Md5 to password hash

Hi guys, I am learning a login and registration system and I need help…

I have something like this:

```php
$password = md5($password);
$validation_code = md5($username . microtime());
```

Now I want to change to password hash. If I replace

```php
$password = md5($password);
```

with

```php
$password = password_hash($password, PASSWORD_BCRYPT, array('cost'=>12));
```

do I need to change anything in $validation_code, or can it stay md5?

Thanks

What do you do with $validation_code later on?

Note that when you store the password hash, the database column may need to be longer than that used for an MD5 hash.

It's a register-user function; the validation code is used to activate the account…

```php
// escape(), email_exists(), username_exists(), query() and send_email()
// are helper functions defined elsewhere in the application.
function register_user($first_name, $last_name, $username, $email, $password){

    // Escape every value that is interpolated into the SQL string below
    $first_name = escape($first_name);
    $last_name =  escape($last_name);
    $username =   escape($username);
    $email =      escape($email);
    $password =   escape($password);

    if (email_exists($email)) {

        return false;

    } else if (username_exists($username)) {

        return false;

    } else {

        // Hash the password and derive the account activation code
        $password = md5($password);
        $validation_code = md5($username . microtime());

        $sql = "INSERT INTO users(first_name, last_name, username, email, password, validation_code, active)";
        $sql.= " VALUES('$first_name', '$last_name', '$username', '$email', '$password', '$validation_code', 0)";
        $result = query($sql);

        // Mail the activation link to the new user
        $subject = "Activate Account";
        $msg = "Please click the link below to activate your Account
    <a href=\"http://localhost/activate.php?email=$email&code=$validation_code\">Activation link</a>";

        $headers = "From: norreply@website.com";

        send_email($email, $subject, $msg, $headers);

        return true;

    }

}
```

Off Topic:

@boriskeba: when you post code on the forums, you need to format it so it will display correctly. (I’ve edited your post above for you.)

You can highlight your code, then use the </> button in the editor window, or you can place three backticks ``` (top left key on US/UK keyboards) on a line above your code, and three on a line below your code. I find this approach easier, but unfortunately some European and other keyboards don’t have that character.

OK, I will remember that in future, thanks.

Since the validation code does not depend on the password, no.

Note, you should add a UNIQUE constraint on the email and username fields in your DB. This way it’s impossible to have duplicate values (otherwise you have a time window of something around 100 ms where it’s possible to create duplicates).

Also note that you should never ever modify the user password! And `$password = md5($password);` is a very error-prone line since you can’t tell in your code if you are using the plain-text or hashed password.

Also, to take note, use prepared statements. They are relatively easy to use in mysqli_* and PDO.
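The points raised in the replies above (hash the password as typed, rely on UNIQUE constraints, use prepared statements), combined into one sketch; this is an added example, not code from any poster in the thread. It goes beyond the thread by also upgrading legacy MD5 rows at login and by swapping in a `random_bytes()` activation token; the table layout, the function signatures and the in-memory SQLite database are assumptions.

```php
<?php
// Added example: schema, signatures and the in-memory SQLite database are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// UNIQUE rejects duplicates atomically; a bcrypt hash is 60 chars where md5 was 32.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    email VARCHAR(255) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,
    validation_code CHAR(32) NOT NULL, active INTEGER NOT NULL DEFAULT 0)');
const HASH_OPTS = ['cost' => 12];

function register_user(PDO $pdo, string $username, string $email, string $plain): ?string
{
    // Hash the password exactly as typed, into its own variable (no escaping, no overwrite).
    $hash = password_hash($plain, PASSWORD_BCRYPT, HASH_OPTS);
    // Swapped in here: a CSPRNG token instead of md5($username . microtime()).
    $code = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash, validation_code)
                           VALUES (?, ?, ?, ?)');
    try {
        $stmt->execute([$username, $email, $hash, $code]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() !== '23000') { throw $e; } // not a constraint violation
        return null; // username or email already taken
    }
    return $code;
}

function check_login(PDO $pdo, string $username, string $plain): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return false; }
    $stored = $row['password_hash'];
    // Legacy rows hold 32 hex chars; assumes md5() was taken over the password as typed.
    $legacy = preg_match('/\A[0-9a-f]{32}\z/', $stored) === 1;
    $ok = $legacy ? hash_equals($stored, md5($plain)) : password_verify($plain, $stored);
    if ($ok && ($legacy || password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTS))) {
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([password_hash($plain, PASSWORD_BCRYPT, HASH_OPTS), $row['id']]);
    }
    return $ok;
}
// Constructed demo: the second registration hits the UNIQUE constraint and yields null.
var_dump(register_user($pdo, 'alice', 'a@example.test', "pa'ss word") !== null,
    register_user($pdo, 'alice', 'b@example.test', 'x'), check_login($pdo, 'alice', "pa'ss word"));
```

If the old rows were produced by hashing an escaped password, as in the function posted above, the legacy branch must apply the same escaping before `md5()` or those users will fail to log in.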
