Password Hashing

Normo · 12-11-2008, 12:02 PM

Hey I'm having some problems with hashing passwords into a database and then comparing them to a user input.

Here's my code:

PHP Code:


			
if(isset($_REQUEST['username'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());


$_SESSION['username'] = $_POST['username'];
$_SESSION['password'] = md5($_POST['password']);
$result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
$row = mysql_fetch_array($result);
$num = mysql_num_rows($result);

if($num != "0" && $password == $row['Password']) {
header('location:new.php');
}
else {
session_unset();
session_destroy();
}

mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());

$_SESSION['userReg'] = $_POST['userReg'];
$_SESSION['passReg'] = md5($_POST['passReg']);
$sql = mysql_query("INSERT INTO Users
(Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
echo "You are now registered!";

mysql_close($con);
}

I have the script running fine without hashing the passwords, just when I add the MD5 function it goes wrong.

I do manage to hash the password into the database but it doesn't work when the user logs in.

Also it doesn't hash the password every time. Sometimes it just enters the password as plain text into the database.

Any help would be appreciated. :)

CoryMathews · 12-11-2008, 01:01 PM

It seems to me that you are setting the password with encryption into the session here

$_SESSION['password'] = md5($_POST['password']);

and then trying to check a variable called password here.

if($num != "0" && $password == $row['Password']) {

You do this in the register as well. This is the problem. There is no need to store that stuff in the session for now just setting it to the variable would work. Otherwise your logic seems good.

Normo · 12-11-2008, 05:43 PM

Thanks that does make sense, however even when I take out the sessions it still doesn't work! It just says says "Username or Password was wrong" although I can't figure out why?! :S

PHP Code:


			
if(isset($_REQUEST['username'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());

$_SESSION['username'] = $_POST['username'];
$username = $_POST['username'];
$password = md5($_POST['password']);
$result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
$row = mysql_fetch_array($result);
$num = mysql_num_rows($result);

if($num != "0" && $password == $row['Password']) {
header('location:new.php');
}
else {
session_unset();
session_destroy();
}

mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());

$userReg = $_POST['userReg'];
$passReg = md5($_POST['passReg']);
$sql = mysql_query("INSERT INTO Users
(Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
echo "You are now registered!";

mysql_close($con);
}

Normo · 12-14-2008, 11:14 AM

Can anyone help with my problem?

Salathe · 12-14-2008, 01:01 PM

The code you posted above does not contain the string "Username or Password was wrong" so we can't see the process leading to that message being displayed.

Normo · 12-17-2008, 11:00 AM

Ah sorry here is my entire code:

PHP Code:


			
<?PHP
if(isset($_REQUEST['username'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());

$_SESSION['username'] = $_POST['username'];
$username = $_POST['username'];
$password = md5($_POST['password']);
$result = mysql_query("SELECT Password FROM Users WHERE Username = '$username'");
$row = mysql_fetch_array($result);
$num = mysql_num_rows($result);

if($num != "0" && $password === $row['Password']) {
header('location:new.php');
}
else {
session_unset();
session_destroy();
}

mysql_close($con);
}
if(isset($_REQUEST['userReg'])){
session_start();
$con = mysql_connect("localhost","","") or die('Could not connect: ' . mysql_error());

mysql_select_db("normo_mydb") or die(mysql_error());

$userReg = $_POST['userReg'];
$passReg = md5($_POST['passReg']);
$sql = mysql_query("INSERT INTO Users
(Username, Password) VALUES('$userReg','$passReg')") or die(mysql_error());
echo "You are now registered!";

mysql_close($con);
}
?>

<html>
<body>

<?PHP if(isset($_REQUEST['username'])){ echo "<b>Username or password was wrong!</b>"; } ?>
<form method="post" action="login.php">
<input type="text" name="username" /><br />
<input type="password" name="password" /><br />
<input type="submit" value="Login" />
</form>
<br />
<br />
<fieldset>
<legend>Register an Account:</legend>
<form method="post" action="login.php">
<input type="text" name="userReg" /><br />
<input type="password" name="passReg" /><br />
<input type="submit" value="Register" />
</form>
</legend>
</fieldset>

</body>
</html>