user2371684

Reputation: 1555

md5 password confirmation failing

Yes, I know that md5 is not a good option, and I should rather use password_hash(), but my hosting solution is on PHP version 5.3.3. Anyway, this is never supposed to be a production environment, just for training purposes, and I will soon change provider.

So I have set up some code, and I can see that the credentials I register, with the password in md5 format, are logged in the db. But when logging in with the same credentials I get the error message I set up, "invalid email or pass".

This is my code:

echo 'Current PHP version: ' . phpversion();
include_once("config.php");
session_start();

if(isset($_POST['signup'])){
    $name = $_POST['name'];
    $email = $_POST['email'];
    $pass = md5($_POST['pass']);

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
        values(:name,:email,:pass) ");
    $insert->bindParam(':name',$name);
    $insert->bindParam(':email',$email);
    $insert->bindParam(':pass',$pass);
    $insert->execute();
}
elseif(isset($_POST['signin'])){
    $email = $_POST['email'];
    $pass = $_POST['pass'];

    $select = $pdo->prepare("SELECT * FROM users WHERE email='$email' and pass='$pass'");
    $select->setFetchMode();
    $select->execute();
    $data=$select->fetch();
    if($data['email']!=$email and $data['pass']!=$pass)
    {
        echo "invalid email or pass";
    }
    elseif($data['email']==$email and $data['pass']==$pass)
    {
        $_SESSION['email']=$data['email'];
        $_SESSION['name']=$data['name'];
        header("location:aeroplane.php");
    }
}

So, the signup works fine, then the else if for signing in fails. What have I missed here?

-thanks

Upvotes: 0

Views: 222

Answers (3)

user3485259

Reputation: 21

I have looked at your code and found the error in the sign-in code.
Update the line $pass=$_POST['pass']; to

$pass = md5($_POST['pass']);

Upvotes: 0

Ankit vadariya

Reputation: 1263

echo 'Current PHP version: ' . phpversion();
include_once("config.php");
session_start();

if (isset($_POST['signup'])) {
    $name  = $_POST['name'];
    $email = $_POST['email'];
    $pass  = md5($_POST['pass']);

    $insert = $pdo->prepare("INSERT INTO users (name,email,pass)
        values(:name,:email,:pass)");
    $insert->bindParam(':name', $name);
    $insert->bindParam(':email', $email);
    $insert->bindParam(':pass', $pass);
    $insert->execute();
}
elseif (isset($_POST['signin'])) {
    $email = $_POST['email'];
    $pass  = md5($_POST['pass']); // hash the input the same way as at signup

    // Bind the values instead of interpolating them into the SQL string
    $select = $pdo->prepare("SELECT * FROM users WHERE email=:email and pass=:pass");
    $select->bindParam(':email', $email);
    $select->bindParam(':pass', $pass);
    $select->setFetchMode(PDO::FETCH_ASSOC);
    $select->execute();
    $data = $select->fetch();
    if (!$data) {
        // no row matched this email/hash pair
        echo "invalid email or pass";
    }
    else {
        $_SESSION['email'] = $data['email'];
        $_SESSION['name']  = $data['name'];
        header("location:aeroplane.php");
        exit; // stop the script once the redirect header is set
    }
}

Updated $pass = md5($_POST['pass']); in the sign-in code.

You need to use md5 at login time also.

Upvotes: 1

Oussama Ben Ghorbel

Reputation: 2119

The password is saved as md5 in the database, so you should hash it on sign-in too, in order to compare it correctly.

Solution:

Just change this $pass = $_POST['pass']; to $pass = md5($_POST['pass']);

Your code is basically comparing a non-hashed password to a hashed password, which makes no sense.

Upvotes: 1
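
Added example (not code from the question or from any answer above): a self-contained PHP script that stores the md5 hash at signup and contrasts comparing the raw input, as the question's sign-in branch does, with hashing the input first. It assumes the pdo_sqlite extension and constructed sample accounts; the signup() and signin() helpers are hypothetical names. The lookup uses a bound parameter, so an e-mail containing a quote character does not change the query, and the hash is compared in PHP.

```php
<?php
// Added example, not code from the question or the answers.
// Assumes pdo_sqlite; the table mirrors the question's users(name,email,pass).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT UNIQUE, pass TEXT)');

function signup($pdo, $name, $email, $plain)
{
    $insert = $pdo->prepare(
        'INSERT INTO users (name, email, pass) VALUES (:name, :email, :pass)'
    );
    // md5 is kept only because the page uses it
    $insert->execute(array(':name' => $name, ':email' => $email, ':pass' => md5($plain)));
}

// Returns the user row on success, false on failure.
// $hashInput = false reproduces the question's comparison of raw input.
function signin($pdo, $email, $plain, $hashInput)
{
    $candidate = $hashInput ? md5($plain) : $plain;
    $select = $pdo->prepare('SELECT name, email, pass FROM users WHERE email = :email');
    $select->execute(array(':email' => $email));
    $row = $select->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown e-mail
    }
    return ($row['pass'] === $candidate) ? $row : false;
}

// Constructed sample accounts
signup($pdo, 'Alice', 'alice@example.test', 'correct horse');
signup($pdo, 'Pat', "o'brien@example.test", 'battery staple');

$cases = array(
    'raw input vs stored hash'  => signin($pdo, 'alice@example.test', 'correct horse', false),
    'hashed input'              => signin($pdo, 'alice@example.test', 'correct horse', true),
    'wrong password'            => signin($pdo, 'alice@example.test', 'wrong', true),
    'e-mail containing a quote' => signin($pdo, "o'brien@example.test", 'battery staple', true),
);
foreach ($cases as $label => $result) {
    echo $label, ': ', ($result !== false ? 'signed in as ' . $result['name'] : 'rejected'), "\n";
}
```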
