PHP problem - login the user with md5 hash.

Stefany93

Hello colleagues,


Please help me! I have this little annoying problem. When I want to log the user in using PHP and MySQL everything goes OK, using plain text as password. The thing is that I want the passwords my users enter into the MySQL database to be md5 hash encrypted, so that if any evil user breaks into the database he wouldn't be able to see the passwords.

So long story short, here is the code, and please tell me what I have done wrong and why the user can't log in using the md5 hash even though they can register and the MySQL database receives the passwords md5 hashed.

PHP:
		// Registration process file

		$con = mysql_connect("localhost","root","");

		global $con;

		$nickname = $_POST['nickname'];
		$password = $_POST['password'];
		$email = $_POST['email'];
		$name = $_POST['name'];

		// md5() returns a 32-character hexadecimal string
		$password_hash = md5($password);

		if (!$con)
		{
			die('Could not connect: ' . mysql_error());
		}

		mysql_select_db("first_database");

		// User input is interpolated directly into the SQL string
		$sql="INSERT INTO users (username, password, firstname, email)VALUES('$nickname','$password_hash','$name', '$email')";

		if (!mysql_query($sql,$con))
		{
			die('Error: ' . mysql_error());
		}
		echo "1 record added";

		mysql_close($con);
And here is the login process file.

PHP:
			<?php

			require 'mysql.php';

			$nickname = $_POST['nickname'];
			$password = $_POST['password'];

			// Hash the submitted password the same way the registration script does
			$password_hash = md5($password);

			if(!empty ($nickname) and !empty ($password)){

				// User input is interpolated directly into the SQL string
				$query = "SELECT id FROM users WHERE username='$nickname' AND password='$password_hash'";

				if($query_run = mysql_query($query)){

					$mysql_num_rows = mysql_num_rows($query_run);

					if($mysql_num_rows==0){

						echo 'Password/username error!';

					}else if($mysql_num_rows==1){

						$user_id = mysql_result($query_run, 0, 'id');
						$_SESSION['user_id']=$user_id;
						header('Location: index.php');

						echo 'You are now logged in!';

					}
				}
			}

			?>

This is the root account of my local server.
Thank you very much!!

Best Regards
Stefany
 

Thank you
 

There's no polite way to put this... Your scripts are a serious disaster area just waiting for an SQL injection. If you learned this stuff from a book then throw it away. If you learned it from a website then delete the bookmark.

You really need to do some reading to know why virtually everything in those scripts is bad bad bad.

Start here: PHP: SQL Injection - Manual

If you go elsewhere for help with this and don't get told the same thing then take whatever advice you've been given as being wrong.

Use PDO and prepared statements: PHP: PDO - Manual

Also, don't use MD5(); use crypt() and learn about salting your hashes.

Expect that once you've learned how to work securely with your database, your code will probably have other issues.

https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
 

@murmatron Thank you very much for the information, don't worry I think you were very polite because you told me what I have done wrong, thank you very much again. 1 more question please. The crypt() tag, is it the same as md5 hash or a better way to do the hashing?

Thank you again!
 

PHP: crypt - Manual

crypt is similar to md5 (it produces a hash) except you can choose a different (better) algorithm and a salt string.
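
The advice in the two replies above (PDO with prepared statements, and a salted hash instead of md5()), as an added example that is not code from the thread. It assumes PHP 7.1+ with the pdo_sqlite extension and uses password_hash()/password_verify(), PHP's wrappers around crypt(); the in-memory database, the helper names register_user/login_user and the sample account are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// original post; the in-memory SQLite database and the account are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// The password column must hold the full hash string. In MySQL the PHP manual
// suggests 255 characters; a column that is too short silently truncates it.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL
)');

function register_user(PDO $pdo, string $nickname, string $password): void
{
    // password_hash() wraps crypt(): it selects the algorithm (currently
    // bcrypt) and generates a random salt for every call.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $nickname, ':p' => $hash]);
}

function login_user(PDO $pdo, string $nickname, string $password): ?int
{
    // Select by username only. A salted hash of the same password differs on
    // every call, so it cannot be matched in the WHERE clause as md5() was.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $nickname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown username
    }
    // password_verify() reads the salt stored inside the hash string,
    // recomputes the hash and compares the two in a timing-safe way.
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

// The apostrophe in this name is bound as data, so it cannot alter the query.
register_user($pdo, "o'brien", 'correct horse battery');
var_dump(login_user($pdo, "o'brien", 'correct horse battery')); // matching password
var_dump(login_user($pdo, "o'brien", 'wrong password'));        // rejected
var_dump(login_user($pdo, 'nobody', 'correct horse battery'));  // unknown user
```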
 

Thank you very much murmatron, much appreciated!
 
