md5 salt hash can't find equal entry in DB

Question

For now I am trying to check if in MysSql database is same password. But I am failing and I don't get it why.

$username = 'blablabla';
$password = 'blablabla.';
$salt = 'blablabla';
$new = md5($password.md5($salt));
echo($new);
$q=mysql_query("SELECT * FROM mdl_user WHERE username = '$username' AND password = '$new'");
while($e=mysql_fetch_assoc($q))
    $output[]=$e;
print(json_encode($output));

In config file which defines salt word I used the same as above.

EDITED: Is it possible to get hash algorythm from this code?

function validate_internal_user_password($user, $password) {
global $CFG; 
if (!isset($CFG->passwordsaltmain)) { 
$CFG->passwordsaltmain = ''; 
} 
$validated = false; 
if ($user->password === 'not cached') { 
// internal password is not used at all, it can not validate 
} else if ($user->password === md5($password.$CFG->passwordsaltmain) 
    or $user->password === md5($password) 
    or $user->password === md5(addslashes($password).$CFG->passwordsaltmain) 
    or $user->password === md5(addslashes($password))) { 
// note: we are intentionally using the addslashes() here because we 
//       need to accept old password hashes of passwords with magic quotes 
$validated = true; 
} else { 
for ($i=1; $i<=20; $i++) { //20 alternative salts should be enough, right? 
    $alt = 'passwordsaltalt'.$i; 
    if (!empty($CFG->$alt)) { 
        if ($user->password === md5($password.$CFG->$alt) or $user->password === md5(addslashes($password).$CFG->$alt)) { 
            $validated = true; 
            break; 
        } 
    } 
} 
} 
if ($validated) { 
// force update of password hash using latest main password salt and encoding if needed 
update_internal_user_password($user, $password); 
} 
return $validated; 

EDITED I tried this code:

$username = 'admin';
$password = 'Vidsodis25.'+'Karolina';
$new = md5($password);
echo($new);
$q=mysql_query("SELECT * FROM mdl_user WHERE password = '$new'");
while($e=mysql_fetch_assoc($q))
    $output[]=$e;
print(json_encode($output));

Database uses same salt word Karolina. But still can't find correct one.

Answer 1

As others have said in the comments, either:

1. The password/name/salt is incorrect (bad input)
2. The hash is incorrect (generated differently or with different salt)
3. The hash is incorrect for the given user (e.g. it doesn't match, no record, etc)

Now, the way the hashing is done looks ... wrong. The idea of a salt is to stop rainbow table attacks, which makes the attacker have to rely on brute force to "crack" a given password.

Anyway, for each new password hash saved, generate a new random salt value (like, say, 128 bits or more). This one-of-a-kind nonce is then used to salt the password before it is hashed. The hash and the salt are then saved together (they are often combined into a value, but it's okay if they are in separate columns).

So, to make sure the password is valid:

1. Find the row representing the user first and extract the hash and salt
2. Generate the hash from the password using the salt; if hash/salt was saved as a combined value separate it first as needed
3. Verify the generated hash and the stored hash

That is, the query should likely not search for username = '$username' AND password = '$new'" (where password should really be called hash or similar) because the salt needs to be available to generate the correct hash again. In the above code snippets it's doing some monkey business with 20-some different preset salts. This is not the correct way to do it, and requires that each one of the potential salts is used in the hash generation so the "right hash" can be found. (Translated into the select in the post this would require up to 20 different executions and/or use of in or something similar.)

In addition, do not use MD5 for password hashes. It is too easy to brute force. Do not use SHAx either; it is still too fast as it was not designed for this purpose either. Use something like bcrypt or scrypt. If you do want a "server salt" (which is a good additional layer) then use an HMAC. This does not replace the normal salt. Oh, and please don't use SQL-injection prone code!

I would use an existing well-vetted library :)

Happy coding.