Ken

Reputation: 67

How to use the md5 hash?

Okay, so I'm learning PHP, HTML, and MySQL to learn website development (for fun). One thing I still don't get is how to use md5 or sha1 hashes. I know how to hash the plain text, but say I want to make a login page. Since the password is hashed and can't be reversed, how would MySQL know that the user-inserted password matches the hashed password in the database? Here is what I mean:

$password = md5($_POST['password']);
$query = ("INSERT INTO `users`.`data` (`password`) VALUES ('$password')");

I know that this snippet of script hashes the password, but how would I use this piece of code and make a login page? Any working examples would be great.

Here is my script:

<?php

session_start();

include("mainmenu.php");

$usrname = mysql_real_escape_string($_POST['usrname']);
$password = md5($_POST['password']);

$con = mysql_connect("localhost", "root", "g00dfor@boy");

if (!$con) {
    die(mysql_error());
}

mysql_select_db("users", $con) or die(mysql_error());

$login = "SELECT * FROM `data` WHERE (`usrname` = '$usrname' AND `password` = '$password')";

$result = mysql_query($login);

if (mysql_num_rows($result) == 1) {
    $_SESSION['logged_in'] = true;
    header('Location: indexlogin.php');
    exit;
} else {
    echo "Wrong username or password.";
}

?>

But I still get the else statement, "Wrong username or password." Someone help plz!

Upvotes: -1

Views: 9621

Answers (7)

me22

Reputation: 641

You have a major crypto problem, too.

$password = md5($_POST['password']); 

The problem there is that all the people with identical passwords will have identical hashes, so if (when?) someone breaks into your site, they run one dictionary attack, and then compare the hashes from the attack to the hashes from your DB. As a result, they break every single account on your site for essentially the same cost as breaking one.

At a very minimum, you should salt it, something like this:

$password = md5($_POST['user'] . $_POST['password']);

But even that has surprising weaknesses, so it's better to hash it twice, maybe like this:

$password = md5($_POST['password'] . md5($_POST['password'] . $_POST['user']));

Of course, the best way of all is to use something written by someone who knows far more about doing crypto properly than I do :)

(And remember that bad perf in your authentication system is a feature.)

Upvotes: 0
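
Added example, not part of any answer on this page: the register and login flow the answers describe, written with PHP's built-in password_hash() and password_verify() (PHP 7 or later) so that each account gets its own random salt and a deliberately slow hash. The in-memory SQLite database, the function names and the sample accounts are assumptions made for the demo; the table and column names follow the question.

```php
<?php
// Added example. In-memory SQLite stands in for the question's `data` table.
function demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // bcrypt output is 60 characters and the default may change; in MySQL use VARCHAR(255).
    $db->exec('CREATE TABLE data (usrname TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

function register(PDO $db, string $usrname, string $password): void
{
    // Random per-user salt and a deliberately slow algorithm; the salt and
    // cost are encoded in the returned string, so one column stores it all.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $db->prepare('INSERT INTO data (usrname, password) VALUES (?, ?)')
       ->execute([$usrname, $hash]);
}

function login(PDO $db, string $usrname, string $password): bool
{
    // Fetch by username only: with per-user salts the hash cannot be
    // recomputed inside the WHERE clause.
    $stmt = $db->prepare('SELECT password FROM data WHERE usrname = ?');
    $stmt->execute([$usrname]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, $hash)) {
        return false; // same result for unknown user and wrong password
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Defaults were raised since this hash was stored: upgrade it now.
        $db->prepare('UPDATE data SET password = ? WHERE usrname = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $usrname]);
    }
    return true;
}

// Constructed accounts: two users sharing one password.
$db = demo_db();
register($db, 'ken', 'correct horse battery');
register($db, 'bob', 'correct horse battery');
var_dump(login($db, 'ken', 'correct horse battery'));
var_dump(login($db, 'ken', 'wrong guess'));
$hashes = $db->query('SELECT password FROM data')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]); // compares the two stored hashes of the shared password
```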

orlp

Reputation: 117641

Please use SHA1/256. MD5 is not cryptographically secure anymore and it's discouraged to use it for cryptography (it's fine for file hashes, etc.).

I'm not posting code, but explaining the technique:

First, on the registration, take the SHA1/256 hash of the password and store it in the database. The next time the user logs in you take the SHA1/256 hash of the password he/she entered again and match it against the hash stored in your database. This works because the SHA1 hash for the password is semi-unique (the chances for duplicates are small) for that password.

Upvotes: 1

bassneck

Reputation: 4043

Edited: Your code seems okay. Check if your password field in the database is at least 32 characters. And try to execute this query (changing variables to real strings) in phpMyAdmin if you use one.

Upvotes: 0

Gerard Banasig

Reputation: 1713

It hashes the password so it is not saved in clear text, e.g. mylongpassword becomes 9a995d3f6a3d69c1a9b4344bed4f2c87

Select the hashed password from the DB first

$result = mysql_query("SELECT `password` FROM `user` WHERE `username` = '" . mysql_real_escape_string($_POST['username']) . "'");
$password_from_db = mysql_result($result, 0); // first column of the first row

Then the password from ($_POST['password']) should be hashed first in PHP, then compared to the value stored in the DB

<?       
   if (md5($_POST['password'])==$password_from_db){
      return true;
   }else{
      return false;
   }
?>

Upvotes: 0

Stewart Murrie

Reputation: 1319

When the user tries to login using their password, you take the md5 of what they enter and compare it with what you've already stored in the database. If it matches, you know they entered the right password.

Upvotes: 0

Jani Hartikainen

Reputation: 43243

The answer is quite simple: You have a hash in the database, so you need to hash the user-provided password to compare them.

So when the user attempts to log in, you take the $_POST['password'] or whatever, and create a hash of it. Then, you simply query the database for the hash, SELECT * FROM users WHERE password = 'hashgoeshere'

I would also recommend you read more about secure storage of passwords. For example this is a good start: You're probably storing passwords incorrectly - Coding Horror

Upvotes: 1

tekknolagi

Reputation: 11012

Well, instead of inserting into the SQL database, assign some query to a variable and check it against the md5 given by the user.

Upvotes: 0
