PHP Code:
//setting variables
$reg_username = ($_POST['reg_username']);
$reg_email = ($_POST['reg_email']);
$reg_password = md5($_POST['reg_password']);
//creating a query that inserts the data into the database
$query = 'INSERT INTO users SET
user_name = "'.mysql_real_escape_string($reg_username).'",
email = "'.mysql_real_escape_string($reg_email).'",
user_pass = "'.mysql_real_escape_string($reg_password).'"
';
As I was reading over this thread yet again, I suddenly noticed this code (probably because most of it was hidden unless you scroll over a bit). That's not quite what you want. You mentioned having trouble matching against the password, and here's another thing to consider. You're actually running mysql_real_escape_string() on an MD5 hash value, the value stored in $reg_password. So basically, it might be a completely invalid string stored in the database as compared to what you're trying to input.
This is what you want to do instead, on both the registration form and the login processing form:
PHP Code:
// escape the input string
$reg_pass = mysql_real_escape_string($_POST['reg_password']);
// now run md5 on it
$md5pass = md5($reg_pass);
...which is different than doing
PHP Code:
// running the hash function on an unchecked, unescaped string!
$reg_pass = md5($_POST['reg_password']);
// INSERT INTO ... mysql_real_escape_string($reg_pass)
Now here's the twist. Technically speaking you can always omit the use of m_r_e_s() on the password field, since you're going to run MD5 on it anyway. If you look at it that way, regardless of what the input value is going to be, all the database is going to see is a 32 character hash value. See what I'm saying?
The other thing you want to look at redoing is the reassignment code. All this
PHP Code:
$somevariable = $_POST['somevariable'];
...is all unnecessary and takes up resources. If you must reassign the variables, at least reassign the output of mysql_real_escape_string() to them.
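The registration and login handling discussed in this post, as an added example that is not part of the original post or thread: bound parameters mean no escaping function touches the password, so registration and login hash the same raw bytes, and password_hash() replaces md5(). It assumes PHP 7+ with the pdo_sqlite extension; the in-memory table and the register_user() and check_login() helpers are hypothetical, and the sample input is constructed.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with the pdo_sqlite
// extension; the users table mirrors the column names used in the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    user_name TEXT PRIMARY KEY,
    email     TEXT NOT NULL,
    user_pass TEXT NOT NULL
)');

// Registration (hypothetical helper): hash the raw password and bind every
// value as a parameter, so no string is concatenated into the SQL text.
function register_user(PDO $db, string $name, string $email, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted, slow hash
    $stmt = $db->prepare(
        'INSERT INTO users (user_name, email, user_pass) VALUES (?, ?, ?)'
    );
    $stmt->execute([$name, $email, $hash]);
}

// Login (hypothetical helper): look up the stored hash by bound user name,
// then verify the raw, unescaped password against it.
function check_login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT user_pass FROM users WHERE user_name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed sample input with characters an escaping function would alter.
$_POST = [
    'reg_username' => "o'brien",
    'reg_email'    => 'obrien@example.com',
    'reg_password' => 'pa"ss\'word\\1',
];

register_user($db, $_POST['reg_username'], $_POST['reg_email'], $_POST['reg_password']);

var_dump(check_login($db, "o'brien", 'pa"ss\'word\\1'));      // same raw password
var_dump(check_login($db, "o'brien", 'pa\"ss\\\'word\\\\1')); // escaped copy of it
var_dump(check_login($db, 'nobody', 'anything'));             // unknown user
```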