
I have made a register script with md5 but now I have to log in with it. I have tried many things but they didn't work.

This is my code:

```php
if (isset($_POST['sub'])) {
    include_once("Connect.php");
    $username = mysqli_real_escape_string($dbcon, $_POST['username']);
    $password = mysqli_real_escape_string($dbcon, $_POST['password']);
    $password = md5($_POST['password']); // hashing pass

    $sql = "SELECT * FROM users WHERE userName = '{$username}' and userPassword = '{$password}'";

    $query = mysqli_query($dbcon, $sql) or die(mysqli_error($dbcon));
    $count = mysqli_num_rows($query);

    if ($count > 1) {
        $row = mysqli_fetch_row($query);
        $userId = $row[0]; // takes id from DataBase
        $dbUsername = $row[1]; // takes username from DataBase
        $dbPassword = $row[2]; // takes userpass from DataBase
        $_SESSION['password'] = $dbPassword;
        $_SESSION['username'] = $dbUsername;
        $_SESSION['id'] = intval($userId);
        $_SESSION['login'] = TRUE; // if username and pass are correct it logs in
        header('location: login.php');
        die(); // using die() after header()
    } else {
        echo "incorrect username or password.";
    }
}
```

Thanks all for your comments.

The solution:

```php
$inlogcrypt = md5($password);

$sql = "SELECT * FROM users WHERE userName = '".$username."' and userPassword = '".$inlogcrypt."'";
```
fy.
  • **Do not** hash passwords with MD5. Use the Password Hashing API of PHP. There exists a compatibility script on GitHub if you don't have PHP 5.5 yet. – Charlotte Dunois Feb 29 '16 at 11:11
  • What does that mean, you tried many things? That didn't work? What have you tried and what didn't work? – B001ᛦ Feb 29 '16 at 11:12
  • The code is right if, in the database, the column `userPassword` has the `md5` value saved. – Lorenzo Belfanti Feb 29 '16 at 11:14
  • @bub I have tried different codes but none of them worked – fy. Feb 29 '16 at 11:52
  • @Furkanyavuz is the password field large enough to store the md5 key? – arc Feb 29 '16 at 11:53
  • This `Connect.php` is unknown as to which MySQL API is used to connect with. `mysql_`? `mysqli_`? PDO? You omitted the HTML form that should have been posted, and we don't know if it does contain form tags, if a post method is used and if all elements bear the matching name attributes. MD5 produces a 32-length string, so make sure the password length is equal to or greater than that. Make sure that no whitespace is being introduced. Other than this, there isn't anything else to ask. All I can say is this, and check for errors. You're not doing that via PHP, and unknown if the session was started. – Funk Forty Niner Feb 29 '16 at 12:34
  • @Fred -ii- It connects with mysqli_. I have a 32-length string, and it doesn't show any errors. – fy. Feb 29 '16 at 12:40

1 Answer

If you're new to PHP, I wouldn't recommend starting with building a custom CMS.

To learn more about (different types of) authentication, you can:

  • Read this guide about basic authentication with PHP/PDO.
  • Use PHPAuth.
  • Use OpenID so you don't have to handle login data.

The first link will show you how to

  1. Use PDO instead of mysql(i).
  2. Filter submitted data (although I'll admit they do it in a somewhat ugly way, but it's easy to understand).
  3. Use `$_SESSION` to store session data.
  4. Use that same session data to require authentication on some pages.

Just know that logins contain sensitive data and there's a lot more you should learn before building a platform that you want people to use.

I just mentioned some things about logins, but you should also learn more about hashing (don't use md5 for logins, I recommend bcrypt) and program structures.

Community
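The comments and the answer above recommend PHP's Password Hashing API (bcrypt) and PDO in place of MD5. The following is an added example, not code from the question or its answers: a login check that accepts the existing MD5 rows once and rewrites them with `password_hash()` on the first successful login. It assumes PHP 7.1 or later with the PDO SQLite driver, an in-memory table that reuses the page's `users`, `userName` and `userPassword` names, a hypothetical `id` column, and constructed sample accounts.

```php
<?php
// Added example, not the asker's code. The table layout, the `id` column and
// the sample accounts below are assumptions made for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userName TEXT UNIQUE, userPassword TEXT)');

// Constructed rows: one legacy MD5 account, one already on password_hash().
$ins = $db->prepare('INSERT INTO users (userName, userPassword) VALUES (?, ?)');
$ins->execute(['alice', md5('correct horse')]);
$ins->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT)]);

/** Returns the user id on success, or null on any failure. */
function login(PDO $db, string $username, string $password): ?int
{
    // Look the row up by username only; the password never goes into the SQL.
    $stmt = $db->prepare('SELECT id, userPassword FROM users WHERE userName = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = $row['userPassword'];

    // 32 lowercase hex characters: an unsalted MD5 written by the old register script.
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacy
        ? hash_equals($stored, md5($password))   // constant-time comparison
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }

    // Replace legacy or outdated hashes while the plaintext is still available.
    if ($isLegacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET userPassword = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

var_dump(login($db, 'alice', 'correct horse'));  // legacy row, upgraded on success
var_dump(login($db, 'alice', 'wrong password'));
var_dump(login($db, 'bob', 'battery staple'));
// Show that alice's stored value is no longer an MD5 digest.
echo $db->query("SELECT userPassword FROM users WHERE userName = 'alice'")->fetchColumn(), "\n";
```

In a real MySQL table the `userPassword` column must be wide enough for the new hashes; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.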