Problem with md5 and hash

Question

<form action="inc/login/login.php" method="post" id="userLogon">
    <div class="field required">
        Username: <input type="text" name="regduser" tabindex="1" /><br />
        </div>
        <div class="field required">
        Password: <input type="password" name="regdpass" tabindex="2" /><br />
        </div>
        <input type="submit" name="submitUser" />
</form>

PHP

<?php
ob_start();
$host="localhost"; // Host name 
$username="root"; // Mysql username 
$password=""; // Mysql password 
$db_name="ureviewdu"; // Database name 
$tbl_name="Student"; // Table name

// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['regduser']; 
$mypassword=$_POST['regdpass'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("regduser");
session_register("regdpass"); 
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();
?>

DB Submission

When I click submit for entering joe joe for user and pass. How do I get php to recognize joe for pass is actually '55abd89cb7ab6742370f0ad912fef335' ? How do i get php to be able to decipher this?

Anyone?

Answer 1

To answer your question directly, without giving an opinion on what is more secure:

When I click submit for entering joe joe for user and pass. How do I get php to recognize joe for pass is actually '55abd89cb7ab6742370f0ad912fef335' ? How do i get php to be able to decipher this?

$mypassword = md5(stripslashes($mypassword));

$sql="SELECT * FROM $tbl_name WHERE uname='$myusername' and upass='$mypassword'";
$result=mysql_query($sql);

Answer 2

Hash the password on the way in as well:

$sql = "SELECT * FROM $tbl_name
    WHERE uname = '$myusername' and upass = MD5('$mypassword')";

By the way, if your system isn't in production yet, I strongly advise you look for a more secure hashing algorithm such as SHA256. Not much of a change is required, as long as you have the ability to flush your current password records:

$sql = "SELECT * FROM $tbl_name
    WHERE uname = '$myusername' and upass = SHA2('$mypassword', 256)";

Answer 3

SELECT * FROM $tbl_name WHERE uname='$myusername' and upass=MD5('$mypassword')

However, I need to advise you to read the blog by fearless leader about using salted passwords and stronger hashing functions. Don't implement weak security.

---

If the password in the database is already salted, you need to combine the plaintext password with the same salt before hashing. Ideally, each user has its own unique random salt, stored in the same row with the uname and upass. Then you can do this:

SELECT * FROM $tbl_name WHERE uname='$myusername' 
  AND upass=MD5(CONCAT(usalt, '$mypassword'))