PHP, mysqli login form - need help

The problem is with the password check as when I remove password and I check email address only it works, password is giving me hassle, I have read a bunch of forum posts, tutorials and watched video’s. I can’t seem to get anywhere

<?php

	session_start();

	$mysqli = mysqli_connect("localhost", "", "", "");
	$error = ""; //Variable for storing our errors.
	
	if(isset($_POST["submit"])){
		
	if(empty($_POST["emailadd"]) || empty($_POST["password"])){
	$error = "Both fields are required.";
	}
	else {
	// Define $emailadd and $password
	$emailadd=$_POST['emailadd'];
	$password= $_POST['password'];

	// To protect from MySQL injection
	$emailadd = stripslashes($emailadd);
	$password = stripslashes($password);
	$emailadd = mysqli_real_escape_string($mysqli, $emailadd);
	$password = mysqli_real_escape_string($mysqli, $password);
	
 	$sql="SELECT * FROM member WHERE emailadd='$emailadd' AND password='".md5($password)."'";
    $result=mysqli_query($mysqli,$sql);
    $row=mysqli_fetch_array($result,MYSQLI_ASSOC);

    //If username and password exist in our database then create a session.
    //Otherwise echo error.

     if(mysqli_num_rows($result) == 1 ){
    $_SESSION['emailadd'] = $login_user; // Initializing Session
    header("location: pages/dashboard.html"); // Redirecting To Other Page
    }else{
    $error = "Incorrect email address or password.";
    }

	}
	} 

?>

When you say “as when I remove password and I check email address only it works”, do you mean it still logs you in even if you don’t type in a password, or do you mean that if you remove the code that handles passwords, it works correctly?

Do you store the password as an MD5 hash in your database? If you do, is the field long enough to store all of it? What exactly happens with the code above? Does it log you in when it should not, or does it not log you in when it should?

I have read here that MD5 is not really suitable for storing passwords as it’s too easy to crack, but that’s a separate matter if your password field is correct and the data stored in the same way that you are checking for.

Slightly off-topic, but where does $login_user come from?

    $_SESSION['emailadd'] = $login_user; // Initializing Session

It means that if I take out AND password='".md5($password)."' and check email address only it works…

yes…

I just figured out now that when its storing into db its not storing as an md5, so its not generating an md5, cos what I did was I generated an md5 string online inserted into db(directly from phpmyadmin) and tested that and it worked, so my guess is something wrong with my register script but that is so straight forward I can’t imagine what could be wrong, I’m going to check now

in register.php:

$password = md5(mysqli_real_escape_string($_POST['password']));

Are you saying that this is not a strong password

Hm1p9^\/

compared to

Hm1p9^/

If you think the bottom one is stronger, you might want to check it again by using this website.

http://www.passwordmeter.com/


There are so many bad practices in just this snippet itself.

Well, it’s not the same as you do in your login code, for a start - that has an additional call to stripslashes(). But that means people can’t use certain characters in their passwords that might make them stronger, as I believe @spaceshiptrooper was alluding to above.

Can you please have a look at my register.php:

<?php
 
$mysqli = mysqli_connect("localhost", "", "", "");

//if(isset($_POST['submitted'])){


$emailadd =$_POST['emailadd'];
    
$antispam =$_POST['antispam'];

$password = md5(mysqli_real_escape_string($_POST['password']));

    if(!empty($_POST['antispam'])) {
	// it's spam ... go away!
} else {
	
       
    $query = mysqli_query($mysqli, "SELECT * FROM member WHERE emailadd='".$emailadd."'");
    if(mysqli_num_rows($query) > 0){
       
                echo "<script> alert('not registered! - Email already exists'); </script>";
    } //if
    
	else {
		 //insert db start   
        $insert = "INSERT INTO member(emailadd, password) VALUES('$emailadd', '$password')";

		if(!mysqli_query($mysqli,$insert)){
		echo "Error";
		} else {
		echo "<script> alert('Registered!');
                    window.location.href='../index.php';
                    </script>"; 
		}
   		//db end
 	} //else

}//else spam
    
//}//submitted
?>

Could you explain please, as I’m new to backend programming.

