Using md5 to encrypt passwords in admin, but do I need to use it at log in screen

I have an admin area where the owner can set a username and password for the client. Those details are automatically sent to the client in an email.

I am using the code below, so that the first password entry is encrypted and put in the database, and the second exactly the same password entry is used to confirm the password in the email back to the client.

So the password is encrypted in the database, and so I then go to the log in screen for the clients and wondered if I need to use md5 in the password field there to read the encrypted password in the database.

My code is below:

Admin area:


// Connect to server and select database.
mysql_connect("$host", "$user", "$pass")or die("cannot connect"); 
mysql_select_db("$db")or die("cannot select DB");

// Get values from form 
$name=$_POST['name'];
$lastname=$_POST['lastname'];
$email=md5($_POST['email']);
//$email=$_POST['email'];
$email2=$_POST['email2'];

// Insert data into mysql 
$sql="UPDATE Register SET Username='$lastname', Password='$email' WHERE Email='$name'";
$result=mysql_query($sql);
//$result=mysql_query($sql) or die('mysql error : ' . mysql_error() . ' in query: ' . $sql);

// if successfully insert data into database, displays message "Successful". 
if($result){

echo "This update has been successful. Check the details below before moving on.";
echo "<BR>";
echo "<BR>";
echo "Username is: $lastname";
echo "<BR>";
echo "<BR>";
echo "Password is: $email2";
echo "<BR>";
echo "<BR>";
echo "<a href='http://www.tourcheck.co.uk'>Click here to return to the main page</a>";
echo "<BR>";
echo "<BR>";
echo "<a href='insert.php'>Click here to edit another account.</a>";

$to = $name;
 $subject = "TourCheck: Your Username & Password";
 $body = "Hello,\n\n Below are the user details for you to log into the TourCheck website.\n\n Please keep these details safe:\n\n Username: $lastname\n\n Password: $email2\n\n If you have any questions please contact tourcheck@checksafetyfirst.com\n\n www.tourcheck.co.uk";
 
 if (mail($to, $subject, $body)) {
   echo("<p>Email successfully sent to: $name</p>");
  } else {
   echo("<p>Email delivery failed...</p>");
  }

}

else {
//echo "ERROR";
echo $sql;
//echo $sql2;
//echo $name;
//echo $lastname;
//echo $email;
}

// close connection 
mysql_close();
?>

Log In screen with commented out md5 encryption code that I have been trying.


// Connect to server and select database.
mysql_connect("$host", "$user", "$pass")or die("cannot connect"); 
mysql_select_db("$db")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);


// encrypt password 
//$encrypted_mypassword=md5($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

//$sql="SELECT * FROM $tbl_name WHERE Username='$myusername' and Password='$encrypted_mypassword'";
//$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// Register $myusername, $mypassword and redirect to file ".php"
session_register("myusername");
session_register("mypassword"); 
//header("location:.php");
header("location:/tourCheck/.php");
}
else { ?>

Basically when I try to log into the system using the username and password I used, it doesn't work.

Can anybody advise?


$myusername = stripslashes($myusername); 
$mypassword = stripslashes($mypassword); 
$myusername = mysql_real_escape_string($myusername); 
$mypassword = mysql_real_escape_string($mypassword);
$mypassword = md5($mypassword);

Quick answer is yes. md5 will encrypt your password so it is unreadable. You compare the hash at login with that stored on your DB.

Hi TacMaf,

Yes I thought so, I changed my code to yours and still it doesn't work.

It's so simple too, I can't believe how much stress these little issues cause, when there's almost nothing to it.

You can see my code for the admin area, can't you? Do you think there's anything wrong with the upload of the password from there?

Thanks for the help

You have to compare like things. Currently you are storing an MD5 hash in the DB (good) then when signing in, comparing the hash to the directly typed password. Unless the user happens to type a 32 character hash they will never match.

You're essentially doing this:


$pw1 = 'hello';
$pw2 = md5($pw1);

if( $pw1 == $pw2 ) {
   //This will never happen
}

So MD5 the password when signing in, so that you’re comparing that to the DB hash.

A few other notes:

  • Don’t wrap single variables in double quotes (your DB credentials). It will work but is totally unnecessary.
  • You still need to escape the input in your admin area. You’re using $_POST directly in your SQL. Every single day 50 people seem to do this on this forum.
  • Your variable naming is pretty confusing. $_POST['name'] matches the Email column? $_POST['email'] = the Password column?
  • HTML tags are not capitalized (<BR>) and you shouldn’t use multiple <BR> to space elements out.
  • You only want to call stripslashes if magic quotes are enabled. Probably better just to turn them off in the first place.

Also it’s worth using trim on username and password fields before escaping or hashing them (both when creating an account and signing in) because if users copy and paste there will often be a trailing space in the value.
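The "compare like things" point above as an added example (not code from the thread): the value is hashed when the admin sets it and verified against that stored hash at login, with trimmed input and bound SQL parameters on both sides. It swaps in PHP's password_hash()/password_verify() (salted and deliberately slow, unlike a bare md5()) and PDO with an in-memory SQLite database in place of the mysql_* calls; the function names and sample values are constructed for illustration, and the Register table layout follows the question.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Register (Email TEXT PRIMARY KEY, Username TEXT, Password TEXT)');
$db->exec("INSERT INTO Register (Email) VALUES ('client@example.test')");

// Admin side: store only a hash of the trimmed password, using bound parameters
// so nothing from the form is interpolated into the SQL text.
function set_credentials(PDO $db, string $email, string $username, string $password): bool
{
    $hash = password_hash(trim($password), PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE Register SET Username = ?, Password = ? WHERE Email = ?');
    $stmt->execute([trim($username), $hash, $email]);
    return $stmt->rowCount() === 1;
}

// Login side: look the row up by username only, then check the typed password
// against the stored hash. The raw password is never compared to the column.
function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT Password FROM Register WHERE Username = ?');
    $stmt->execute([trim($username)]);
    $stored = $stmt->fetchColumn();
    if (!is_string($stored)) {
        return false; // no such user, or no password set yet
    }
    return password_verify(trim($password), $stored);
}

// Constructed sample values; the pasted password carries a trailing space.
set_credentials($db, 'client@example.test', 'smith', 'correct horse ');

// Same password typed without the trailing space: trimmed on both sides.
var_dump(check_login($db, 'smith', 'correct horse'));
// Wrong password for an existing user.
var_dump(check_login($db, 'smith', 'wrong'));
// Quote characters in the username are treated as data, not as SQL.
var_dump(check_login($db, "smith' OR '1'='1", 'x'));
```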

No problem.

On your login script, echo $mypassword and see what it produces. Compare it manually with that in the database. If nothing is echo’d it narrows the problem down.