MD5 password login problem

Asked

Viewed 707 times

1

Login form:

<form id="1" name="1" action="pass.php" method="post">
<div class="login">

    <input placeholder="Usuário" type="text" id="username" size="25" name="name" /><br>
    <input placeholder="Senha" id="pass" type="password" size="25" name="pass" /><br>
    <input type="submit" name="1" value="Login" /> 
    <input type="hidden" name="ed_type" value="" /> 
    <input type="hidden" name="redirect" value="<? echo $redirect;?>" />
</div>
</form>

php pass.

    <?
        session_start();
        $usuario_admin=isset($_SESSION['1x11'])?$_SESSION['1x11']:'';

       include("conf.inc.php");
       include("conectar.php");

  $query="select * from admin where username='".$_POST["name"]."' and pass=MD5('".$_POST["pass"]."')";
      $result=mysql_query($query,$db);
      $row=mysql_fetch_array($result);
      $total = mysql_num_rows($result);
      $name=$_POST['name'];
      $pass=$_POST['pass'];
      $ADMIN_USERNAME=$row["username"];
      $ADMIN_PASSWORD=$row["pass"];

      if($total>0){   
          if($name==$ADMIN_USERNAME && $pass==$ADMIN_PASSWORD){
              if($usuario_admin!='') $_SESSION['1x11']="";
              $_SESSION["1x11"] = $name;
              $_SESSION['logedin'] = true;
              $_SESSION["type"] = $row["type"];
              $_SESSION["usrname"] = $name;
              $_SESSION["logid"] = $row["id"];
              header("Location:index2.php");
          }
      } else {
        header("Location:index.php?id=1");
      }
    ?>

PHP to update password by form after login:

<?
       include_once("conf.inc.php");
       include("conectar.php");

    $sel="select * from admin where id='".$_SESSION["logid"]."'";
    $ressel=mysql_query($sel);
    $rowsel=mysql_fetch_object($ressel);
    $name=stripslashes($rowsel->username);
    $title=stripslashes($rowsel->pass);



if(isset($_POST['submit'])){
    $title = addslashes($_POST["title"]);
    $sql="update admin set pass=MD5('".$title."') where id='".$_SESSION["logid"]."'";         
    $ressql=mysql_query($sql) or die("Erro ao atualizar a senha!");
    header('location:message.php?msg=55');
}
?>

Guys, I’m having a problem here, I’m not getting the login to work.

To update the password after login it works normally and registers in DB as MD5, but when you log out and try to log in again it does not work, say the password is wrong.

What may be happening? It seems that it is not converting to MD5 when logging in...

php mysql sql login md5

3 answers

1

I noticed two details in your code:

The first is that when checking the password you are using PHP’s md5 function

$query="select * from admin Where username='". $_POST["name"]." ' and pass='".md5($_POST["pass"])."'";

The second is that when doing the password update in the database, you are using the MD5 function provided by your database:

$sql="update admin set pass=MD5('$title') Where id='". $_SESSION["logid"]."'";

In my opinion, a good practice is to always use the same method (even if the algorithm is the same), so a hint is to use either the database’s MD5 method or the PHP method in both cases.

But back to your mistake...

You forgot to concatenate the password to the hash method, when updating the password, you are always using the string $title.

Try this way:

$sql="update admin set pass=MD5('".$title."') where id='".$_SESSION["logid"]."'";

  • Hello Diogo, thanks for the tips! So, actually the problem is with the file pass.php, because I can not login. Password change works normally. I upgraded to the MD5 database method for both, made the correction of the part you mentioned but the problem persists, does not log in. :/

  • 1

    I updated the question with the correct codes, as mentioned..

1

I had a problem so because the bank was generating uppercase and nodejs in my case lowercase at the time of comparing are different: example c8d11180c956e5b5afc3d1970ce2193e <> C8D11180C956E5B5AFC3D1970CE2193E

  • I checked in the bank and he’s saving everything in minuscule. How can I know if he’s capitalizing when comparing?

1

As the colleague said, using language and bank md5 methods may be that of some difference, although I find it unlikely.

I suggest you remove the MD5(...) and use this conversion before:

$passwd = md5($passhaDoUsuario);

I used $senhaDoUsuario you are using two different variables then replace with the corresponding one, and consecutively use the new variable in the query $passwd;

Another thing this stretch down, change it by the quoted up.

$title = addslashes($_POST["title"]);

For the addslashes may be adding some \ in your password where it should not, and with the conversion to md5 as I mentioned will already eliminate SQL Injection at least in this variable.

  • Boy, I did what you said but to no avail, it doesn’t work at all... it doesn’t log in, what could be happening? If I remove the MD5, it logs in normally.

Browser other questions tagged php mysql sql login md5

You are not signed in. Login or sign up in order to post.