Can't login with encrypted password from database

Question

I can encrypt my password with md5 by simply wrapping it around -

$Password = md5($_POST['password']);

The encrypted password gets stored in the database successfully when the user registers. However when i want to login with the plain text password, it decides not too. How can I solve this issue?

<?php

if(isset($_POST['btnlogin'])) {

$Email = $_POST['email'];
$Password = $_POST['password'];



$Email = mysqli_real_escape_string($connection, $Email);
$Password = mysqli_real_escape_string($connection, $Password);

$query ="SELECT * FROM customers WHERE Email = '{$Email}' AND Password =   '{$Password}'";


$select_customer_query = mysqli_query($connection, $query);

if (!$select_customer_query)

die("QUERY FAILED". mysqli_error($connection));

}

while($row = mysqli_fetch_array($select_customer_query)) {

$Email_db = $row['Email'];
$Password_db = $row['Password'];
$Firstname_db = $row['First_Name'];
$Lastname_db = $row['Last_Name'];
$string ="logged in as";
$logoutlink = '/ <a href="includes/back/logout.php">Logout</a>';



} 


if ($Email_db == $Email || $Password_db == $Password  ) {


header("Location: ../../index.php");



$_SESSION['FirstName'] = $Firstname_db;
$_SESSION['LastName'] = $Lastname_db;
$_SESSION['string'] = $string;
$_SESSION['logoutlink'] = $logoutlink;


} 


?>

you're not MD5'ing the password again before passing it into the SQL query for comparison... — Garry Welding, Mar 07 '16 at 14:37
Change $Password = mysqli_real_escape_string($connection, $Password); to $Password = md5($Password); — Garry Welding, Mar 07 '16 at 14:38
If your password in DB is encrypted and you compare it to the one that is not encrypted, they do not tend to match — Timo, Mar 07 '16 at 14:38
HI Garry Welding, what about the $connection... i need this variable. So your saying this - $Email = mysqli_real_escape_string($connection, $Email); $Password = md5($Password); — steve, Mar 07 '16 at 14:42
Without seeing what exactly is being inserted into the database when a user registers, it's difficult to do anything but *guess*. If you encrypt it with `md5()` (which you really shouldn't), all you need to do is how the answers below suggests. — Qirel, Mar 07 '16 at 14:44
@steve MD5 is not encryption, it is a one-way hash function. It is also insecure, at a minimum use SHA256 for as hash function. But you really need to use PBKDF2 or bcrypt with a random salt to protect passwords. — zaph, Mar 07 '16 at 14:54

Panda · Answer 1 · 2016-03-07T14:56:58.303

2

You forgot to md5() the password before comparing, you'll need to compare the md5() version:

$Password = md5($_POST['password']);

Currently, you are comparing $Password_db == $Password

$Password = $_POST['password']; //Not md5() hashed
$Password_db = $row['Password']; //md5() hashed

Just a tip, you should't use md5() as it's not secure.

edited Mar 07 '16 at 14:56

answered Mar 07 '16 at 14:38

Panda

6,955
6
40
55

@steve If this doesn't work (which shouldn't be the case), try echoing out the values `$Password` and `$Password_db` to double check the values. – Panda Mar 07 '16 at 14:45
Thank you Luweigi. Which encryption method do you recommend? – steve Mar 07 '16 at 16:47
1

@steve I would recommend `password_verify()` as detailed in Scott's answer – Panda Mar 08 '16 at 00:46
While this answers the question, it is still not good advise. MD5 should not be recommended to hash user passwords. – martinstoeckli Mar 08 '16 at 09:04

score 2 · Answer 2 · edited May 23 '17 at 11:59

Instead of what you're doing, to be secure, you'll want a workflow that looks something like this:

Grab the user ID and password-hash from the database, for the given customer.
If password_verify($password, $storedHash), proceed.

Don't outsource your password check to the SELECT query. Don't store plaintext passwords. Don't use MD5 for password protection. Don't call MD5 encryption.

Can't login with encrypted password from database

3 Answers3