trouble using md5 for a password check



Becon
01-14-2008, 06:49 AM
ok....I made a registration screen that encodes the user's password into md5 encryption and stores it into a database. Everything works alright with that....however..after that I made a login screen that asks for the username and the pw and compares it to what is stored in the DB. The problem with my coding is that I'm having trouble taking the password that is typed into the login screen and converting it to the md5 BEFORE the comparison is made. Example:
ID | USERNAME | MD5 ENCRYPTION (pw is 1234 btw) | E-MAIL ADDRESS
1 | 1234 | 81dc9bdb52d04dc20036dbd8313ed055 | 1234@1234.com

I type in 1234 as the username, and 1234 as the password and it is comparing the pw of 1234 to md5 encryption of 81dc9bdb52d04dc20036dbd8313ed055 and coming back negative. If I use 81dc9bdb52d04dc20036dbd8313ed055 as the password it works but that kind of defeats the purpose. =o)~

I just can't seem to type the md5 part out right for recalling it. Can anyone help? Here is my code:



<?php
ob_start();
$host="localhost"; // Host name
$username="username"; // Mysql username
$password="password"; // Mysql password
$db_name="db_name"; // Database name
$tbl_name="members"; // Table name

mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='.md5($mypassword).'";
$result=mysql_query($sql);

$count=mysql_num_rows($result);
if($count==1){
session_register("myusername");
session_register("mypassword");
header("location:logged_in.php");
}
else {
echo "Username or Password not registered!";
}

ob_end_flush();
?>


Thank you all!!!

Becon
01-14-2008, 07:58 AM
Found it.
Should have been:

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='".md5($mypassword)."'";

StupidRalph
01-14-2008, 08:06 AM
Pesky quotation marks :). You have to be careful with user input tho. I don't see you validating the user input and they could bypass the password field altogether with SQL injection.

mysql_real_escape_string() (http://www.php.net/mysql-real-escape-string)
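
Added example (not code from any poster in this thread): the same login check written with a PDO prepared statement, so the username and password never become part of the SQL text and the hash is computed in PHP before the comparison. PDO is used because the mysql_* functions in the thread were removed in PHP 7; the in-memory SQLite table and the helper name check_login() are assumptions made so the script runs on its own.

```php
<?php
// Constructed in-memory SQLite table standing in for the thread's
// MySQL "members" table, so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, email TEXT)');

// Same row as the thread: username 1234, password 1234 stored as its MD5 hex digest.
$ins = $pdo->prepare('INSERT INTO members (username, password, email) VALUES (?, ?, ?)');
$ins->execute(['1234', md5('1234'), '1234@1234.com']);

/**
 * check_login() is a hypothetical helper, not code from the thread.
 * Returns true only when the username exists and the MD5 of the
 * submitted password equals the stored digest.
 */
function check_login(PDO $pdo, string $username, string $password): bool
{
    // The placeholder keeps user input out of the SQL text entirely,
    // so quotes in $username are compared as data, never parsed as SQL.
    $stmt = $pdo->prepare('SELECT password FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // Hash the submitted password in PHP, then compare in constant time.
    return hash_equals($stored, md5($password));
}

// Constructed inputs: a valid login, a wrong password, the raw hash typed
// as the password, and a username containing a quote character.
$cases = [
    ['1234', '1234'],
    ['1234', 'wrong'],
    ['1234', '81dc9bdb52d04dc20036dbd8313ed055'],
    ["12'34", '1234'],
];
foreach ($cases as [$user, $pass]) {
    printf("%-8s %-34s %s\n", $user, $pass, check_login($pdo, $user, $pass) ? 'accepted' : 'rejected');
}
```

MD5 is kept here only so the digest matches the row shown in the thread; for new tables PHP's built-in password_hash() and password_verify() replace it.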


