plain text and checked if it actually exists in the database? That will tell you if the query is wrong or if the row doesn't exist in the 1st place. Commented Mar 16, 2015 at 14:53
  • basic debugging: select the row yourself, and compare the hash in the db vs. the hash you calculated. I'll bet you a shiny penny they're different, which is why your query returns no rows - no records matched. Commented Mar 16, 2015 at 14:54
  • Which length does the password column have? It may be too short and cut the hash. However, this is too little information to properly help you. At least add the login script to your original question. Commented Mar 16, 2015 at 14:54

2 Answers

3

What is the length of your password field in the database?

The reason, it seems to me, is that the hashed password is too long, and while saving to the database part of it is dropped...

Then when you compare you get 0 rows...


1 Comment

Haha wow. The whole password appeared to be in the database but I didn't check the end. It turns out my password is 128 characters long. I had my password length set to only 100.
3

Okay, I would like to suggest that you use prepared statements rather than the mysql library. It is much more secure and reliable.

$query = "SELECT * FROM `users` WHERE `email`=:email_token";

Then you prepare and execute your query:

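$data = $connection->prepare($query);
try {
    // Bind the submitted email as a parameter so it is never parsed as SQL
    $data->bindParam(":email_token", $_POST["email"], PDO::PARAM_STR);
    $data->execute();
} catch (PDOException $e) {
    exit("Database error");
}
// fetch() returns the matching row, or false when the email is unknown
$row = $data->fetch(PDO::FETCH_ASSOC);
$out = $row ? $row["password"] : null;
// Hash the submitted password the same way as at registration before comparing
$hash = hash("sha512", "somesalt".$_POST["password"]."moresalt");
// hash_equals() (PHP 5.6+) compares the two strings in constant time
if ($out !== null && hash_equals($out, $hash)) {
    // log in
} else {
    //get lost
}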

This is a very basic structure but essentially you want to pull the password out of the database first then compare the strings instead of doing it all with your query.

2 Comments

I'm still fairly new to web development, I'm just really good at using Google to get stuff done. I've seen this in examples before, but what exactly is this? The syntax looks very foreign compared to everything else I've seen. What are the benefits? Why is it more reliable? Is it better than mysqli?
Prepared statements help guard against SQL injection by taking the variable out of the query statement and putting it into a function. It is also much more object oriented and you are able to do a lot more data manipulation within your script so that you are not bound so much by procedural styles of programming.
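
An added example, not part of the original question or answers, combining both answers in one runnable script: the row is looked up by email with a prepared statement, the hashes are compared in PHP, and a truncated stored hash is reported explicitly instead of showing up as "0 rows". The in-memory SQLite database (needs the pdo_sqlite extension), table layout, sample accounts and function names are assumptions; `substr()` stands in for the too-short MySQL column.

```php
<?php
// Added example: table layout, accounts and helper names are constructed.
const HASH_HEX_LEN = 128; // SHA-512 = 64 bytes = 128 hex characters

function hashPassword(string $password): string {
    // Same scheme as the question: static salts around the password
    return hash("sha512", "somesalt" . $password . "moresalt");
}

function register(PDO $db, string $email, string $password, int $columnLen): void {
    // SQLite ignores VARCHAR limits, so substr() stands in for MySQL's
    // silent truncation of over-long values in non-strict SQL mode.
    $stored = substr(hashPassword($password), 0, $columnLen);
    $stmt = $db->prepare("INSERT INTO users (email, password) VALUES (:email, :password)");
    $stmt->execute([":email" => $email, ":password" => $stored]);
}

function login(PDO $db, string $email, string $password): string {
    // The email is bound as a parameter and never concatenated into the SQL
    $stmt = $db->prepare("SELECT password FROM users WHERE email = :email");
    $stmt->execute([":email" => $email]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return "unknown email";
    }
    if (strlen($stored) !== HASH_HEX_LEN) {
        // Points at the schema rather than at the query or the hash function
        return "stored hash truncated (" . strlen($stored) . " chars)";
    }
    return hash_equals($stored, hashPassword($password)) ? "ok" : "wrong password";
}

$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT)");

register($db, "short@example.com", "hunter2", 100); // column sized as in the question
register($db, "full@example.com", "hunter2", 128);  // column sized for SHA-512 hex

echo login($db, "short@example.com", "hunter2"), "\n";
echo login($db, "full@example.com", "hunter2"), "\n";
echo login($db, "full@example.com", "wrong"), "\n";
echo login($db, "nobody@example.com", "hunter2"), "\n";
```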
