Md5 to password hash

Hi guys,i learning login and registration sistem and i need help…

I have something like this

$password = md5($password);
$validation_code = md5($username . microtime());

now i want to change to password hash, if i replace

$password = md5($password);


$password = password_hash($password, PASSWORD_BCRYPT, array(‘cost’=>12));

do i need to change anything in $validation_code or can stay md5


What do you do with $validation_code later on?

Note that when you store the password hash, the database column may need to be longer than that used for an MD5 hash.

its a register user function validation code use for activate account…

function register_user($first_name, $last_name, $username, $email, $password){

    $first_name = escape($first_name);
    $last_name =  escape($last_name);
    $username =   escape($username);
    $email =      escape($email);
    $password =   escape($password);
    if(email_exists($email)) {
        return false;
    } else if (username_exists($username)) {
        return false;
} else {
    $password = md5($password);
    $validation_code = md5($username . microtime()); 

    $sql = "INSERT INTO users(first_name, last_name, username, email, password, validation_code, active)";
    $sql.= " VALUES('$first_name', '$last_name', '$username', '$email', '$password', '$validation_code', 0)";
    $result = query($sql);

    $subject = "Activate Account";
    $msg = "Please click the link below to activate your Account
    <a href\"http://localhost/activate.php?email=$email&code=$validation_code\">Activation link</a>";
    $headers = "From:";
    send_email($email, $subject, $msg, $headers);

    return true;

Off Topic:

@boriskeba: when you post code on the forums, you need to format it so it will display correctly. (I’ve edited your post above for you.)

You can highlight your code, then use the </> button in the editor window, or you can place three backticks ``` (top left key on US/UK keyboards) on a line above your code, and three on a line below your code. I find this approach easier, but unfortunately some European and other keyboards don’t have that character.

ok i will rember that in future, tnx

1 Like

since the validation code is not depending on the password, no.

Note, you should add a UNIQUE constraint on the email and username field in your DB. This way it’s impossible to have duplicate values (otherwise you have a time window of smth. around 100 ms where it’s possible to create duplicates).

Also note that you should never ever modify the user password! And $password = md5($password); is a very error prone line since you can’t tell in your code if you are using the plain-text or hashed password.

Also, to take note, use prepared statements. They are relatively easy to use in mysqli_* and PDO.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.