Zeb99

Reputation: 103

Checking md5(password) match value stored in mysql

I can't figure out why this isn't working. At registration I have (in PHP):

$data['salt'] = randomStr(3);
$data['password'] = md5($data['salt'].md5($data['password']));

Then I have an iOS app passing an MD5 encrypted pw ($xpassword) to the web app. So I thought if I use:

$q1_result = mysql_query("SELECT password, salt FROM `members` WHERE `username`='". $username. "'");
$row = mysql_fetch_array($q1_result);
echo "this should match? = " .md5($xpassword.($row['salt']));

The echo'd value should match that stored in the database as password...

...but it doesn't. Any help would be much appreciated.

Upvotes: 1

Views: 2411

Answers (3)

Phil H.

Reputation: 362

In SQL you need to concatenate the string:

SELECT * FROM users WHERE username = 'blah' AND password = MD5(CONCAT(salt, password))

Upvotes: 0

Michael Berkowski

Reputation: 270599

You are double-hashing the password part:

// Don't pre-hash the password before hashing with the salt!
$data['password'] = md5($data['salt'].md5($data['password']));
//---------------------------------^^^^^^^^^

You should only be hashing the entire concatenation of salt and password.

// Hash only the entire combination of salt . password
$data['password'] = md5($data['salt'].$data['password']);

And as already mentioned, reverse the order of the concatenation in your test:

md5($row['salt'] . $xpassword);

Upvotes: 3

MrCode

Reputation: 64526

It won't match because you have the order wrong:

md5($row['salt'] . $xpassword)

In the first code you have salt + password, in the second code you have password + salt.

As @Michael also points out, you are double hashing the password which will mean it won't match.

Upvotes: 8
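
Added example, not part of the question or any answer above: it replays the registration hash from the question and compares the login-side concatenations discussed in the thread, then shows the same password stored with PHP's built-in password API. It assumes the iOS app sends md5(password) as $xpassword; the function names register_hash and verify_prehashed and all sample values are hypothetical.

```php
<?php
// Added example; every value below is constructed for illustration.

// Registration exactly as in the question: md5(salt . md5(password)).
function register_hash(string $salt, string $password): string
{
    return md5($salt . md5($password));
}

// Login check for a client that sends md5(password) as $xpassword.
// The salt goes first, as at registration, and hash_equals() compares
// the two digests in constant time.
function verify_prehashed(string $stored, string $salt, string $xpassword): bool
{
    return hash_equals($stored, md5($salt . $xpassword));
}

$salt      = 'a9Q';               // constructed 3-character salt
$password  = 'correct horse';     // constructed password
$stored    = register_hash($salt, $password);
$xpassword = md5($password);      // assumption: the app sends md5(password)

$checks = [
    // Order from the question's echo line: hash first, salt last.
    'md5(xpassword . salt)' => md5($xpassword . $salt) === $stored,
    // Salt first, client value already an MD5 digest.
    'md5(salt . xpassword)' => verify_prehashed($stored, $salt, $xpassword),
    // Salt first, but the client sent the plaintext instead of its digest.
    'md5(salt . plaintext)' => verify_prehashed($stored, $salt, $password),
];
foreach ($checks as $label => $matches) {
    printf("%-24s %s\n", $label, $matches ? 'matches' : 'does not match');
}

// Salted MD5 is cheap to brute-force. password_hash() uses a slow
// algorithm and stores its own random salt inside the hash string,
// so no separate salt column or concatenation order is involved.
$hash = password_hash($password, PASSWORD_DEFAULT);
printf("%-24s %s\n", 'password_verify()',
    password_verify($password, $hash) ? 'matches' : 'does not match');
```

Only the salt-first check on the pre-hashed value reproduces the stored registration hash; the other two MD5 variants feed different bytes into md5() and therefore produce different digests.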