Does this work any better?

$password = md5(mysqli_real_escape_string(stripslashes($_POST['password'])));

Is the password column long enough to store an MD5 hash? And how is the column defined?

no success,

varchar 200, I looked up online and I believe this is fine [MyISAM, utf8_general_ci]

OK, it was a long-shot if your passwords didn’t actually contain slashes. And I’m not sure there’s a lot of point calling strip_slashes() or escape_string() if you’re going to convert it to MD5.

What’s the form like? That is, is the password entry field named correctly? Clutching at straws, really, as there doesn’t seem anything intrinsically wrong with the code that I can spot, in terms of syntax and so on. But maybe look at better ways to encode passwords, because MD5 isn’t a good one. Doesn’t PHP have built-in password encoding now?

Yes its fine, as I removed md5() posted and I saw the password I registered with plain in the field so the connection there is made and working.

My initial plan wasn’t to use md5 rather to use hash_mac but when I started receiving error’s I decided to try md5 which is much more simple.[quote=“droopsnoot, post:9, topic:249235”]
Doesn’t PHP have built-in password encoding now?
[/quote]

I don’t know do they ?

http://php.net/manual/en/faq.passwords.php

An awful lot of new programmers seem to appear using old methods.

Rather than md5 you should be using password_hash to put into the database and password_verify to check it on login.
To check the email use if(filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) before testing against the database.
And instead of strip slashes and real escape you should be using prepared statements for your query with the already validated data.

2 Likes

My initial plan wasn’t to use md5 as I mentioned above, I was using:

$password = hash_hmac('sha512', 'salt' . $password, $_SERVER['site_key']);

I couldn’t come right with it and there’s no tutorials available.


By just reading at those docs I can’t apply it, cos I don’t understand it

That’s a poor excuse most new beginners say when they come straight for PHP. Understanding and not even trying are 2 different things. If you don’t understand something what do you normally do? You ask questions right? But not using it simply because you don’t “understand” it is an excuse saying “I don’t like it, I don’t understand it therefore there is no need for me to use it.”

It is actually more simple than you think and here’s why.

// Assume the password is:   IHateYou12@\/ so it'll be
$password = IHateYou1/@\/

Next, we hash the password

$hashed = password_hash($password, PASSWORD_BCRYPT, 10);

The first segment of that string usually is the password the user provides, next you can define either PASSWORD_BCRYPT or PASSWORD_DEFAULT if you prefer. After that, it’s the cost which is usually an integer. 10 is the default cost. The higher the cost, the more expensive it becomes and the more secure the password is. The lower the cost, the less resource it uses and the less secure the password becomes. The cost will vary on which number you want.


When verifying a password, you just do

if(password_verify($post_password, $password_from_database))
1 Like

does it require anything else ?

and for database any special requirements ?


Can’t I check like how i’m checking currently ?
__________[quote=“spaceshiptrooper, post:14, topic:249235”]
That’s a poor excuse most new beginners say when they come straight for PHP. Understanding and not even trying are 2 different things. If you don’t understand something what do you normally do? You ask questions right? But not using it simply because you don’t “understand” it is an excuse saying “I don’t like it, I don’t understand it therefore there is no need for me to use it.”
[/quote]

I don’t like the tone, I spent a few days trying to understand and learn it(I read around, watched videos), so before assuming you should find out.

Managed to solve this using hash_hmac

The only thing required for it PHP 5.5 + or an alternative library from iircmax’s Github for PHP 5.3.7 +


No, there is no need to be checking the way you are checking. You shouldn’t be using md5.


Tone? This proves my point even more because you later posted that it worked with hash_hmac, hash_hmac isn’t a password hashing algorithm. You should be using password_hash as it is an actual password hashing algorithm.

I also gave you an example that should be a working one. I don’t get why people are so backwards with PHP.

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.