Reputation: 15
I am still working with "PHP and SQL for Dummies 4th edition". The problem I am having now is that if I try to log in with the correct password I am told that the password is not correct; this happens for all the records I added through the PHP web file. The records I added through phpmyadmin work fine (after the removal of the encryption statements) and I can gain access to the login page after providing the correct password. I suspect the problem is with the encryption, because the password column in phpmyadmin contains the SAME ciphertext ("d41d8cd98f00b204e98009") for everything (except the record entered through phpmyadmin, which was without any encryption). I will include the part of my code that contains the encryption; maybe someone can spot an error in it. Code that encrypts the inputted password before checking for a match in the database:
if($num > 0) //login name was found
{
    // password is hashed by MySQL's md5() inside the query
    $sql = "SELECT loginName FROM Member
            WHERE loginName='$_POST[fusername]'
            AND password=md5('$_POST[fpassword]')";
    $result2 = mysqli_query($cxn,$sql)
        or die("Query died: fpassword");
    $num2 = mysqli_num_rows($result2);
    if($num2 > 0) //password matches
    {
        $_SESSION['auth']="yes";
        $_SESSION['logname'] = $_POST['fusername'];
        $sql = "INSERT INTO Login (loginName,loginTime)
                VALUES ('$_SESSION[logname]',NOW())";
        $result = mysqli_query($cxn,$sql)
            or die("Query died: insert");
        header("Location: New_memberpage.php");
    }
}
Code that encrypts a newly registered user's password before it is sent to the database:
else // Add new member to database
{
    // password is hashed by MySQL's md5() inside the query
    $sql = "INSERT INTO Member (loginName,createDate,
            password,firstName,lastName,street,city,
            state,zip,phone,fax,email) VALUES
            ('$loginName',NOW(),md5('$password'),
            '$firstName','$lastName','$street','$city',
            '$state','$zip','$phone','$fax','$email')";
    mysqli_query($cxn,$sql);
    $_SESSION['auth']="yes";
    $_SESSION['logname'] = $loginName;
}
The summary of my challenge is that the username/password login method only works well when I add records through phpmyadmin. I want to make it work when I register through the website, and why is all the ciphertext the same in the password column of my database even though I entered a different password for each of them?
Upvotes: 0
Views: 1195
Reputation: 15
I have discovered the error in my program. I was using the same variable name "password" to connect to my database (with empty quotes). The password declared with the host, username and database was overwriting the password in my table. I changed all the connect "password" to "passwrd" and I was able to view the passwords in my database. Thanks for all the replies; at least I now know md5 is not very safe for sensitive data. Different identifiers must always be used for all variable names!
Upvotes: 0
Reputation:
d41d8cd98f00b204e9800998ecf8427e is the MD5 hash of an empty string. So there appear to be two things wrong here:
The password isn't getting passed to your SQL query properly. It's ending up hashing nothing.
Your password column isn't wide enough to store the whole hash.
More importantly, though, there are a few things wrong with the tutorial you're following:
It is teaching you to use the "mysql" extension. This extension is deprecated, and will not be available in future versions of PHP. The "mysqli" and "PDO" extensions are preferable, as they will continue to be available in the future, and they support important security features such as prepared queries and parameter placeholders.
It does not appear to be teaching you to quote values passed into MySQL queries (or it's expecting you to rely on magic_quotes, which is even worse). This is likely to introduce serious security vulnerabilities into your application.
It is instructing you to use md5() as a password hash. This is not a secure method of storing passwords; a preferable method is the newer password_hash() / password_verify() function set. Refer to PHP's FAQ on password hashing for more information.
I'd strongly suggest that you find a newer reference text. The one you're using is significantly outdated.
Upvotes: 1
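The points in the answer above (mysqli prepared statements with placeholders instead of interpolated form values, and password_hash()/password_verify() instead of md5()) put together as one working registration and login pair. This is an added example, not code from the question, the book, or the answer. It reuses the question's connection handle $cxn, the Member table, its loginName/password columns and the fusername/fpassword form fields; the connection details, the variable name $dbPasswrd and the column width in the CREATE TABLE comment are assumptions.

```php
<?php
// Added example: mysqli prepared statements + password_hash()/password_verify().
// Assumes a table like the question's, but with a password column wide enough
// for a modern hash (assumption):
//   CREATE TABLE Member (loginName VARCHAR(64) PRIMARY KEY,
//                        createDate DATETIME, password VARCHAR(255));

declare(strict_types=1);

// Keep the connection password in its own variable ($dbPasswrd, hypothetical
// name) so it can never collide with the user's $password, which is the
// collision the asker eventually found. Host/user/db names are assumptions.
$dbPasswrd = '';
$cxn = mysqli_connect('localhost', 'dbuser', $dbPasswrd, 'MemberDirectory');
if ($cxn === false) {
    die('Could not connect: ' . mysqli_connect_error());
}

function register_member(mysqli $cxn, string $loginName, string $password): bool
{
    // PASSWORD_DEFAULT is bcrypt today; the salt is generated for you and
    // stored inside the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // The ? placeholders keep user input out of the SQL text entirely, so no
    // quoting (and no magic_quotes) is involved.
    $stmt = mysqli_prepare(
        $cxn,
        'INSERT INTO Member (loginName, createDate, password) VALUES (?, NOW(), ?)'
    );
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $loginName, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

function verify_login(mysqli $cxn, string $loginName, string $password): bool
{
    // Fetch the stored hash and compare in PHP; the database never sees the
    // plaintext, unlike the md5('$_POST[fpassword]') pattern in the question.
    $stmt = mysqli_prepare($cxn, 'SELECT password FROM Member WHERE loginName = ?');
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $loginName);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $storedHash);
    $found = mysqli_stmt_fetch($stmt);   // true = row, null = no row, false = error
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        return false;                    // unknown login name
    }
    // password_verify() does a constant-time comparison against the stored hash.
    return password_verify($password, $storedHash);
}

// Usage with the question's form field names and session keys.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && isset($_POST['fusername'], $_POST['fpassword'])) {
    session_start();
    if (verify_login($cxn, $_POST['fusername'], $_POST['fpassword'])) {
        $_SESSION['auth'] = 'yes';
        $_SESSION['logname'] = $_POST['fusername'];
        header('Location: New_memberpage.php');
        exit;
    }
    echo 'Login failed.';
}
```

Because the hash is computed in PHP rather than in the query, an empty or missing form value still produces a hash of the empty string, but password_verify() then simply fails for any real password, and the stored value is no longer a fixed, recognisable constant the way the md5 of "" was in the question.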