Trying to check a password against MD5 in the db...

1. Post username/password
2. Escape special chars
3. Encrypt password to MD5
4. Search where = to username/password

I've tried it with the encrypted password and without the encrypted password. Checked that it's outputting the same MD5 hash as in the db but it's still saying error. I changed the code to check if the username was found and it was, so it's only the password field. Never worked with MD5 before so a little bit of a noob.

```php
<?php
//Post variables
$username = $_POST['username'];
$password = $_POST['password'];

//Connect to db (mysql_real_escape_string() needs an open connection)
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("") or die(mysql_error());

//Escape variables (the escaped value is the return value, so assign it)
$username = mysql_real_escape_string($username);

//Hash the raw password; the hex digest needs no escaping
$password = md5($password);

//Search for user/pass
$result = mysql_query("SELECT * FROM users WHERE username = '$username' and password = '$password'");

if (mysql_num_rows($result) != 0) {
    echo "Found!!";
} else {
    echo "Error, there appears to be a problem with your username/password. Please <a href=\"index.php\" title=\"Go Back\">go back</a> and try again.";
    //HTML-encode the user-supplied value before echoing it back
    echo "<br /><br />USERNAME: " . htmlspecialchars($username) . "<br />PASSWORD: $password";
}
?>
```
It should work, are you absolutely sure that the output is the same as in the db? Try adding

```php
mysql_query("INSERT INTO users (username, password) VALUES('$username', '$password')");
```

before

```php
$result = mysql_query("SELECT * FROM users WHERE username = '$username' and password = '$password'");
```

If it still doesn't work then the problem is most likely with your db structure (is the length of the password field at least 32 chars?).
Thanks. For some strange reason, it didn't like the variable name $password... I changed it to $encryptedpass and it worked fine.
Is there any particular reason why you use md5? It is a very old and outdated hashing algorithm. sha1 is better but even that is not really secure anymore.
Good point, Plussy. I hadn't really thought about it, I thought it was standard to encrypt with MD5 but you prompted me to read up on it. It appears that SHA1() and MD5() are both unsuitable encryption methods (for passwords). They're both easy to brute force. For those who come into this thread, the following article is worth a read. Source: http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash
Blowfish is a much better choice. Here is a tutorial: http://www.gregboggs.com/php-blowfish-random-salted-passwords/
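The per-user salted blowfish (bcrypt) approach recommended above, as an added example that is not part of any post in this thread: it uses PHP's built-in password_hash()/password_verify() with PDO prepared statements, and upgrades an old MD5 row on the next successful login. The in-memory SQLite table, the function names, the users and their passwords are constructed for illustration, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example: constructed schema, names and sample data, not code from the thread.
const BCRYPT_OPTS = ['cost' => 12];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');

function store_hash(PDO $db, string $username, string $hash): void {
    // Placeholders keep user input out of the SQL text, so no manual escaping is needed.
    $stmt = $db->prepare('INSERT OR REPLACE INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function register(PDO $db, string $username, string $password): void {
    // bcrypt generates a random salt per hash and embeds it, with the cost, in the output.
    store_hash($db, $username, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS));
}

function login(PDO $db, string $username, string $password): bool {
    // Select by username only: a salted hash cannot be matched in the WHERE clause,
    // because hashing the same password twice gives two different strings.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false;                               // unknown user
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // Legacy row holding a bare MD5 hex digest: check it once, then replace it.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        register($db, $username, $password);        // row now holds a bcrypt hash
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        register($db, $username, $password);        // cost was raised since this hash was made
    }
    return true;
}

register($db, 'alice', 'correct horse');            // constructed new-style user
store_hash($db, 'bob', md5('hunter2'));             // constructed legacy MD5 row
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong guess'));
var_dump(login($db, 'bob', 'hunter2'));             // succeeds and migrates bob to bcrypt
var_dump(password_get_info($db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn())['algoName']);
```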
And how do you use a salt with md5? Check the documentation: http://php.net/manual/en/function.md5.php
Face the fact that md5 is outdated, if you add a 1000 long string or not. md5 is old technology and as a developer you should always try to use the latest technology. And yes, they can be broken. Check this link: http://www.golubev.com/hashgpu.htm. They were checking 42 228 252 672 passwords in 16s. At this speed, yes, md5 and sha1 can be broken. One major problem with md5 and sha1 is that they are not encrypting, they are hashing. An md5 hash will be 32 digits long and sha1 will always have 40. So you will end up with multiple strings having the same hash. So in order to break the md5 you don't actually need to find the exact string. You can find another one that has the same hash.
Another string with the same hash won't work because the password gets salted every time before it's checked against the one in the db.

```php
// Pad the password with the leading part of a fixed salt so the hashed string is always 120 characters
$salt = "s21jSJaqodoXOMOZOom20sijsoasj129d0j10djajd9JD209jJ0J903JD3390D009D390J393J09dj9J9DJj9djdj1DJ1D91dj12019PDJJDJDIWRWis90jS";
$password = md5($password . substr($salt, 0, 120 - strlen($password)));
```

Let's say passwords are between 3 and 20 characters long, case sensitive and contain a-Z and 0-9. If we use the code above, the string that would be md5 hashed would always be 120 characters long. Since the hacker wouldn't know how long the salt is (or if there even was one) he would have to try every possible string that is at least 3 characters long. If we add special characters that would give us even more possibilities.